Need help with rule set - Bother! :(

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jul 31 09:11:14 IST 2009


I've written it all, and I've just realised the reason the last bug is 
there is because I am totally screwed.
I do the spam scanning before the virus scanning.
So by the time I've got the virus scanner reports about spam, it is 
*way* too late to do anything with them.

The only solution is to turn it all around and do the virus scanning 
first, which is *far* less efficient as you'll end up virus scanning the 
90% of your mail that is actually spam anyway. And all the overheads in 
data structures that have to be generated in order for the scanning to 
work. And all the attachment extraction. And everything else.

Damn and botherations!

Anyone got any great ideas?

I can detect all the "spam-virus" output and put it in a separate 
header, but I can't then do anything with it except ignore it or just 
put it in a useless header in the output message.

Your thoughts please.

On 30/07/2009 11:01, Julian Field wrote:
> I wasn't thinking of anything quite so complicated as that.
> Maybe a single score for all defined spam reports from the virus 
> scanners?
> I would rather keep it simple so people can actually use it, than have 
> something very clever and complex that no-one ever quite understands 
> or can work out how to use (apart from the 0.1% who are wizards).
>
> Jules.
>
> On 30/07/2009 10:30, --[ UxBoD ]-- wrote:
>> Here is the scoremap you would use in Amavis as well :-
>>
>> @virus_name_to_spam_score_maps =
>>    (new_RE(  # the order matters!
>>      [ qr'^Phishing\.'                                             =>  0   ],
>>      [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'             =>  0   ],
>>      [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' =>  undef ],  # keep as infected
>>      [ qr'^Sanesecurity(\.[^., ]*)*\.'                             =>  0   ],
>>      [ qr'^Sanesecurity_PhishBar_'                                 =>  0   ],
>>      [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        =>  0   ],
>>      [ qr'^(MSRBL-Images\b|MSRBL-SPAM\.)'                          =>  0   ],
>>      [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   =>  0   ],
>>      [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' =>  0   ],
>>      [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 =>  0   ],
>>      [ qr'-SecuriteInfo\.com(\.|\z)'         =>  undef ],  # keep as infected
>>      [ qr'^MBL_'                             =>  undef ],  # keep as infected
>>    ));
>>
>> Best Regards,
>>
>
> Jules
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
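
The ordered lookup in the quoted score map, as an added example that is not part of the original post and is not MailScanner or Amavis code: the first matching rule decides whether a scanner report is a spam-type hit or a real infection. The helpers `lookup` and `classify` are hypothetical, the signature names in the sample are constructed, and treating unmatched names as infected is an assumption.

```perl
use strict; use warnings;

# Ordered map copied from the quoted config: first match wins.
# undef = keep as infected; a number = spam-type report with that score.
my @score_map = (
  [ qr'^Phishing\.'                                             => 0     ],
  [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'             => 0     ],
  [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'                 => undef ],
  [ qr'^Sanesecurity(\.[^., ]*)*\.'                             => 0     ],
  [ qr'^Sanesecurity_PhishBar_'                                 => 0     ],
  [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0     ],
  [ qr'^(MSRBL-Images\b|MSRBL-SPAM\.)'                          => 0     ],
  [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0     ],
  [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0     ],
  [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0     ],
  [ qr'-SecuriteInfo\.com(\.|\z)'                               => undef ],
  [ qr'^MBL_'                                                   => undef ],
);

# Return (1, score) for a spam-type name, (0, undef) for a real infection.
sub lookup {
  my ($name) = @_;
  for my $rule (@score_map) {
    my ($re, $score) = @$rule;
    next unless $name =~ $re;
    return defined $score ? (1, $score) : (0, undef);
  }
  return (0, undef);    # assumption: unmatched names stay infected
}

# Collapse every scanner report for one message into a single verdict.
sub classify {
  my @names = @_;
  return { verdict => 'clean' } unless @names;
  my $total = 0;
  for my $name (@names) {
    my ($is_spam, $score) = lookup($name);
    return { verdict => 'infected', name => $name } unless $is_spam;
    $total += $score;
  }
  return { verdict => 'spam', score => $total };
}

# Constructed sample reports, one list of signature names per message.
for my $m ([ 'Sanesecurity.Spam.1234.UNOFFICIAL' ],
           [ 'Sanesecurity.Malware.5678.UNOFFICIAL' ],
           [ 'Email.Spam.Gen42-SecuriteInfo.com', 'MBL_99' ]) {
  print join(',', @$m), ' => ', classify(@$m)->{verdict}, "\n";
}
```

The second sample shows why the order matters: the Malware/Rogue/Trojan rule has to sit above the general Sanesecurity rule, otherwise that report would be counted as spam instead of staying infected.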

