New beta release 4.78.3 -- "spam-viruses"

Julian Field MailScanner at
Fri Jul 31 14:41:03 IST 2009

I have just released a new beta, the first in quite a while.

This has one major re-arrangement done to it, in that the virus scanning 
is now done *before* the spam checking, instead of after it as it has 
always been in the past. This results in you virus-scanning all the spam 
you are about to delete, but for virtually all virus scanners the cost 
of scanning a few extra files is very minimal compared to the cost of 
running SpamAssassin on them anyway. So it won't make much difference to 
the speed at all. And you have the advantage that you won't be 
spam-scanning viruses any more.

The need for this is because...

I have introduced a solution to the issue of what I am calling 
"spam-viruses" which are messages detected as being spam by your *virus* 
scanner. At least ClamAV and F-Prot can do this now. Automatically 
deleting mail which a third-party ClamAV signature database thinks is 
probably spam is not a very good idea, as there are false alarms which 
have bitten most of us in the past.

So what you want is a way of assigning a spam score to different 
"spam-viruses" so you can use the signature databases to varying effect, 
depending on what you think of their reliability. Some of the ClamAV 
databases have far more false alarms (false positives) than others, as 
documented here:

So now a list of all the "spam-viruses" found in a message will be put 
in a new message header before the message is passed to SpamAssassin, so 
you can do everything from simply assigning a score if the header exists 
at all, to assigning different scores to different spam-viruses as you 
like. You can make it as simple or as complex as you choose. I have 
given you a sample rule to start from in spam.assassin.prefs.conf.

So you need to do 2 other things:
1. Set the name of the header used for this: see the "Spam-Virus Header" 
setting in MailScanner.conf.
2. Define what virus names are actually spam-viruses. See the "Virus 
Names Which Are Spam" setting in MailScanner.conf.

The second of those is given very simply. No regular expressions or 
anything complicated like that, sorry.
You give a space-separated list of strings which are the names of the 
You can use the "*" wildcard character to mean "any number of zero or 
more characters", just like you do in filenames. You can use several "*" 
wildcards in each string, of course.
Other than that the string will be matched against the whole virus name, 
with a case sensitive match.
If you want to match just a sub-string of the virus name, put a "*" at 
the start and end of the string, such as in "*UNOFFICIAL*" for example.
Two simple examples are "HTML/*" and "Sane*UNOFFICIAL" which are 
hopefully both self-explanatory.

For more information about these 2 settings, see the MailScanner.conf file.

I think this keeps the configuration nice and simple for most people, 
but allows the 0.1% of wizards to build really complex setups.

If you strongly disagree with the way I have done it, please do let me 
know, this is only a beta so I can easily change it at this point 
without upsetting anyone. :-)

Hopefully you will find this a useful new feature, and that the cost of 
the code re-arrangement is not too high.

Have a good weekend, and please let me know if you have any "issues" 
with any of it!


Julian Field MEng CITP CEng
Buy the MailScanner book at

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at and

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list