New beta release 4.78.3 -- "spam-viruses"
MailScanner at ecs.soton.ac.uk
Fri Jul 31 14:41:03 IST 2009
I have just released a new beta, the first in quite a while.
This has one major re-arrangement done to it, in that the virus scanning
is now done *before* the spam checking, instead of after it as it has
always been in the past. This results in you virus-scanning all the spam
you are about to delete, but for virtually all virus scanners the cost
of scanning a few extra files is very minimal compared to the cost of
running SpamAssassin on them anyway. So it won't make much difference to
the speed at all. And you have the advantage that you won't be
spam-scanning viruses any more.
The need for this is because...
I have introduced a solution to the issue of what I am calling
"spam-viruses" which are messages detected as being spam by your *virus*
scanner. At least ClamAV and F-Prot can do this now. Automatically
deleting mail which a third-party ClamAV signature database thinks is
probably spam is not a very good idea, as there are false alarms which
have bitten most of us in the past.
So what you want is a way of assigning a spam score to different
"spam-viruses" so you can use the signature databases to varying effect,
depending on what you think of their reliability. Some of the ClamAV
databases have far more false alarms (false positives) than others, as
So now a list of all the "spam-viruses" found in a message will be put
in a new message header before the message is passed to SpamAssassin, so
you can do everything from simply assigning a score if the header exists
at all, to assigning different scores to different spam-viruses as you
like. You can make it as simple or as complex as you choose. I have
given you a sample rule to start from in spam.assassin.prefs.conf.
So you need to do 2 other things:
1. Set the name of the header used for this: see the "Spam-Virus Header"
setting in MailScanner.conf.
2. Define what virus names are actually spam-viruses. See the "Virus
Names Which Are Spam" setting in MailScanner.conf.
The second of those is given very simply. No regular expressions or
anything complicated like that, sorry.
You give a space-separated list of strings which are the names of the
You can use the "*" wildcard character to mean "any number of zero or
more characters", just like you do in filenames. You can use several "*"
wildcards in each string, of course.
Other than that the string will be matched against the whole virus name,
with a case sensitive match.
If you want to match just a sub-string of the virus name, put a "*" at
the start and end of the string, such as in "*UNOFFICIAL*" for example.
Two simple examples are "HTML/*" and "Sane*UNOFFICIAL" which are
hopefully both self-explanatory.
For more information about these 2 settings, see the MailScanner.conf file.
I think this keeps the configuration nice and simple for most people,
but allows the 0.1% of wizards to build really complex setups.
If you strongly disagree with the way I have done it, please do let me
know, this is only a beta so I can easily change it at this point
without upsetting anyone. :-)
Hopefully you will find this a useful new feature, and that the cost of
the code re-arrangement is not too high.
Have a good weekend, and please let me know if you have any "issues"
with any of it!
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Need help fixing or optimising your systems?
Need help getting you started solving new requirements from your boss?
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner