New beta release 4.78.3 -- "spam-viruses"
Jonas A. Larsen
jonas at vrt.dk
Fri Jul 31 15:10:13 IST 2009
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: 31. juli 2009 15:41
> To: MailScanner discussion
> Subject: New beta release 4.78.3 -- "spam-viruses"
>
> I have just released a new beta, the first in quite a while.
>
> This has one major re-arrangement done to it, in that the virus scanning
> is now done *before* the spam checking, instead of after it as it has
> always been in the past. This results in you virus-scanning all the spam
> you are about to delete, but for virtually all virus scanners the cost
> of scanning a few extra files is very minimal compared to the cost of
> running SpamAssassin on them anyway. So it won't make much difference to
> the speed at all. And you have the advantage that you won't be
> spam-scanning viruses any more.
>
> The need for this is because...
>
> I have introduced a solution to the issue of what I am calling
> "spam-viruses" which are messages detected as being spam by your *virus*
> scanner. At least ClamAV and F-Prot can do this now. Automatically
> deleting mail which a third-party ClamAV signature database thinks is
> probably spam is not a very good idea, as there are false alarms which
> have bitten most of us in the past.
>
> So what you want is a way of assigning a spam score to different
> "spam-viruses" so you can use the signature databases to varying effect,
> depending on what you think of their reliability. Some of the ClamAV
> databases have far more false alarms (false positives) than others, as
> documented here:
> http://www.sanesecurity.net/databases.htm
>
> So now a list of all the "spam-viruses" found in a message will be put
> in a new message header before the message is passed to SpamAssassin, so
> you can do everything from simply assigning a score if the header exists
> at all, to assigning different scores to different spam-viruses as you
> like. You can make it as simple or as complex as you choose. I have
> given you a sample rule to start from in spam.assassin.prefs.conf.
>
> So you need to do 2 other things:
> 1. Set the name of the header used for this: see the "Spam-Virus Header"
> setting in MailScanner.conf.
> 2. Define what virus names are actually spam-viruses. See the "Virus
> Names Which Are Spam" setting in MailScanner.conf.
>
> The second of those is given very simply. No regular expressions or
> anything complicated like that, sorry.
> You give a space-separated list of strings which are the names of the
> spam-viruses.
> You can use the "*" wildcard character to mean "any number of zero or
> more characters", just like you do in filenames. You can use several "*"
> wildcards in each string, of course.
> Other than that the string will be matched against the whole virus name,
> with a case sensitive match.
> If you want to match just a sub-string of the virus name, put a "*" at
> the start and end of the string, such as in "*UNOFFICIAL*" for example.
> Two simple examples are "HTML/*" and "Sane*UNOFFICIAL" which are
> hopefully both self-explanatory.
>
> For more information about these 2 settings, see the MailScanner.conf
file.
>
> I think this keeps the configuration nice and simple for most people,
> but allows the 0.1% of wizards to build really complex setups.
>
> If you strongly disagree with the way I have done it, please do let me
> know, this is only a beta so I can easily change it at this point
> without upsetting anyone. :-)
>
> Hopefully you will find this a useful new feature, and that the cost of
> the code re-arrangement is not too high.
>
> Have a good weekend, and please let me know if you have any "issues"
> with any of it!
>
Woohoo, again MailScanner responds to users' needs in record time.
I will definitely be trying to test this next week. It sounds like its
implemented precisely how I was hoping it would be.
Again you go above and beyond Julian :)
I will report back as soon as i got some results/comments.
Med venlig hilsen / Best regards
Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk
More information about the MailScanner
mailing list