FW: Re:Nddc Poverty Award (Ref No: NDDC/FGN/009/08/01/NDG)

Mark Sapiro mark at msapiro.net
Tue Oct 27 18:35:00 GMT 2009

Robert Lopez wrote:

>On Tue, Oct 27, 2009 at 10:41 AM, Mark Sapiro <mark at msapiro.net> wrote:
>> Just FYI, here are some headers from my latest MailScanner list digest
>> X-GPC-MailScanner-SpamVirus-Report: Sanesecurity.Junk.22901.UNOFFICIAL
>> X-GPC-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=7.251,
>> ? ? ? ?required 5, BAYES_00 -0.75, HTML_MESSAGE 0.00,
>> ? ? ? ?JM_SOUGHT_FRAUD_2 3.00, JM_SOUGHT_FRAUD_3 3.00,
>> ? ? ? ?MS_FOUND_SPAMVIRUS 3.00, RCVD_IN_DNSWL_LOW -1.00, SPF_PASS -0.00,
>> ? ? ? ?WEIRD_PORT 0.00)
>> X-GPC-MailScanner-SpamScore: sssssss
>> Sanesecurity.Junk.22901.UNOFFICIAL is a hit on some of the text in the
>> and results in the MS_FOUND_SPAMVIRUS 3.00 score. The JM_SOUGHT_FRAUD_*
>> hits are also from your message.
>> The sought rules come from http://wiki.apache.org/spamassassin/SoughtRules
>> and the Sanesecurity sigs come from http://www.sanesecurity.net/ together
>> with the latest 'spam virus' settings in MailScanner to give the score.
>Are you saying you use the SoughtRules with SpamAssassin and the
>Sanesecurity sigs with ClamAV ? Or is there a way to use the
>Sanesecutiry sigs directly with SpamAssassin?

Yes, the sought rules are spamassassin rules and the Sanesecurity sigs
are clamAV sigs, but the latest Mailscanner has settings (with

Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/*

In particular, this will detect any ClamAV detection with a name
matching Sane*UNOFFICIAL and consider it a "spam virus". It then adds
the header (in this case)

X-GPC-MailScanner-SpamVirus-Report: Sanesecurity.Junk.22901.UNOFFICIAL

to the message passed to spamassassin (GPC is my org-name). Then,
/etc/MailScanner/spam.assassin.prefs.conf has in it

header MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report

so that messages with the X-GPC-MailScanner-SpamVirus-Report get a
spamassassin score.

This is way preferable to just having the message flagged as containing
a virus by ClamAV when it matches a spam signature. -Thank you Jules!

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list