Sophos & ClamAV + Sanesecurity

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 12 09:59:24 GMT 2010


I have just done a quick test of the spam-virus code.
When I send it a message containing a spam-virus, I get this in the 
headers of the message:

X-JKF-MailScanner: Found to be clean
X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
X-JKF-MailScanner-SpamScore: ss
X-JKF-MailScanner-From: toucanv at rondalynresort.com
X-Spam-Status: No

which is exactly what I want. It is not virus-infected, it has a 
spamvirus, and its spam-status is no because the score added by the rule 
in spam.assassin.prefs.conf wasn't enough to get it over the spam threshold.

If I set the score in spam.assassin.prefs.conf file to something above 
the high-score threshold, I get this:

X-JKF-MailScanner: Found to be clean
X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
X-JKF-MailScanner-SpamCheck: spam, SpamAssassin (score=17.878, required 6,
     BAYES_50 0.00, HTML_IMAGE_ONLY_20 1.55, HTML_MESSAGE 0.00,
     MS_FOUND_SPAMVIRUS 15.00, RCVD_IN_SORBS_WEB 0.62,
     SARE_RECV_IP_FROMIP3 0.71)
X-JKF-MailScanner-SpamScore: sssssssssssssssss
X-JKF-MailScanner-From: toucanv at rondalynresort.com
X-Spam-Status: High

Again, it has taken the correct spam action and not marked it as a virus.

Note that setting up the SpamVirus stuff involves taking a quick peek 
into /etc/MailScanner/spam.assassin.prefs.conf as well as 
/etc/MailScanner/MailScanner.conf as SpamAssassin needs to know what 
header name it is looking for to assign the spam score.

Hope that helps resolve your difficulties.

It does all appear to work as I intended.

Jules.

On 11/01/2010 13:35, Jules Field wrote:
> I'm not sure I quite understand you.
> There are a myriad of issues here, which all need sensible answers.
> What happens when 1 scanner finds a spamvirus and another scanner 
> finds a real virus?
> What happens when the same scanner finds both a spamvirus and a real 
> virus?
> There are umpteen combinations of these issues and others, and I'm not 
> sure I can produce a working solution for all of them. In fact I don't 
> think one can exist in theory.
>
> What does it not do at the moment, and what would you like to do instead?
> And what about all the problems of multiple infections and/or multiple 
> scanners? How do they affect your answer?
>
> I'm not trying to be mean, just that this stuff is a lot more awkward 
> than it may at first appear.
>
> Jules.
>
> On 23/12/2009 21:06, Mike Wallace wrote:
>> The order checking change is only good if you use Sanesecurity. If 
>> you don't, it can create major problems such as mine where infected 
>> messages are being delivered.
>>
>> My environment requires that all infected attachments be removed from 
>> messages before delivery and all messages with a spam score of 5.0 or 
>> greater delivered to a special mailbox. I use the Sought, OpenProtect 
>> and a couple of custom rules and have a false positive rate of 0.16% 
>> and a false negative rate of 0.87% (if I exclude the viruses that 
>> passed), so I don't think that I need the Sanesecurity rules.
>>
>> I just checked the last 12 infected messages that went through with 
>> spamassassin and they scored an average of 23.0; the lowest was 11.5, 
>> the highest was 40.4. So if they were spam checked, then they never 
>> would have been delivered to the user.
>>
>> You would think that if MailScanner flags something as being 
>> infected, it would be handled identically.
>>
>> Does anyone know how to force MailScanner to spam check every 
>> non-blacklisted or non-whitelisted message like it used to?
>>
>> Mike Wallace
>> mike at mlrw.com
>>
>>
>>
>> On Dec 23, 2009, at 1:31 PM, Kai Schaetzl wrote:
>>
>>> Mike Wallace wrote on Wed, 23 Dec 2009 11:16:09 -0500:
>>>
>>>> What I occasionally see is that clamav 0.95.3 finds an infection but
>>>> the message never gets spam checked.
>>> The order of checking has been reverted lately. No need for a 
>>> spamcheck if it already contains a virus.
>>>
>>> Kai
>>>
>>> -- 
>>> Kai Schätzl, Berlin, Germany
>>> Get your web at Conactive Internet Services: http://www.conactive.com
>>>
>>>
>>>
>>> -- 
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>> This message has been scanned for viruses and dangerous content by 
>>> MailScanner, and is believed to be clean.
>>>
>
> Jules
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
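The SpamAssassin side of the set-up described in the message above, written out as an added example; this is not configuration quoted from the thread or shipped by the MailScanner project. The rule name MS_FOUND_SPAMVIRUS and the header name X-MailScanner-SpamVirus-Report are taken from the headers quoted in the message; the 2.0 score is an illustrative value (the thread does not say what score was used in the first test), and the MailScanner.conf option names at the end are given as I remember them and should be checked against the comments in the installed MailScanner.conf.

```conf
# /etc/MailScanner/spam.assassin.prefs.conf (added example excerpt)
#
# MailScanner writes the name of any "spam-virus" signature (such as the
# Sanesecurity.*.UNOFFICIAL names quoted in the thread) into a header,
# and SpamAssassin has to be told that header name before it can score
# on it. The regex only requires the header to be present and non-empty.

header   MS_FOUND_SPAMVIRUS  X-MailScanner-SpamVirus-Report =~ /\S/
describe MS_FOUND_SPAMVIRUS  MailScanner found a spam-virus signature

# Case 1 (first test in the thread): a score that leaves the total below
# the spam threshold of 6 keeps "X-Spam-Status: No" even though the
# SpamVirus header is set. 2.0 is an illustrative value, not one taken
# from the thread.
# score  MS_FOUND_SPAMVIRUS  2.0

# Case 2 (second test in the thread): 15.00 is the value shown for
# MS_FOUND_SPAMVIRUS in the quoted X-JKF-MailScanner-SpamCheck header;
# it lifts the total to 17.878, over the high-score threshold, so the
# message gets "X-Spam-Status: High" rather than being treated as a virus.
score    MS_FOUND_SPAMVIRUS  15.0

# /etc/MailScanner/MailScanner.conf (assumed option names, verify locally)
#
# The header name used in the SpamAssassin rule above must be the same
# one MailScanner writes, and MailScanner must be told which scanner
# detection names count as spam rather than as infections.
# Spam-Virus Header = X-MailScanner-SpamVirus-Report
# Virus Names Which Are Spam = Sane*UNOFFICIAL
```

The single point to check after editing either file is that the header name appears identically in both places; if they differ, the rule never fires and the message behaves like the first test regardless of the score.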

