Sophos & ClamAV + Sanesecurity

ThB lists at buschor.ch
Tue Jan 12 14:57:37 GMT 2010


On  Tue, 12 Jan 2010 09:59:24, Julian Field wrote:
>
> I have just done a quick test of the spam-virus code.
> When I send it a message containing a spam-virus, I get this in the
> headers of the message:
>
> X-JKF-MailScanner: Found to be clean
> X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
> X-JKF-MailScanner-SpamScore: ss
> X-JKF-MailScanner-From: toucanv at rondalynresort.com
> X-Spam-Status: No

Yes, this is what I expect. This is the result I get when only ClamAV & SA
are used, with no additional virus scanner.

I use ClamAV _and_ Sophos at the same time and I suspect the problem only
occurs when ClamAV says that it's a spam-virus but Sophos says it's a real
virus. In this special case SA is not run (and therefore the SpamScore is
missing) but the message is also not quarantined.

If ClamAV and/or Sophos say it's a real virus then the message is
quarantined. If only ClamAV says it's a spam-virus then SA correctly sets
the SpamScore.

> which is exactly what I want. It is not virus-infected, it has a
> spamvirus, and its spam-status is no because the score added by the rule
> in spam.assassin.prefs.conf wasn't enough to get it over the spam
> threshold.

I agree as long as there is not any other virus scanner telling me that's
a virus. In my opinion the message must be treated as infected if one of
several virus scanners tells me it contains a real virus, even if ClamAV
says it's only a spam virus.

>
> If I set the score in spam.assassin.prefs.conf file to something above
> the high-score threshold, I get this:
>
> X-JKF-MailScanner: Found to be clean
> X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
> X-JKF-MailScanner-SpamCheck: spam, SpamAssassin (score=17.878, required 6,
>      BAYES_50 0.00, HTML_IMAGE_ONLY_20 1.55, HTML_MESSAGE 0.00,
>      MS_FOUND_SPAMVIRUS 15.00, RCVD_IN_SORBS_WEB 0.62,
>      SARE_RECV_IP_FROMIP3 0.71)
> X-JKF-MailScanner-SpamScore: sssssssssssssssss
> X-JKF-MailScanner-From: toucanv at rondalynresort.com
> X-Spam-Status: High
>
> Again, it has taken the correct spam action and not marked it as a virus.

Yes, it works exactly this way if Sophos (or any other virus scanner?)
does not detect a virus in the very same message.

> Note that setting up the SpamVirus stuff involves taking a quick peek
> into /etc/MailScanner/spam.assassin.prefs.conf as well as
> /etc/MailScanner/MailScanner.conf as SpamAssassin needs to know what
> header name it is looking for to assign the spam score.
>
> Hope that helps resolve your difficulties.
>
> It does all appear to work as I intended.
>
> Jules.
>

regards
Thomas

PS: Sorry for breaking the thread, but it's not possible to reply when
using the text digest of this list.
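
The handling argued for in this message, sketched as an added Python example (not part of the original post and not MailScanner's own code). The glob pattern, the action names and the Sophos signature name are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: glob patterns for detections that mean "spam", not malware.
SPAM_VIRUS_PATTERNS = ["Sanesecurity.*.UNOFFICIAL"]
SPAM_VIRUS_HEADER = "X-MailScanner-SpamVirus-Report"  # header name from the thread


def is_spam_virus(signature, patterns=SPAM_VIRUS_PATTERNS):
    """True if the signature name matches one of the spam-virus patterns."""
    return any(fnmatchcase(signature, p) for p in patterns)


def classify(reports, patterns=SPAM_VIRUS_PATTERNS):
    """Combine per-scanner results into one decision.

    reports maps scanner name -> list of signature names it reported.
    Any detection that is not a spam-virus wins, whichever scanner made it.
    """
    real, spam = [], []
    for scanner in sorted(reports):
        for sig in reports[scanner]:
            (spam if is_spam_virus(sig, patterns) else real).append((scanner, sig))
    if real:
        # At least one scanner saw real malware: never downgrade to spam.
        return {"action": "quarantine", "infections": real, "header": None}
    if spam:
        # Only spam-virus hits: pass the names on so SpamAssassin can score them.
        value = ", ".join(sig for _, sig in spam)
        return {"action": "spam-check", "infections": [],
                "header": (SPAM_VIRUS_HEADER, value)}
    return {"action": "spam-check", "infections": [], "header": None}


# Constructed sample results; the Sophos name is a made-up placeholder.
SANE = "Sanesecurity.Jurlbl.8564.UNOFFICIAL"
CASES = {
    "clamav only": {"clamav": [SANE], "sophos": []},
    "clamav spam-virus + sophos virus": {"clamav": [SANE],
                                          "sophos": ["Troj/Constructed-A"]},
    "nothing found": {"clamav": [], "sophos": []},
}

if __name__ == "__main__":
    for name, reports in CASES.items():
        print(name, "->", classify(reports))
```

The second case is the one reported here: one scanner's spam-virus hit must not keep another scanner's real detection from quarantining the message.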



