Spam-Virus scoring not working any more for me

Michael Mansour micoots at yahoo.com
Thu Sep 23 03:00:44 IST 2010


Hi Mark,

--- On Thu, 23/9/10, Mark Sapiro <mark at msapiro.net> wrote:

> From: Mark Sapiro <mark at msapiro.net>
> Subject: Re: Spam-Virus scoring not working any more for me
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Received: Thursday, 23 September, 2010, 12:05 AM
> On 11:59 AM, Michael Mansour wrote:
> > 
> > Having tested this now, I can say that the removal of
> the ":" did not affect it. These "infections":
> 
> The colon is correct. It should be there in Spam-Virus
> Header in
> MailScanner.conf as it defines the header and the colon is
> part of the
> header. The lack of a colon in 'header' in the spamassassin
> file is also
> correct as this just references the 'name' of the header
> which does not
> include the colon.

Ok, I have re-added the colon in MailScanner.conf.

> Did you by chance change your org-name? I.e. I have
> 
> Spam-Virus Header =
> X-%org-name%-MailScanner-SpamVirus-Report:
> 
> in MailScanner.conf and
> 
> header MS_FOUND_SPAMVIRUS
> exists:X-GPC-MailScanner-SpamVirus-Report
> 
> in spamassassin. This only works if
> 
> %org-name% = GPC
> 
> in MailScanner.conf.

I haven't changed the %org-name% no. 

I do have a different setting for this though:

# Name of this host, or a name like "the MailScanner" if you want to hide
# the real hostname. It is used in the Help Desk note contained in the
# virus warnings sent to users.
# Remember you can use $HOSTNAME in here, so you might want to set it to
# Hostname = the %org-name% ($HOSTNAME) MailScanner
# This can also be the filename of a ruleset.
Hostname = %rules-dir%/hostname.rules

where I define:

FromOrTo:       *@blah.com                the blah ($HOSTNAME) mailscanner
FromOrTo:       default                         the %org-name% ($HOSTNAME) Mailscanner

but I'm not sure that would impact any headers.

Another question, I use MailWatch, should the X-MailScanner-blah headers be present when viewing the message headers in MailWatch?

I don't see them in MailWatch, but when I release the message from MailWatch to my Inbox and view full headers, I see the MailScanner lines no problems.

> > Clamd: message was infected:
> INetMsg.SpamDomain-2w.on9mail_com.UNOFFICIAL(b296e7ae61a7c8480c7219a4e2a27390:1916)
> 
> > 
> > still get blocked when I want them scored.
> 
> If the above does not solve the problem, please post
> exactly what you
> have in Mailscanner.conf for "Spam-Virus Header" and "Virus
> Names Which
> Are Spam". In particular, does your "Virus Names Which Are
> Spam"
> pattern(s) match the virus name?

My settings are:

Spam-Virus Header = X-NPGX-MailScanner-SpamVirus-Report:

Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* MBL*UNOFFICIAL *SecuriteInfo*UNOFFICIAL INetMsg.SpamDomain*UNOFFICIAL NPGX.DomainAddr*UNOFFICIAL NPGX.EmailAddr.*UNOFFICIAL winnow*UNOFFICIAL

Yes, all the above do match the virus names presented when the clamd scanner finds the signature in the 3rd party DB.

All this really used to work fine but the last time I "noticed" it working was a couple of MailScanner versions ago (fromthe latest stable to the beta's before that). Somewhere down that line things broke and I didn't notice until recently.

Thanks for your help and suggestions so far.

Michael.

> -- 
> Mark Sapiro <mark at msapiro.net>       The highway is for gamblers,
> San Francisco Bay Area, California    better use
> your sense - B. Dylan
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the
> website! 
> 


      


More information about the MailScanner mailing list