Spam-Virus scoring not working any more for me

James Gray james at gray.net.au
Sat Sep 25 23:47:27 IST 2010


On 23/09/2010, at 12:05 AM, Mark Sapiro wrote:

> On 11:59 AM, Michael Mansour wrote:
>> 
>> Having tested this now, I can say that the removal of the ":" did not affect it. These "infections":
> 
> 
> The colon is correct. It should be there in Spam-Virus Header in
> MailScanner.conf as it defines the header and the colon is part of the
> header. The lack of a colon in 'header' in the spamassassin file is also
> correct as this just references the 'name' of the header which does not
> include the colon.
> 
> Did you by chance change your org-name? I.e. I have
> 
> Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
> 
> in MailScanner.conf and
> 
> header MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report
> 
> in spamassassin. This only works if
> 
> %org-name% = GPC
> 
> in MailScanner.conf.
> 
> 
>> Clamd: message was infected: INetMsg.SpamDomain-2w.on9mail_com.UNOFFICIAL(b296e7ae61a7c8480c7219a4e2a27390:1916) 
>> 
>> still get blocked when I want them scored.
> 
> 
> If the above does not solve the problem, please post exactly what you
> have in MailScanner.conf for "Spam-Virus Header" and "Virus Names Which
> Are Spam". In particular, does your "Virus Names Which Are Spam"
> pattern(s) match the virus name?

Hi All,

Even though I'm not on the latest MS version (4.80.1) I'm not seeing any effect on the message scoring with the unofficial signatures in ClamAV either. Here's an example from this morning:

MailScanner.conf:
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:

SpamAssassin rule:
header MS_FOUND_SPAMVIRUS       exists:X-MyOrg-MailScanner-SpamVirus-Report
describe MS_FOUND_SPAMVIRUS     ClamAV found a Spam Virus via MailScanner
score MS_FOUND_SPAMVIRUS        5.899

Relevant message headers:
X-MyOrg-MailScanner-SpamVirus-Report: Sanesecurity.Junk.32803.UNOFFICIAL
X-MyOrg-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
	score=30.564, required 5, autolearn=spam, BAYES_99 3.85,
	BODY_GAPPY_TEXT 1.92, HTML_MESSAGE 0.00, NO_RELAYS -0.00,
	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.89,
	RAZOR2_CHECK 0.92, SUBJ_OBFU_REPLICA 5.11, SUBJ_SPAMWORD 0.20,
	SUBJ_SWISS_WATCH 2.11, SUBJ_WATCH 0.91, T_SURBL_MULTI1 0.01,
	T_SURBL_MULTI2 0.01, T_SURBL_MULTI3 0.01, T_SURBL_MULTI4 0.01,
	T_URIBL_BLACK_OVERLAP 0.01, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.73,
	URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.25, URIBL_OB_SURBL 0.12,
	URIBL_SBL 1.62, URIBL_SC_SURBL 0.57, URIBL_WS_SURBL 1.61)

Finally, the mail log for this batch (one message in it):
Sep 26 07:14:07 MailScanner[6199]: New Batch: Scanning 1 messages, 8060 bytes
Sep 26 07:14:08 MailScanner[6199]: Virus and Content Scanning: Starting
Sep 26 07:14:13 MailScanner[6199]: 1732B7029C096.ABA62.header: Sanesecurity.Junk.32803.UNOFFICIAL FOUND
Sep 26 07:14:13 MailScanner[6199]: Found spam-virus Sanesecurity.Junk.32803.UNOFFICIAL in 1732B7029C096.ABA62
Sep 26 07:14:13 MailScanner[6199]: <A> tag found in message 1732B7029C096.ABA62 from izettanella_ys at cypressconsulting.com
Sep 26 07:14:13 MailScanner[6199]: Virus Scanning completed at 1417 bytes per second
Sep 26 07:14:13 MailScanner[6199]: Spam Checks: Starting
Sep 26 07:14:19 MailScanner[6199]: Message 1732B7029C096.ABA62 from 10.0.0.50 (izettanella_ys at cypressconsulting.com) to MyServer is spam, SpamAssassin (not cached, score=30.564, required 5, autolearn=spam, BAYES_99 3.85, BODY_GAPPY_TEXT 1.92, HTML_MESSAGE 0.00, NO_RELAYS -0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.89, RAZOR2_CHECK 0.92, SUBJ_OBFU_REPLICA 5.11, SUBJ_SPAMWORD 0.20, SUBJ_SWISS_WATCH 2.11, SUBJ_WATCH 0.91, T_SURBL_MULTI1 0.01, T_SURBL_MULTI2 0.01, T_SURBL_MULTI3 0.01, T_SURBL_MULTI4 0.01, T_URIBL_BLACK_OVERLAP 0.01, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.73, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.25, URIBL_OB_SURBL 0.12, URIBL_SBL 1.62, URIBL_SC_SURBL 0.57, URIBL_WS_SURBL 1.61)
Sep 26 07:14:19 MailScanner[6199]: Spam Checks: Found 1 spam messages
Sep 26 07:14:19 MailScanner[6199]: Delivery of spam: message 1732B7029C096.ABA62 from izettanella_ys at cypressconsulting.com to james at MyOrg with subject Perfect Watches Clones Cheap from $150. Buy Rep1icaWatches: Swiss Rep1icaWatch 2r
Sep 26 07:14:19 MailScanner[6199]: Spam Actions: message 1732B7029C096.ABA62 actions are attachment,deliver,header
Sep 26 07:14:19 MailScanner[6199]: Spam Checks completed at 1355 bytes per second
Sep 26 07:14:19 MailScanner[6199]: Requeue: 1732B7029C096.ABA62 to AABA37029A7C5

Any takers??

Cheers,

James
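
The two checks this thread turns on, as an added example that is not part of the original message: does the expanded "Spam-Virus Header" name equal the header named in the SpamAssassin `exists:` rule, and does MS_FOUND_SPAMVIRUS appear in the SpamCheck report. The sample text is constructed from the values quoted above (the SpamCheck string is shortened), and the function names are hypothetical.

```python
import re

# Constructed sample input, built from the values quoted in the thread.
MAILSCANNER_CONF = """\
%org-name% = MyOrg
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
"""
SA_RULES = """\
header MS_FOUND_SPAMVIRUS       exists:X-MyOrg-MailScanner-SpamVirus-Report
score MS_FOUND_SPAMVIRUS        5.899
"""
SPAMCHECK = ("spam, SpamAssassin (not cached, score=30.564, required 5, "
             "autolearn=spam, BAYES_99 3.85, URIBL_BLACK 1.73)")


def conf_value(conf, key):
    """Value of a 'key = value' line in MailScanner.conf text, or None."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*(.*?)[ \t]*$",
                  conf, re.M | re.I)
    return m.group(1) if m else None


def expanded_header_name(conf):
    """Spam-Virus Header with %org-name% filled in and the colon dropped."""
    raw, org = conf_value(conf, "Spam-Virus Header"), conf_value(conf, "%org-name%")
    if raw is None or org is None:
        return None
    return raw.replace("%org-name%", org).rstrip(":").strip()


def sa_exists_rules(rules):
    """Map rule name -> header name for each 'header NAME exists:HDR' line."""
    return dict(re.findall(r"^[ \t]*header[ \t]+(\S+)[ \t]+exists:(\S+)", rules, re.M))


def diagnose(conf, rules, spamcheck, rule="MS_FOUND_SPAMVIRUS"):
    """Return (names_match, rule_fired) for the given rule."""
    want = expanded_header_name(conf)
    have = sa_exists_rules(rules).get(rule)
    # Header field names are case-insensitive, so compare lowercased.
    names_match = None not in (want, have) and want.lower() == have.lower()
    fired = re.search(rf"\b{re.escape(rule)}\b", spamcheck) is not None
    return names_match, fired


if __name__ == "__main__":
    print(diagnose(MAILSCANNER_CONF, SA_RULES, SPAMCHECK))
```

A result of (True, False) means the names line up but the rule is absent from the SpamAssassin report, so an org-name mismatch is not the cause.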