Spam-Virus scoring not working any more for me
Michael Mansour
micoots at yahoo.com
Thu Sep 30 09:11:50 IST 2010
Hi Mark,
--- On Thu, 30/9/10, Michael Mansour <micoots at yahoo.com> wrote:
> From: Michael Mansour <micoots at yahoo.com>
> Subject: Re: Re: Re: Spam-Virus scoring not working any more for me
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Received: Thursday, 30 September, 2010, 1:57 PM
> Hi Mark,
>
> Thank you for analysing my output and your reply.
>
> --- On Mon, 27/9/10, Mark Sapiro <mark at msapiro.net> wrote:
>
> > From: Mark Sapiro <mark at msapiro.net>
> > Subject: Re: Re: Re: Spam-Virus scoring not working any more for me
> > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > Received: Monday, 27 September, 2010, 11:37 PM
> > On 11:59 AM, Michael Mansour wrote:
> >
> > > I get plenty of this stuff:
> > >
> > > Sep 26 00:11:34 server MailScanner[11193]: Clamd::INFECTED:: INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) :: ./o8PEBTxB019677/
> >
> >
> > And this says MailScanner got the report from clamd
> >
> > > No, nothing at all that says "spam-virus" and I've searched all current mail logs.
> >
> > Yet this says that MailScanner didn't recognize that
> > INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099)
> > was a spam virus.
> >
> >
> > > Note that when this used to work, I do remember seeing the "spam-virus" responses from MailScanner in the logs.
> > >
> > > Could this have something to do with the Clam version? I'm using 3 packages of clamav, clamav-db, clamd from RPMforge and all are 0.96.3.
> >
> >
> > I'm running the same clamav/clamd and it works for me. I do note that my
> > log entries do not contain things like
> > (56c0464fb2737c4622779d0b765fb23d:29099) (apparently the signature that
> > matched). Try adding * after UNOFFICIAL in your various "Virus Names
> > Which Are Spam" patterns, e.g. INetMsg.SpamDomain*UNOFFICIAL* instead of
> > just INetMsg.SpamDomain*UNOFFICIAL or possibly remove "LogVerbose yes"
> > and/or "ExtendedDetectionInfo yes" (I don't know which controls this)
> > from clamd.conf.
>
> I've added the "*" after the "UNOFFICIAL" to hopefully match the clamd output.
>
> I've checked the clamd.conf file and have:
>
> # Enable verbose logging.
> # Default: no
> #LogVerbose yes
>
> # Provide additional information about the infected file, such as its
> # size and hash, together with the virus name. It's recommended to enable
> # this option along with SubmitDetectionStats in freshclam.conf.
> #ExtendedDetectionInfo yes
> ExtendedDetectionInfo yes
>
> So it's the second option which is enabled. I enable this to provide virus stats to Clam. I'll leave this enabled for now and monitor the mail queues/virus detected files to see if the "*" has fixed it.
>
> If not, I'll disable the ExtendedDetectionInfo setting and try again.
>
> Hopefully your "*" recommendation has fixed the issue. I'll post to the list when I find out.
You were spot on with this; as soon as I made that change I waited for spam-viruses to come in and there they were, detected and scored correctly.
Basically it was the additional info that the ExtendedDetectionInfo setting in clamd.conf adds to the report sent to MailScanner.
What a great result after months of this not working :)
Thanks again.
Michael.
> Thanks.
>
> Michael.
>
> > --
> > Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> > San Francisco Bay Area, California    better use your sense - B. Dylan
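
Added example, not part of the original thread and not MailScanner's own code: a Python check that replays the failure discussed above, where the `(md5:size)` suffix appended under `ExtendedDetectionInfo yes` stops a "Virus Names Which Are Spam" pattern without a trailing `*` from matching. It assumes the patterns are shell-style globs matched against the whole reported name (modelled here with `fnmatch`); the function names and the second log line are constructed for illustration.

```python
import fnmatch
import re

# Sample input: the first line is the one quoted in the thread, the second is
# constructed to show the same report without the ExtendedDetectionInfo suffix.
LOG_LINES = [
    "Sep 26 00:11:34 server MailScanner[11193]: Clamd::INFECTED:: "
    "INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) "
    ":: ./o8PEBTxB019677/",
    "Sep 26 00:12:01 server MailScanner[11193]: Clamd::INFECTED:: "
    "INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL :: ./o8PEBTxB019678/",
]

# Virus name field of a MailScanner "Clamd::INFECTED::" log entry.
INFECTED_RE = re.compile(r"Clamd::INFECTED::\s*(\S+)\s*::")
# "(md5:size)" suffix that ExtendedDetectionInfo adds to the virus name.
EXTENDED_RE = re.compile(r"\([0-9a-f]{32}:\d+\)$")


def signature_names(lines):
    """Extract the reported virus name from each Clamd::INFECTED log line."""
    return [m.group(1) for line in lines if (m := INFECTED_RE.search(line))]


def unmatched(names, patterns):
    """Names that no pattern matches as a whole (assumed matching model)."""
    return [n for n in names
            if not any(fnmatch.fnmatchcase(n, p) for p in patterns)]


def audit(lines, patterns):
    """Return (reported, bare) pairs missed only because of the suffix."""
    findings = []
    for name in unmatched(signature_names(lines), patterns):
        bare = EXTENDED_RE.sub("", name)
        if bare != name and not unmatched([bare], patterns):
            findings.append((name, bare))
    return findings


if __name__ == "__main__":
    for pats in (["INetMsg.SpamDomain*UNOFFICIAL"],
                 ["INetMsg.SpamDomain*UNOFFICIAL*"]):
        print(pats, "->", audit(LOG_LINES, pats) or "all spam-virus names match")
```

Running it over a real mail log with the site's own pattern list shows which detections would be treated as ordinary viruses rather than scored as spam.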