[Help] scamnailer with Clamav FP

Mark Sapiro mark at msapiro.net
Sat Jul 9 02:26:54 UTC 2016


On 7/8/16 12:00 AM, Sistemisti Posta wrote:
> Hello,
> 
>  I use scamnailer.ndb with Clamav:
> 
>   http://www.scamnailer.info/documentation.html
> 
> During the last few days I have experienced many false positives with
> the @beniculturali.it domain.
> 
> I checked with beniculturali.it's admins, and it doesn't seem that they
> are currently victim of phishing or email spoofing.
> 
> Could you try to remove the beniculturali.it addresses from the list?


The short answer is No.

Longer answer.

There are two ways to use ScamNailer. One is with a set of SpamAssassin
rules (ScamNailer.cf) and the other is with ClamAV signatures
(scamnailer.ndb). These two ways have different implications in
MailScanner because one is a SpamAssassin score, and the other is an
'unofficial' virus detection.

Originally, the data for these came from some proprietary source and was
maintained by Jules and there are scripts at
<http://www.scamnailer.info/downloads.html> to produce ScamNailer.cf
<http://www.scamnailer.info/files/2/ScamNailer-2.09.gz> and
scamnailer.ndb
<http://www.scamnailer.info/files/contrib/ClamNailer-1.01.gz> from Jules'
data. The latter script doesn't produce scamnailer.ndb; it just
downloads it.

There is also a 'still updated by some process unknown to me'
scamnailer.ndb at <http://www.mailscanner.eu/scamnailer.ndb> and also
distributed by sanesecurity.com.

Over the years, the source of the data for the
<http://www.scamnailer.info/files/2/ScamNailer-2.09.gz> script has
proven unreliable so I refactored that script to use the data from
<http://svn.code.sf.net/p/aper/code/phishing_reply_addresses>. That also
contains @beniculturali.it addresses. See
<https://sourceforge.net/projects/aper/> for ways to contact that project.

The current version of that script is distributed with MailScanner and
is at
<https://github.com/MailScanner/v5/blob/master/common/usr/sbin/ms-update-bad-emails>.

The data at
<http://svn.code.sf.net/p/aper/code/phishing_reply_addresses> may also
be the source of the scamnailer.ndb files, but this is unknown to me.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

