Ability to control Non-Forging Viruses treatment with a ruleset needed.

Rick Cooper rcooper at dwford.com
Wed Jun 15 18:14:51 UTC 2016


If you use the spam virus header and spam virus names (instead of the
incorrect non-forging) you can easily set up a SpamAssassin meta rule that
excludes your client's addresses from hitting.

Hint: clam calls the office macros Heuristics.OLE2.ContainsMacros

I have a two-pronged approach to this with Exim.

If the mail comes in from just anywhere (not in special "white list"),
anything clam hits on is rejected, and if the mail comes in from internal
addresses or addresses from a specific "white list", then anything that clam
hits on that is NOT Heuristics.OLE2.ContainsMacros is rejected.

We then have, among other items, Heuristics.OLE2.ContainsMacros in the Spam
Virus names, and our meta rule checks for the Spam Virus header, then checks
the envelope sender/return address, and if it's one of the whitelisted
addresses there is no score; otherwise it's given a score of 24 and
quarantined. Of course you could simplify that and just add the respective
addresses to the spam check rules to be skipped for spam scan altogether.


Rick

Heino Backhaus wrote:
> Hello List,
> 
> I've configured the Mailscanners (v4.84.6) of our customers to treat
> office documents with macros, detected by ClamAV, as non-forging
> viruses. Now one of our customers needs to send and receive those
> documents to and from special email addresses.
> 
> Is there a way other than disabling the macro detection of ClamAV to
> let them pass through?
> 
> I'm thinking about an option like "Still deliver Non-Forging Viruses"
> as a ruleset, would be very nice. <hint>
> 
> Any Ideas?
> 
> 
> --
> Kind regards
> 
> H. Backhaus
> 
> Fink-Computer Systeme
> Heggrabenstr. 9, 35435 Wettenberg
> Email: heino.backhaus at fink-computer.de
> Web: www.fink-computer.de
> Fax: +49-641-98444638
> Fon: +49-641-98444640
> UST-ID: DE151040770
> HRB: 2143 Gießen
> GF: Fredi Fink
> 
> "In retrospect it becomes clear that hindsight is definitely
> overrated!" 
> 
>    -Alfred E. Neumann
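
A sketch of the meta rule described in the reply above, added here as an example; it is not code from the thread or from the MailScanner project. Assumptions: %org-name% is "Example", the rule names are hypothetical, and the allow-listed addresses are constructed.

```conf
# --- MailScanner.conf (assumed values, shown as comments for context) ---
#   %org-name% = Example
#   Virus Names Which Are Spam = Heuristics.OLE2.ContainsMacros
#   Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
#
# --- SpamAssassin local rules, e.g. local.cf (hypothetical rule names) ---

# 1. ClamAV's macro heuristic was reported in the Spam-Virus header.
header   __MS_SV_OLE2_MACRO  X-Example-MailScanner-SpamVirus-Report =~ /Heuristics\.OLE2\.ContainsMacros/

# 2. Envelope sender is one of the allowed addresses (constructed addresses).
header   __MACRO_ALLOWED_SENDER  EnvelopeFrom =~ /^(?:orders\@partner\.example|reports\@client\.example)$/i

# 3. Macro hit from anyone not on the list: score high enough to quarantine.
meta     MS_MACRO_UNLISTED_SENDER  (__MS_SV_OLE2_MACRO && !__MACRO_ALLOWED_SENDER)
describe MS_MACRO_UNLISTED_SENDER  Office macro attachment from sender not on macro allow list
score    MS_MACRO_UNLISTED_SENDER  24.0
```

EnvelopeFrom only matches when SpamAssassin can determine the envelope sender (see its envelope_sender_header option). The envelope sender is not authenticated on its own, so the allow list is only as strong as whatever sender checks run before this rule.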


