How MS treats spam-virus with Sanesecurity
Mark Sapiro
mark at msapiro.net
Mon Jan 21 17:17:12 UTC 2019
On 1/21/19 1:08 AM, Neil wrote:
> Hi guys,
>
> Apologies in advance, I'm not sure if this is a question for MS, MW or
> Sanesecurity but I've just discovered that despite my Sanesecurity sigs
> picking up that this email was a spam email, it hasn't blocked it or
> added points to the spam score as per the logs below...
>
> Jan 18 09:56:35 MailScanner[3219]:
> Clamd::INFECTED::Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL ::
> ./CAC9885AC.A3148/
> Jan 18 09:56:35 MailScanner[3219]: Found spam-virus
> Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148
> Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED::
> Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL ::
> ./CAC9885AC.A3148/msg-3219-52.txt
> Jan 18 09:56:35 MailScanner[3219]: Found spam-virus
> Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148

Clamd has found Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL and
MailScanner has identified it as a spam-virus because the name matched
one of the configured "Virus Names Which Are Spam" patterns. See
<https://www.mailscanner.info/MailScanner.conf.index.html#Virus%20Names%20Which%20Are%20Spam>.

The next step is MailScanner adds the header defined by "Spam-Virus
Header" to the message. The default for this is

    X-%org-name%-MailScanner-SpamVirus-Report:

I.e. if org-name is "Example" the header added is

    X-Example-MailScanner-SpamVirus-Report:

See
<https://www.mailscanner.info/MailScanner.conf.index.html#Spam-Virus%20Header>

The part you are missing is in SpamAssassin; you need something like

    header MS_FOUND_SPAMVIRUS exists:X-Example-MailScanner-SpamVirus-Report
    score MS_FOUND_SPAMVIRUS 3.0

Of course the actual name of the rule and the score are up to you.

--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
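
The chain described in the reply above, as an added example that is not part of the original message or of MailScanner itself: it derives the header name from a MailScanner.conf excerpt, checks a signature name against the spam-virus patterns, and builds the matching SpamAssassin rule. The conf excerpt is constructed, the function names are hypothetical, and the pattern matching assumes "*" means any run of characters matched case-sensitively against the whole signature name.

```python
import re

# Constructed sample MailScanner.conf excerpt (values are assumptions for illustration).
SAMPLE_CONF = """\
%org-name% = Example
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
"""

def parse_conf(text):
    """Return {key: value} for 'key = value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def spam_virus_header(conf):
    """Expand %org-name% and drop the trailing colon to get the bare header name."""
    header = conf["spam-virus header"].replace("%org-name%", conf["%org-name%"])
    return header.rstrip(":").strip()

def is_spam_virus(signature, conf):
    """True if the scanner's signature name matches a configured '*' wildcard pattern."""
    for pattern in conf["virus names which are spam"].split():
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, signature):
            return True
    return False

def sa_rule(conf, name="MS_FOUND_SPAMVIRUS", score=3.0):
    """Build the SpamAssassin rule lines that score on the header's presence."""
    return (f"header {name} exists:{spam_virus_header(conf)}\n"
            f"score {name} {score}\n")

def rule_matches_header(local_cf, conf):
    """Check that an existing 'exists:' rule names the header MailScanner adds."""
    found = re.findall(r"^\s*header\s+\S+\s+exists:(\S+)", local_cf, re.M)
    return spam_virus_header(conf).lower() in (h.lower() for h in found)

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(sa_rule(conf), end="")
```

rule_matches_header() catches the case where the SpamAssassin rule was written for a different org-name than the one MailScanner is configured with, which leaves the rule silently never firing.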