How MS treats spam-virus with Sanesecurity

Mark Sapiro mark at
Mon Jan 21 17:17:12 UTC 2019

On 1/21/19 1:08 AM, Neil wrote:
> Hi guys,
> Apologies in advance, I'm not sure if this is a question for MS, MW or
> Sansecurity but I've just discovered that despite my Sansecurity sigs
> picking up that this email was a spam email, it hasn't blocked it or
> added points to the spam score as per the logs below...
> Jan 18 09:56:35 MailScanner[3219]: 
> Clamd::INFECTED::Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL ::
> ./CAC9885AC.A3148/
> Jan 18 09:56:35  MailScanner[3219]: Found spam-virus
> Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148
> Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED::
> Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL ::
> ./CAC9885AC.A3148/msg-3219-52.txt
> Jan 18 09:56:35 MailScanner[3219]: Found spam-virus
> Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148

Clamd has found Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL and
MailScanner has identified it as a spam-virus because the name matched
one of the configured "Virus Names Which Are Spam" pattern. See

The next step is MailScanner adds the header defined by "Spam-Virus
Header" to the message. The default for this is


I.e. if org-name is "Example" the header added is



The part you are missing is in SpamAssassin, you need something like

header MS_FOUND_SPAMVIRUS exists:X-Example-MailScanner-SpamVirus-Report

Of course the actual name of the rule and the score are up to you.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list