How MS treats spam-virus with Sanesecurity

Neil nwilson123 at gmail.com
Tue Jan 22 07:49:09 UTC 2019


Hi Mark,

Thanks for your assistance!

I found two problems, one was my "Virus Names Which Are Spam" wasn't
matching the correct virus reports, and then my "header MS_FOUND_SPAMVIRUS
exists" didn't include my org-name, so even if it was matching the correct
virus report, the header being added wouldn't have matched my spamassassin
rule.

Thanks again!

Regards.
Neil Wilson.



On Mon, Jan 21, 2019 at 7:17 PM Mark Sapiro <mark at msapiro.net> wrote:

> On 1/21/19 1:08 AM, Neil wrote:
> > Hi guys,
> >
> > Apologies in advance, I'm not sure if this is a question for MS, MW or
> > Sanesecurity but I've just discovered that despite my Sanesecurity sigs
> > picking up that this email was a spam email, it hasn't blocked it or
> > added points to the spam score as per the logs below...
> >
> > Jan 18 09:56:35 MailScanner[3219]:
> > Clamd::INFECTED::Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL ::
> > ./CAC9885AC.A3148/
> > Jan 18 09:56:35  MailScanner[3219]: Found spam-virus
> > Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148
> > Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED::
> > Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL ::
> > ./CAC9885AC.A3148/msg-3219-52.txt
> > Jan 18 09:56:35 MailScanner[3219]: Found spam-virus
> > Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148
>
>
> Clamd has found Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL and
> MailScanner has identified it as a spam-virus because the name matched
> one of the configured "Virus Names Which Are Spam" patterns. See
> <https://www.mailscanner.info/MailScanner.conf.index.html#Virus%20Names%20Which%20Are%20Spam>.
>
> The next step is MailScanner adds the header defined by "Spam-Virus
> Header" to the message. The default for this is
>
> X-%org-name%-MailScanner-SpamVirus-Report:
>
> I.e. if org-name is "Example" the header added is
>
> X-Example-MailScanner-SpamVirus-Report:
>
> See
> <https://www.mailscanner.info/MailScanner.conf.index.html#Spam-Virus%20Header>
>
> The part you are missing is in SpamAssassin, you need something like
>
> header MS_FOUND_SPAMVIRUS exists:X-Example-MailScanner-SpamVirus-Report
> score  MS_FOUND_SPAMVIRUS 3.0
>
> Of course the actual name of the rule and the score are up to you.
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
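
A pre-flight check for the two failure points named in this thread, as an added example that is not part of the original messages or of MailScanner: it expands `%org-name%` in "Spam-Virus Header", tests a reported virus name against "Virus Names Which Are Spam", and looks for a SpamAssassin `exists:` rule on the resulting header. The configuration excerpt and rules file are constructed samples, and the wildcard semantics (space-separated patterns, `*` as any run of characters, whole-name match) are an assumption about how MailScanner compares names.

```python
import re

# Constructed samples (not from the thread): the SpamAssassin rule below
# leaves the org-name out of the header it tests, so it can never fire.
SAMPLE_CONF = """\
%org-name% = Example
Virus Names Which Are Spam = Sane*UNOFFICIAL
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
"""
SAMPLE_RULES = """\
header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
score  MS_FOUND_SPAMVIRUS 3.0
"""

def parse_conf(text):
    """Return 'name = value' settings from MailScanner.conf text, keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def spam_virus_header(settings):
    """Expand %org-name% in 'Spam-Virus Header' and drop the trailing colon."""
    header = settings["spam-virus header"]
    return header.replace("%org-name%", settings["%org-name%"]).rstrip(":")

def name_is_spam_virus(settings, virus_name):
    # Assumption: space-separated patterns, '*' = any characters, whole-name match.
    for pattern in settings["virus names which are spam"].split():
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, virus_name):
            return True
    return False

def rules_for_header(rules_text, header):
    """Names of 'header NAME exists:HEADER' rules that test this header."""
    pat = re.compile(r"^\s*header\s+(\S+)\s+exists:(\S+)", re.M)
    # Header field names are case-insensitive, so compare them lower-cased.
    return [n for n, tested in pat.findall(rules_text) if tested.lower() == header.lower()]

def check(conf_text, rules_text, virus_name):
    """Report the expanded header, whether the name matches, and the rules testing it."""
    settings = parse_conf(conf_text)
    header = spam_virus_header(settings)
    return {"header": header, "name_matches": name_is_spam_virus(settings, virus_name),
            "rules": rules_for_header(rules_text, header)}
```

An empty `rules` list together with `name_matches` being true is the second problem described above: the header is added, but no SpamAssassin rule tests it.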