Jerry,

> I understand they're not true virus files, but the default value of
> 0.1 is way low and was causing them to be passed on to users.  It
> seems the SA rules to catch these should be in the standard set.

Release notes suggest a set of SA rules to match these.

Although high scores can be given in @virus_name_to_spam_score_maps,
it is better to keep them low and let an AV finding just contribute
to other SA scores. This way SA has a chance to counterbalance
some false positives as given by ClamAV rules (especially the
Sanesecurity rules have a tendency to be trigger happy) or push
the score even higher for a clean discard (bounce suppression).
It also behaves better in case the checking results are cached
and reused.

> I just set the maps to undef, it was easier than writing a bunch of
> rules.  Now they all skip delivery again.

...but are treated as viruses unconditionally. It may be acceptable
(this was a behaviour until 2.5.0), although it has its deficiencies
(like unconditional false positives and quarantining with viruses).

> Is there any reason SA needs to see these messages?  Seems simply
> deleting them before they even get to SA is faster and does the same
> thing.

I get about 3.8% of messages matching ClamAV spam rules at our site.
If this extra load (by not skipping an SA call) poses a problem,
I'd say you have other things to worry about.

I've noticed several false positives in the first two weeks of May,
saved by other SA rules. These are usually mail with images or
bounces, blocked by MSRBL-Images, MSRBL-SPAM.SpamBlowBack, 
Email.Hdr.Sanesecurity, Email.Spam.Gen*.Sanesecurity.
At least for images I'd say a couple of our users would
be quite unhappy if they were blocked (serious mail, not just
some jokes being passed around).

  Mark
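As an added illustration (not part of Mark's message or Jerry's configuration), the two choices discussed above written as amavisd.conf settings; the signature-name patterns and the 0.1 values are assumptions in the style of amavisd.conf's new_RE map lists:

```perl
# amavisd.conf excerpt (added example; patterns and scores are assumptions)
#
# Option A, what Jerry did: with no usable map, no ClamAV name matches, so
# every hit, Sanesecurity and MSRBL spam signatures included, is treated as
# a virus unconditionally (the pre-2.5.0 behaviour). Delivery is skipped,
# SpamAssassin never gets a chance to counterbalance a false positive, and
# the message ends up quarantined together with real viruses.
#
#   @virus_name_to_spam_score_maps = undef;   # same effect as: = ();
#
# Option B, as advised above: map the spam-signature names to a small score
# so the ClamAV finding only contributes to the SpamAssassin total. The
# first matching pattern wins, so list the spam-signature families
# explicitly; a name matched by no entry is still handled as a real virus.
@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    # MSRBL image and spam-blowback signatures (false positives seen in May)
    [ qr'^MSRBL-(Images|SPAM)'i     => 0.1 ],
    # Sanesecurity header and generic spam signatures
    [ qr'^Email\.(Hdr|Spam)\.'i      => 0.1 ],
    [ qr'\.Sanesecurity$'i           => 0.1 ],
    # Higher values (e.g. above the SA kill level) are possible here, but
    # then a trigger-happy signature alone decides the fate of the mail.
  ));
```

With option B, a false positive on a legitimate image mail scores 0.1 from ClamAV and is then saved or condemned by the other SA rules, which is the counterbalancing described above.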
