Bill Landry wrote the following on 5/18/2007 12:54 PM -0800:
> Mark Martinec wrote the following on 5/18/2007 12:46 PM -0800:
>
>> Bill,
>>
>>>>> [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
>>>>> [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef],
>>>>> [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
>>>>> [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
>>
>>> It's setup this way because that's the way you have it shown in the
>>> amavisd.conf-default file that comes with the distro
>>
>> I have it that way, because I wanted to have the:
>>
>>   ^(Email|Html)\.Malware\.Sanesecurity\.
>>
>> treated as a virus, and not as a spam.
>>
>> The rule stands above the
>>   ^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.
>> rule, which would have matched on such name too.
>>
>> So my intention is to let Email|Html * .Sanesecurity
>> be spam, except for Email|Html .Malware .Sanesecurity
>>
> Yep, that's exactly what I want, as well. However, it does not work
> this way in reality. I can send you a sample malware off-list to test
> with, if you would like (let me know).
>
>>> If it does work then it looks like amavisd-new separates the headers
>>> from the body...and then uses clamd to scan the body ONLY...
>>
>> Yes, as always, except when some decoder declares it is
>> unable to decode, or if @keep_decoded_original_maps matches,
>> in this case AV scanner would also see the complete mail,
>> in addition to each decoded part.
>>
>
> I know that, as Noel suggested, I can set "qr'^MAIL$',", but didn't
> really want to have to do that unless absolutely necessary due to the
> additional overhead.

Well, this was not a good solution:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking (can be slow)

as this had the effect of quarantining everything that SaneSecurity and
MSRBL detected, including spam, phish, image, scam, etc., and not just
malware. :-(

Any other suggestions?

Thanks,

Bill
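Added example, not part of Bill's or Mark's messages and not amavisd-new code: a stand-alone Perl check of which of the four quoted entries a signature name reaches first. It assumes the first matching entry decides and that undef there leaves the name classified as a virus, which is the intent Mark describes; the classify helper and the sample names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The four entries quoted in the thread, in the same order.
my @rules = (
  [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1   ],
  [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
  [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 0.1   ],
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 0.1   ],
);

# Assumed semantics (the intent described in the thread, not amavisd's code):
# the first entry whose regex matches decides; undef there means "leave as virus".
sub classify {
  my ($name) = @_;
  for my $i (0 .. $#rules) {
    my ($re, $score) = @{ $rules[$i] };
    next unless $name =~ $re;
    return ($i + 1, defined $score ? "spam score $score" : 'virus (undef)');
  }
  return (0, 'virus (no entry matched)');
}

# Constructed signature names for illustration, not taken from a real database.
my @samples = (
  'Email.Phishing.Sanesecurity.00000000',
  'Email.Malware.Sanesecurity.00000000',
  'Html.Malware.Sanesecurity.00000000',
  'HTML.Malware.Sanesecurity.00000000',  # upper-case HTML: entries 2 and 3 are case-sensitive
  'Email.Stk.Sanesecurity.00000000',
  'MSRBL-Images/0-constructed',
  'Eicar-Test-Signature',
);

# Print, for each name, the entry number that decided (0 = none) and the verdict.
for my $name (@samples) {
  my ($entry, $verdict) = classify($name);
  printf "%-40s entry %d  %s\n", $name, $entry, $verdict;
}
```

Running it against the exact name clamd reports for a test message shows whether the regex order alone produces the intended split; if it does, the difference lies in how the scanner result is handled rather than in the expressions.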
