Mark Martinec wrote the following on 5/21/2007 5:06 PM -0800: > Bill, > > >> I've noticed that when multiple message parts match different clamav >> signatures, *all* the signature names must be listed in >> @virus_name_to_spam_score_maps for it to be considered spam. >> > > Yes, as documented in RELEASE_NOTES: > > [...] When a virus scanner returns > names of viruses, and all provided names are matched by the > @virus_name_to_spam_score_maps, and no other virus scanner has > anything more sinister to report, then a message is _not_ flagged > as a virus, but a corresponding spam score is contributed to other > spam results [...] > > This is a key issue here. > > Your test example after enabling /^MAIL$/ (which requests that > a full message is passed to virus scanners, besides each decoded > part), clamd starts to report _two_ malware names. > Mark, can you tell me why the Email.Malware are still not detected without enabling /^MAIL$/? I would like to keep virus scan processing to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are not detected. > As the 'Phishing.Email' was not in your @virus_name_to_spam_score_maps > list, such mail did not fulfill the requirement that _all_ reported > names must be in the list for the result to be turned into spam, > so you ended up with a quarantined 'virus'. Thanks for the explanation, and thanks to Noel for his assistance in figuring this out off-list over the weekend.
Bill ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ AMaViS-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
