> sanesecurity site:
> references this archived email:
> says to set bypass_decode_parts=1 in amavisd.conf
> 
Like bill says, you need one or the other.

Now, looking at the readmes and example:

header L_AV_Phish      X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i
header L_AV_SS_Phish   X-Amavis-AV-Status =~ m{\b(Email|Html)\.Phishing(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Scam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Spam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Spam|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Hdr     X-Amavis-AV-Status =~ m{\b(Email|Html)\.Hdr(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Img     X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Img|ImgO)(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_MSRBL_Img  X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}

But it looks like sanesecurity sigs don't do:

HTML.Sanesecurity.(?)

They do:

/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.TestSig_Type4_Bdy.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Spam.4757.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171554-41906/parts/p004: Sanesecurity.Spam.9571.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p004: Sanesecurity.Junk.7324.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Scam.9460.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p001: Sanesecurity.Scam.9460.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171554-41906/parts/p002: Sanesecurity.Junk.4247.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p004: Sanesecurity.Spam.10049.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p004: Sanesecurity.Spam.10049.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Spam.10040.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.13875.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.13875.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.13875.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.10357.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.11598.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.414.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171554-41906/parts/p003: Sanesecurity.Junk.12707.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.2014.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.11598.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T174419-42478/parts/p004: Sanesecurity.Spam.10049.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T174601-42476/parts/p004: Sanesecurity.Hdr.8289.UNOFFICIAL FOUND

> amavisd says to set it to 0 if you are using bounce_killer or using
> 'file' to guess the attachment type.
> 
> (i have it set to 0, using bounce killer and file)
> 
> (http://marc.info/?t=117951293700001&r=1&w=2)
> 
> OT: bill, funny thing:  I can't look up your DNS servers from our
> internal network..
> 
> 
> http://sanesecurity.com/usage.htm
> 
> says: uncomment the #qr'^MAIL'
> 
> @keep_decoded_original_maps = (new_RE(
>   qr'^MAIL$',   # retain full original message for virus checking (can be slow)
>   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
> 
> 
> and it looks like sane security test #2 and 3 did fail if I don't do
> this in amavisd.conf:
> (uncomment out the qr'^MAIL'.
> 
> so, 'can be slow'.  how slow is it? and is bill landry wrong saying I
> need bypass-decode_parts=1?
> is this something fixed in 2.6.2?
> 
> 
> 
> (see above)
> 

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer


_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 
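
Added example, not part of the original message: a Python check of the quoted header rules against signature names copied from the scan output above, showing that none of them fire on the Sanesecurity.* naming. The closing of L_AV_SS_Spam is assumed from its sibling rules (the line is cut off in the post); PREFIX_STYLE and OLD_STYLE_SAMPLE are hypothetical, constructed for illustration.

```python
import re

# Rules as quoted in the message. L_AV_SS_Spam is cut off on the page; its
# closing "\.Sanesecurity\." is an assumption taken from the sibling rules.
TAIL = r"(\.[^., ]*)*\.Sanesecurity\."
README_RULES = {
    "L_AV_Phish": re.compile(r"\b(Email|HTML)\.Phishing\.", re.I),
    "L_AV_SS_Phish": re.compile(r"\b(Email|Html)\.Phishing" + TAIL),
    "L_AV_SS_Scam": re.compile(r"\b(Email|Html)\.(Scam[A-Za-z0-9]?)" + TAIL),
    "L_AV_SS_Spam": re.compile(
        r"\b(Email|Html)\.(Spam|Bou|Stk|Loan|Cred|Job|Dipl|Doc)" + TAIL),
    "L_AV_SS_Hdr": re.compile(r"\b(Email|Html)\.Hdr" + TAIL),
    "L_AV_SS_Img": re.compile(r"\b(Email|Html)\.(Img|ImgO)" + TAIL),
}

# Hypothetical pattern for the prefix-style names in the scan output; it is
# not taken from the amavisd or Sanesecurity documentation.
PREFIX_STYLE = re.compile(r"\bSanesecurity\.([A-Za-z][A-Za-z0-9_]*)\.")

# Five lines copied from the scan output in the message (wrapping undone).
SCAN_OUTPUT = """\
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.TestSig_Type4_Bdy.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Spam.4757.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Scam.9460.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p004: Sanesecurity.Junk.7324.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T174601-42476/parts/p004: Sanesecurity.Hdr.8289.UNOFFICIAL FOUND
"""

# Constructed name in the older suffix style the README rules were written for.
OLD_STYLE_SAMPLE = "Email.Spam.Gen123.Sanesecurity.08041500"

def signature_names(scan_output):
    """Pull the signature name out of each 'path: NAME FOUND' line."""
    return re.findall(r"^\S+: (\S+) FOUND$", scan_output, re.M)

def rules_hit(name):
    """Names of the README rules whose pattern matches this signature name."""
    return [rule for rule, rx in README_RULES.items() if rx.search(name)]

def category(name):
    """Category component of a prefix-style name, or None if not that style."""
    m = PREFIX_STYLE.search(name)
    return m.group(1) if m else None

if __name__ == "__main__":
    for name in signature_names(SCAN_OUTPUT) + [OLD_STYLE_SAMPLE]:
        print(f"{name:45} rules={rules_hit(name) or 'none'} category={category(name)}")
```

This assumes the signature name reaches X-Amavis-AV-Status in the same form the scanner prints it.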