On Mon, 15 Nov 2004, Trog wrote:

> Please give a full definition of Spam and Malware/Viruses that do not intersect, and will never intersect for all future Spam and Malware such that we can be sure we know what you are requesting.

After reading the 100+ messages in this thread, I've gotta say I'm disappointed that nobody has stated the obvious answer:


ClamAV should block things that propagate "automatically". If it's something that is released into the wild, then propagates without intervention from a central organizing authority, then it obviously won't be changing and can be analyzed and a signature developed.[1]

One-time mailings, such as spam and phishing schemes, will change with every iteration. There is no hope of generating a signature for these, and any attempt to construct one will merely overload us with useless signatures that slow down the scanner and lead to false positives.

[1] I realize this leaves the slightly shady area of trojans. Personally, I wouldn't mind if ClamAV didn't catch those. I want it to stop the latest threats that are attacking en masse. Missing an occasional targeted threat isn't such a big deal by comparison. So, if the developers insist on pursuing this silly phishing/spam signature thing, how about putting it in its own database that people can optionally download? Just don't corrupt the main database with it. It's a LOT easier for people to get two databases and combine them than for people to remove the "stupid" signatures from a single database.


A few other notes for the general discussion:

Virus blocking is "easy", because it is a reactive process. We are given a virus sample. That sample contains all information about how the virus will behave in the future. You can therefore construct a signature to stop it. Furthermore, false positives can be easily checked for and eliminated. It is therefore safe to reject tagged mails without further review. In the unlikely event of a false positive, the original sender will be notified.

Spam blocking is "hard", because it must be a proactive process. No two spams are alike. Creating a signature for one spam is unlikely to be useful against another. As a result, any signatures must, of necessity, be so short as to lead to false positives. This requires a more advanced system to determine whether or not to flag a message, namely scoring. Users can choose a threshold they feel comfortable with.


Finally, a rant:

When I first saw the subject line, I thought it was some clueless newbie asking us to turn ClamAV into SA, and I expected a lot of bashing of newb stupidity for not using the right tool for the right job. Then I noticed the word "not" in the subject line, and wondered why there was so much discussion on such a basic concept. After reading 100+ messages, I'm somewhat frustrated. Really, folks. This is simple. Stop arguing. Just read the above and accept it. Oh, and stop claiming that "almost everyone" is on your side. Posting volume does not equal number of people. Especially when it's the same 3 people posting 20 times each.

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
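The distinction Damian draws above, fixed-byte signatures for code that propagates unchanged versus threshold scoring for mail that changes every time, as an added example that is not part of the original post or of ClamAV's own code. The samples (a fake worm body, two spam variants and one legitimate reply) are constructed for the example; the signature parser handles only the four mandatory fields of ClamAV's .ndb format (Name:TargetType:Offset:HexSig, plain hex, absolute or `*` offset), and the scoring rules, weights and threshold are made up to illustrate the point rather than taken from any real filter.

```python
import re

# ---- constructed samples: none of this is real malware, real spam or a real signature ----
WORM_SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
               + b"EXAMPLE-WORM: copy self to C:\\svchost32.exe; mail everyone in the address book")
WORM_AS_SEEN_ON_NEXT_HOP = bytes(WORM_SAMPLE)  # self-propagating code arrives byte-identical

SPAM_1 = "Subject: Cheap V1agra!!\n\nClick here for $19 pills. Unsubscribe below.\n"
SPAM_2 = "Subject: Your discount meds\n\nViagra only $22 - click here now! unsubscribe: reply\n"
LEGIT = "Subject: Re: your prescription\n\nDr. Lee here. The viagra dose stays at 50 mg; call if dizzy.\n"

NDB_LINE = re.compile(r"^([^:]+):(\d+):(\*|\d+):([0-9a-fA-F]+)$")


def parse_ndb(line):
    """Parse Name:TargetType:Offset:HexSig, the four mandatory .ndb fields.
    Only plain hex bodies and absolute or '*' offsets are supported (a subset of the real format)."""
    m = NDB_LINE.match(line.strip())
    if not m or len(m.group(4)) % 2:
        raise ValueError(f"not a supported .ndb line: {line!r}")
    name, target, offset, hexsig = m.groups()
    return {"name": name, "target": int(target),
            "offset": None if offset == "*" else int(offset),
            "pattern": bytes.fromhex(hexsig)}


def signature_from_sample(name, sample, start, length, anchored=True):
    """Reactive step: we hold a sample, so a fixed slice of it becomes the signature."""
    offset = str(start) if anchored else "*"
    return f"{name}:0:{offset}:{sample[start:start + length].hex()}"


def signature_scan(data, signatures):
    """Return the first signature name whose byte pattern is present in data, else None."""
    for sig in signatures:
        pat, off = sig["pattern"], sig["offset"]
        if off is None:
            if pat in data:
                return sig["name"]
        elif data[off:off + len(pat)] == pat:
            return sig["name"]
    return None


# Scoring rules (made up): (regex, weight). Integer weights keep the sums exact.
SPAM_RULES = [
    (re.compile(r"\bv[i1]agra\b", re.I), 3),
    (re.compile(r"click here", re.I), 2),
    (re.compile(r"\$\d+"), 2),
    (re.compile(r"unsubscribe", re.I), 1),
    (re.compile(r"^Subject: Re:", re.I | re.M), -2),  # replies to real threads are rarely spam
]


def spam_score(message, rules=SPAM_RULES):
    return sum(weight for rx, weight in rules if rx.search(message))


def is_spam(message, threshold=6, rules=SPAM_RULES):
    """The user-chosen threshold is what turns fuzzy evidence into a verdict."""
    return spam_score(message, rules) >= threshold


def compare_approaches():
    """Run both approaches over the constructed samples and return the outcomes."""
    worm_db = [parse_ndb(signature_from_sample("Worm.Example", WORM_SAMPLE, 16, 24))]
    # Two attempts at a spam signature: a long slice of one spam, and one short 'distinctive' word.
    spam_db = [parse_ndb(signature_from_sample("Spam.Variant1", SPAM_1.encode(), 25, 24, anchored=False)),
               parse_ndb("Spam.ShortWord:0:*:" + b"viagra".hex())]
    return {
        "worm_next_hop_caught": signature_scan(WORM_AS_SEEN_ON_NEXT_HOP, worm_db),
        "spam1_by_long_sig": signature_scan(SPAM_1.encode(), spam_db[:1]),
        "spam2_by_long_sig": signature_scan(SPAM_2.encode(), spam_db[:1]),   # variant evades it
        "legit_by_short_sig": signature_scan(LEGIT.encode(), spam_db[1:]),   # false positive
        "scores": {"spam1": spam_score(SPAM_1), "spam2": spam_score(SPAM_2), "legit": spam_score(LEGIT)},
        "verdicts": {"spam1": is_spam(SPAM_1), "spam2": is_spam(SPAM_2), "legit": is_spam(LEGIT)},
    }


if __name__ == "__main__":
    for key, value in compare_approaches().items():
        print(f"{key}: {value}")
```

The worm signature built from one sample catches the byte-identical copy on the next hop with no false-positive risk, because it is anchored at a fixed offset and 24 bytes long. The long spam signature taken from SPAM_1 misses SPAM_2, and the short one that does cover both variants also fires on the doctor's reply; only the scoring path separates all three messages, and it does so by a margin the user sets.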