Gene Heskett wrote:
> But, I do wish that clamd would send me a substitute email advising that
> it has stashed a suspect incoming email into the
> mailfile /var/spool/mail/virii. I try to look that file over for FP's,
> but quickly get lost in the visual garbage because it's probably a zip'd
> file.

This depends on exactly where clamdscan is being called in your mail processing; ClamAV just does a bunch of pattern matching and returns a result in most configurations.

On my personal server, I call Clam from the MIMEDefang milter such that all signature-based hits get discarded sight unseen, but any hits on any phishing or "Heuristics" tests get a header added for consideration by SpamAssassin, precisely because of things like:

> I just looked over 260kb of what clamd id'd as virii, but which in
> fact are 5 messages from my bank about a new CC they were sending me,
> and some 5 or 6 were propaganda from AARP. And 3 shipping notices
> regarding stuff I bought thru ebay. In this case, an FP rate in excess
> of 90%! That is so high that I am expunging the clamd recipe from
> my .procmailrc as the next thing I do. Only two files
> containing .zip's were real suspects, and I do have a delete button.

I suspect those FP hits are Heuristics.Phishing.Email.SpoofedDomain hits. A lot of organizations that should really know better tend to trigger this with third-party mailings or promotional mailings where the link text says "mybank.com", but the link address is "tracking.example.com".

-kgd
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
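As an added illustration (not code from this thread, from ClamAV or from MIMEDefang), the split kgd describes in Python: signature hits are discarded, Heuristics.* hits are only tagged for SpamAssassin, and scanner errors tempfail. It assumes clamd's reply-line shape ("stream: <name> FOUND" / "stream: OK" / "<path>: <msg> ERROR"); the SpoofedDomain check is a simplified stand-in for the link-text-versus-href condition described above, not ClamAV's real heuristic, and the sample HTML is constructed.

```python
import re
from typing import List, Optional, Tuple

# One clamd reply line, e.g. "stream: Eicar-Test-Signature FOUND",
# "stream: OK" or "/path: Can't open file ERROR" (assumed shape).
_RESULT_RE = re.compile(r"^(?P<path>.*?): (?:(?P<sig>.+) FOUND|OK|(?P<err>.+) ERROR)$")


def disposition(clamd_reply: str) -> Tuple[str, Optional[str]]:
    """Map one clamd reply line to a milter action: 'discard' for a
    signature hit, 'add_header' for a Heuristics.* hit so SpamAssassin can
    weigh it, 'accept' for clean, 'tempfail' when the scanner itself failed
    (never silently pass or lose mail on an error).  Returns (action, name)."""
    m = _RESULT_RE.match(clamd_reply.strip().rstrip("\x00"))
    if not m or m.group("err"):
        return ("tempfail", None)
    sig = m.group("sig")
    if sig is None:
        return ("accept", None)
    if sig.startswith("Heuristics."):
        return ("add_header", sig)  # e.g. X-ClamAV-Heuristic: <sig> (hypothetical header)
    return ("discard", sig)


_ANCHOR_RE = re.compile(r'<a\s[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>',
                        re.I | re.S)
_HOST_RE = re.compile(r"^(?:https?://)?(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)


def spoofed_domain_links(html: str) -> List[Tuple[str, str]]:
    """Simplified approximation of the SpoofedDomain condition (not ClamAV's
    logic): visible link text names one host but the href goes to another.
    Returns (text_host, href_host) pairs; legitimate tracking-link mailings
    look exactly like this, which is why such hits only get a header."""
    hits = []
    for m in _ANCHOR_RE.finditer(html):
        text = re.sub(r"<[^>]+>", "", m.group("text")).strip()
        shown, real = _HOST_RE.match(text), _HOST_RE.match(m.group("href").strip())
        if shown and real and shown.group("host").lower() != real.group("host").lower():
            hits.append((shown.group("host").lower(), real.group("host").lower()))
    return hits


# Constructed sample resembling the bank mailing from the thread.
SAMPLE_HTML = (
    '<p>Your new card is on its way. Activate at '
    '<a href="http://tracking.example.com/c/123">mybank.com</a> or '
    '<a href="https://mybank.com/login">mybank.com</a>.</p>'
)
```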
