ClamAV is now marking phishing messages as virus-positive. I think it's a bit ludicrous to consider phishing messages as viruses rather than spam -- they share far more traits with spam than viruses, I think, although I can see why anti-virus software works well for this with their rapid-rule-deployment infrastucture.
Anyway, ClamAV can do what they want, but I think everyone building a corpus needs to put ClamAV phishing positive messages into their spam corpus rather than classifying them as viral and removing them from their corpus. I strongly suspect this is throwing off some of our forgery and anti-phishing rules. Daniel -- Daniel Quinlan http://www.pathname.com/~quinlan/
