Honestly I'm -0.5 on this. SA isn't a virus scanner, and while it could
The magic key that to my mind makes bringing it into the core set isn't
"virus", its "phish". Agreed, SA isn't a virus scanner and probably
shouldn't be; it is quite inefficient at that sort of thing.
But to the best of my knowledge there is no dedicated "phish" scanner, and I
don't recall anyone ever having put one or more feet down and stated
categorically that "SA isn't a phish scanner!". There is the interesting
question of whether you want to reject phish outright at connect time, or
whether you maybe want to collect them and do somethig with them. I'm
inclined to the later approach; others might not be.
The nice thing about the Clam plugin is that it lets you have it either way
with phish. And yes, with virui too; but I consider that immaterial to the
discussion.
SA has some rules to detect phish. I've written quite a few myself,
although rather long ago in email years. Frankly they aren't very
comprehensive. These days the SaneSecurity stuff does an *excellent* job of
catching phish - so much so that I haven't needed to write more than one or
two specific rules in the last 6 months for these things.
By using the Clam plugin with the SaneSecurity signatures you have the
chance to catch suspected phish and do something other than rejecting them
outright.
From conversations on the user's list lots of people are using this plugin
and like it (me included), and there hasn't been any notable nagative
comment that I can recall, other than the occasional "SA isn't a virus
scanner, so don't use that plugin" comments.
Loren
