Steve wrote:
DSPAM is a statistical software and not a rule/hash based software
like an anti-virus application. Having a string or binary on which
DSPAM would always report spam is pointless in a statistical software.
If you want, you could create your own string and train with that
string your DSPAM installation to report that string as spam.
[...]

I'm not sure I followed all of that sufficiently to be able to work
through it. Assuming I'm injecting the mail into the system as normal
(i.e. by sending an email) then I'm not sure how I'd tell dspam not to
train on it. I can see how I might do that from the command line but
that doesn't help me test that the mail server is processing spam
correctly. But I'm probably missing something!

Tony Earnshaw wrote:
How many different tokens would OP have to add to catch all viruses,
ever, even in the future, that proper AV software already catches?
Sorry, but this is flogging a dead horse (as we in the knacker's trade
express it).

Tony, you're missing the point of what I want to do. I don't want dspam
to catch EICAR - that's the job of anti-virus software as you point out.
I want it to catch something similar (a "fake" spam) so that I can test
my dspam installation in the same way I can test my AV install using
EICAR. Eg: I can send the EICAR "virus" into or through my mail server
in various ways and see what happens. I want to similarly send a test
spam through my mail server and confirm (a) that it gets caught, (b)
check it's visible through quarantine (for the correct user), (c) check
it has correct headers inserted etc, (d) test my mail client for correct
routing of received spam as flagged by dspam, (e...) and so on.
The "wait until a spam is received for that user" approach isn't always
ideal! In particular I can't test the spam setup that way until the MX
records are pointed at the server so that it starts to collect spam.
Also, I could routinely send a welcome message to new users including
the "spam signature" which I know would end up in their quarantine and
could be part of the user training process that is usually somewhat
harder than training dspam itself :-)
At the moment, the best I can do is use dspam to call clamav, and rely
on dspam indirectly quarantining EICAR, but I have some clients who want
anti-virus but not anti-spam (and might one day have those who want the
reverse).
--
Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555
Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
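
Added example, not part of the original thread: one way to automate check (c) from the list above, verifying that a delivered test message carries DSPAM's verdict headers. It assumes DSPAM is configured to write its result into `X-DSPAM-*` headers; the function name and the sample messages are constructed for illustration.

```python
from email import message_from_string

# Assumed configuration: DSPAM writes its verdict into X-DSPAM-* headers.
SCORE_HEADERS = ("X-DSPAM-Confidence", "X-DSPAM-Probability")


def check_dspam_headers(raw, expected="Spam"):
    """Return a list of problems with the DSPAM headers; empty means pass."""
    msg = message_from_string(raw)
    problems = []
    results = msg.get_all("X-DSPAM-Result") or []
    if not results:
        problems.append("missing X-DSPAM-Result")
    elif len(results) > 1:
        # A second copy suggests a sender-supplied header was not stripped.
        problems.append("duplicate X-DSPAM-Result")
    elif results[0].strip().lower() != expected.lower():
        problems.append(f"result is {results[0].strip()!r}, expected {expected!r}")
    for name in SCORE_HEADERS:
        value = msg.get(name)
        if value is None:
            problems.append(f"missing {name}")
            continue
        try:
            in_range = 0.0 <= float(value) <= 1.0
        except ValueError:
            in_range = False
        if not in_range:
            problems.append(f"{name} is not a score in [0, 1]: {value.strip()!r}")
    return problems


# Constructed sample messages (not captured from a real server).
BASE = "From: tester@example.org\nTo: user@example.org\nSubject: test spam\n"
SCORES = "X-DSPAM-Confidence: 0.9997\nX-DSPAM-Probability: 1.0000\n"
TAGGED = BASE + "X-DSPAM-Result: Spam\n" + SCORES + "\nbody\n"
FORGED = BASE + "X-DSPAM-Result: Innocent\nX-DSPAM-Result: Spam\n" + SCORES + "\nbody\n"
UNTAGGED = BASE + "\nbody\n"

if __name__ == "__main__":
    for label, raw in (("tagged", TAGGED), ("forged", FORGED), ("untagged", UNTAGGED)):
        print(label, check_dspam_headers(raw) or "OK")
```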