Chr. v. Stuckrad wrote:
On Mon, 23 Jul 2007, John Scully wrote:

       ...               After adding the sanesecurity sigs to clamd last
week not one PDF has made it through.  And since clamd unpacks and examines
every attachment anyway it is no additional load.  In fact, due to the
messages not hitting SA it probably reduced load slightly.

I have a 'political problem' with that.  We 'drop' known viruses into
a quarantine directory without further notice, and only once in years
somebody complained and wanted his virus back :-)

We *only* TAG spam with headers, then users decide to drop, move, or read it.

So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
not as 'our spam', which I'm not allowed to destroy.

Did any of you create an extra 'instance' of clamad-filter to fight
spam with spam-sigs only, without scanning for virus-sigs?  Does that
sound feasible?

What I did for nearly the same reason is:
Using amavisd-new, which scans ONLY the attachments - which is OK for me when these PDFs get treated as viruses. But I didn't want the other (especially scam, spam and stuff) rules to treat the mail as a virus... So I added the clamplugin to SA, which receives the WHOLE mail and sorts out the rest then...

This is configurable in amavisd-new, whether you want to hand the full mail to clamav or only the attachments - this solved the problem for me. If you want it to be more separate, you'll have to run two clamav instances, which isn't that hard either but uses a bit more resources... You basically just need a separate startup script and a second directory with the signatures and a config file pointing to them - I vaguely remember having seen instructions for such a setup somewhere on msrbl or sanesecurity, if I'm not mistaken.

Matt
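
An added example, not part of the thread or of any poster's setup: a sketch of the two-instance arrangement discussed above, in which a hit from the virus-signature clamd quarantines the mail while a hit from the spam-signature clamd only tags it. The socket paths, the header name and the helper names are assumptions; the framing follows clamd's INSTREAM command.

```python
import socket
import struct

# Assumed socket paths: one clamd per signature set, each started with its own
# config file (its own signature directory, socket and PID file).
VIRUS_SOCKET = "/var/run/clamav/clamd-virus.sock"  # virus signatures only
SPAM_SOCKET = "/var/run/clamav/clamd-spam.sock"    # third-party spam signatures only

def instream_frames(data, chunk_size=8192):
    """Frame data for INSTREAM: length-prefixed chunks, then a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(reply):
    """Return the matched signature name, or None when clamd reports the stream clean."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return text[:-len(" FOUND")].split(": ", 1)[1]
    if text.endswith(" OK"):
        return None
    raise RuntimeError("clamd error: " + text)  # fail loudly, never treat as clean

def scan(sock_path, data):
    """Send the whole message to one clamd instance over its Unix socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)

def decide(virus_hit, spam_hit):
    """Policy from the thread: viruses are quarantined, spam is only tagged."""
    if virus_hit:
        return ("quarantine", virus_hit)
    if spam_hit:
        return ("tag", "X-Spam-Clamav: " + spam_hit)  # hypothetical header name
    return ("deliver", None)

def handle(message, scanner=scan):
    """Scan with both instances and return the (action, detail) for this message."""
    return decide(scanner(VIRUS_SOCKET, message), scanner(SPAM_SOCKET, message))
```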
