On Sat, 2009-10-31 at 07:29 -0500, Chris wrote:
> On Sat, 2009-10-31 at 07:46 +0000, rich...@buzzhost.co.uk wrote:
> > http://pastebin.com/m53a550ce
> >
> > Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> > Institute.
> >
> > Looking at it objectively there is little for a filter to go on other
> > than the words:
> >
> > username password followed by a webmail type email address
> >
> > in the body.
> >
> >
> >
> Short Circuit rule hit here due to ClamAv plug-in firing:
>
> -0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
> [155.52.251.101 listed in
> hostkarma.junkemailfilter.com]
> 20 CLAMAV Clam AntiVirus detected a virus
>
> X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)
>
My clamav is on a milter ahead of SA, my thinking being I don't bother
scanning anything that has a virus - drop it with an SMTP 5xx. I had no
virus/attachment with this mail, hence why it scanned and scored low.
I'm not sure if this is the spammer dropping a cog and not attaching
anything.
