Yes, it is 6.2, sorry for the typo. To give you the full explanation, our
MTA is Exim. We use SpamAssassin separately and various RBLs. ClamAV with
SaneSecurity is purely for Virus/phishing/scam scanning. We drop anything
that ClamAV+ SaneSecurity objects to, hence the need to be absolutely sure
to eliminate FP.
I tried to whitelist the offending signatures, but it grew, so the best
thing was to get rid of junk.ndb, which was causing most problem.
Cheers
Sujit
-----Original Message-----
From: sanesecurity-bounce@xxxxxxxxxxxxx
[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of Peter
Sent: 01 September 2016 11:04
To: sanesecurity@xxxxxxxxxxxxx
Subject: [sanesecurity] Re: False Positive
I hope you mean CentOS 6.2, not 2.6!
You still haven't said what software is passing your mail to clamd though -
on its own it will not intercept anything, so something must be calling it!
(Admittedly that's a bit off-topic on this list, but it is where you need to
be looking)
But if you are happy to just remove the whole junk.ndb instead of
whitelisting the particular sender/recipient, that's fine.
Cheers
--
Peter
On 31/08/2016 16:22, Sujit Acharyya-choudhury wrote:
I am using clamav on CentOS 2.6. I start/stop clamd using
/etc/init.d/clamd
and the signatures are in /var/lib/clamav.
What I did in order not use junk.ndb was to comment out junk.ndb in
/etc/clamav-unofficial-sigs/master.conf.
This file is read, when /usr/local/bin/clamav-unofficial-sigs.sh is
called.
The delay is in-built.
I also deleted junk.ndb from /var/lib/clamav.
Regards
Sujit
-----Original Message-----
From: sanesecurity-bounce@xxxxxxxxxxxxx
[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of Joel Esler ;
(jesler)
Sent: 31 August 2016 16:11
To: sanesecurity@xxxxxxxxxxxxx
Subject: [sanesecurity] Re: False Positive
It definitely helps if you share your fix back with the list, as it may
help
others in the future.
On Aug 31, 2016, at 10:49 AM, Peter <sanesecurity@xxxxxxxxxxxxxxxxx>wrote:
particular sender would need to be done at that stage - once it has got
Sujit,
You haven't told us what program is calling clamav, but whitelisting a
to
clamd, it won't process any mail headers etc.
'Whitelist /path/to/a/file' parameter. Then create that file (ensuring
If you are using clamav-milter, edit /etc/clamav-milter.conf and add a
appropriate permissions) and put in it 'From:messagelabs.com' or
whatever
the sender address/domain is.
you are using.
If you aren't using clamav-milter, consult the documentation for
whatever
junk.ndb
--
Peter
On 30/08/2016 15:54, Sujit Acharyya-choudhury wrote:
Sorry got my answer, modified the master.conf file and commented out
that?file.
Sujit
-----Original Message-----
From: sanesecurity-bounce@xxxxxxxxxxxxx
[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of Sujit
Acharyya-choudhury
Sent: 30 August 2016 15:19
To: sanesecurity@xxxxxxxxxxxxx
Subject: [sanesecurity] Re: False Positive
Junk database hitting too many FP for our liking on our system.
I think I will have to stop using the junk database. How do I
achieve
problem-----Original Message-----
From: sanesecurity-bounce@xxxxxxxxxxxxx
[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of Sujit
Acharyya-choudhury
Sent: 26 August 2016 12:32
To: sanesecurity@xxxxxxxxxxxxx
Subject: [sanesecurity] Re: False Positive
Many thanks Steve. I would rather keep junk.ndb and I have added the
few
offending signature names to the *.ign2 list. I am sure most of the
thatwill go away.
Regards
Sujit
-----Original Message-----
From: sanesecurity-bounce@xxxxxxxxxxxxx
[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Basford
Sent: 26 August 2016 12:11
To: sanesecurity@xxxxxxxxxxxxx
Subject: [sanesecurity] Re: False Positive
On Fri, August 26, 2016 11:46 am, Sujit Acharyya-choudhury wrote:
Shall I add something like thisThat's won't work.
echo "spammanager" >> /var/lib/clamav/local.ign2 and will it work?
I
am not using ClamAV+SaneSecurity with SpamAssassin, I am using
ClamAV
as a virus scanner.
If all the signatures that are hitting so far are
Sanesecurity.Junk.xxxxx
file.I think the best thing to do is not use junk.ndb database as whole.
or just carry on adding in each signature name that hits into the
.ign2
actuallyThat's one of the issues with having this type of "spam report" that
but ifdisplay part of the spam itself, you can work around it with
scoring...
you don't use scoring :(
Sorry this is a bit of a rushed reply...
Cheers,
Steve
Web : sanesecurity.com
Twitter: @sanesecurity
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
