[sanesecurity] Re: winnow false positive

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Thu, 30 Apr 2009 08:52:09 -0700

Robert Schetterer wrote:
> Tom Shaw schrieb:
>> At 4:25 PM +0200 4/30/09, GrayHat wrote:
>>> Noticed it while grepping some logs; it sounds
>>> like the winnow.phish.pt.irs.249807.UNOFFICIAL
>>> is causing some F/Ps. I can say that since it
>>> flagged an email from Microsoft as "infected":
>>> the sending IP was ok (not hotmail but for sure
>>> a microsoft "internal" one), yet the AV flagged
>>> the email as bad; pity I don't have a sample
>>> of the email, but I'd really like to know some
>>> more about that signature.
>> Corrected early this AM.
>>
>> The sig was originally an IRS phish when it was released. Twit later
>> suspended the site and the revisit devolved to that sig. I have
>> corrected the revisit code not to devolve the signature.
>>
>> Tom.
>>
> 
> seems winnow is too sensitive
> it just reported my daily postmaster pflogsumm mail
> as winnow.phish.pt.ebay.247616.UNOFFICIAL
> that's really ugly, i removed winnow completely now

What do you expect?  Don't scan locally submitted mail, especially the
output of pflogsum, which should contain lots of stuff that would be
found by clamav scans.

With Postfix, try adding the following under the "pickup" line in your
master.cf file:

pickup    fifo  n       -       n       60      1       pickup
   -o content_filter=

Bill
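As an added check, not part of Bill's mail or of Postfix itself: a small Python parser over two constructed master.cf fragments that reports whether the pickup service carries the empty content_filter override, i.e. whether locally submitted mail (sendmail(1) submissions such as the pflogsumm report) bypasses the scanner.

```python
import re

# Constructed master.cf fragment (not from the original mail): the filter is
# wired to smtpd and pickup has no override, so local submissions are scanned too.
MASTER_CF_BEFORE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
"""

# Same fragment with the override from the mail added under the pickup line.
MASTER_CF_AFTER = """\
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
pickup    fifo  n       -       n       60      1       pickup
   -o content_filter=
cleanup   unix  n       -       n       -       0       cleanup
"""


def parse_master_cf(text):
    """Return {service_name: [argument tokens]} for a master.cf text.

    A master.cf entry has eight fields (service, type, private, unpriv, chroot,
    wakeup, maxproc, command) followed by optional arguments; a line starting
    with whitespace continues the previous entry. Comments and blanks are skipped.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                services[current].extend(raw.split())
            continue
        fields = raw.split()
        current = fields[0]
        services[current] = fields[8:]
    return services


def pickup_skips_content_filter(text):
    """True only if pickup sets content_filter to the empty value.

    A non-empty value (e.g. content_filter=smtp-amavis:...) still routes
    locally submitted mail through the scanner, so it does not count.
    """
    args = " ".join(parse_master_cf(text).get("pickup", []))
    return re.search(r"-o\s+content_filter=(\s|$)", args) is not None
```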