[sanesecurity] Re: False Positive

  • From: David B Funk <dbfunk@xxxxxxxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Mon, 7 Jun 2010 13:59:07 -0500 (CDT)

On Mon, 7 Jun 2010, GrayHat wrote:

> I think that it would be a BETTER idea using some regexp so that the
> result of the ClamD scan will be checked and in case the hit comes
> from a given signature (or type) instead of rejecting the message it
> may then be scored; removing signatures just because someone
> says "they don't send spam" doesn't sound so good to me and btw
> if one doesn't want to block a given domain based on a given sig,
> he may just do what I wrote above but w/o impacting other users
> which may want to BLOCK what they consider to be spam

This can be done but requires a more complex system, something
which has some kind of regex engine or scoring system (e.g.
Amavis or SpamAssassin).

I do this using ClamAV and SpamAssassin with the ClamAV plugin.

I have one instance of ClamAV running the strict clamav.net
signatures hooked into my MTA (via milter) to SMTP-reject messages
that hit those sigs.

I have another instance of ClamAV with the full set of sanesecurity
sigs which hooks into SpamAssassin with the ClamAV plugin.
When those sigs fire SpamAssassin 'sees' the results and applies a locally
written set of rules to add points. Thus I can modify the resultant
classification based upon local policy.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
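
The two-tier arrangement Dave describes (official clamav.net signatures reject at SMTP time, sanesecurity hits only add points under local rules, plus GrayHat's per-domain exception), as an added example that is not part of the original thread and not the ClamAV plugin's own code. The score table, the exception list, the example.com/example.org domains and the clamd host/port are assumptions; the only facts relied on are clamd's `INSTREAM` protocol and reply format, and ClamAV's habit of suffixing hits from unsigned third-party databases with `.UNOFFICIAL`:

```python
"""Added example: turn clamd scan results into reject / score decisions under
a local policy table. Not code from the mailing-list post or from the
SpamAssassin ClamAV plugin; policy values and domains are assumptions."""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass, field

# clamd reply lines look like "stream: Sanesecurity.Junk.123.UNOFFICIAL FOUND",
# "stream: OK" or "stream: <reason> ERROR". Several FOUND lines only appear with
# clamd's all-match scanning; one hit per scan is the usual case.
CLAMD_LINE = re.compile(r"^(?P<target>.+?): (?:(?P<sig>\S+) FOUND|(?P<status>OK|.*ERROR))\s*$")

# ClamAV tags hits from unsigned third-party databases (sanesecurity etc.) with
# ".UNOFFICIAL"; a hit *without* that suffix came from the official databases.
UNOFFICIAL = ".UNOFFICIAL"

# Tier 2 local policy (assumed values): first matching pattern wins.
LOCAL_SCORES = [
    (re.compile(r"^Sanesecurity\.Phishing\.", re.I), 8.0),
    (re.compile(r"^Sanesecurity\.(Spam|Junk)\.", re.I), 4.0),
    (re.compile(r"^Sanesecurity\.", re.I), 2.0),
]
DEFAULT_UNOFFICIAL_SCORE = 1.0  # any other third-party hit

# Per-domain exceptions (assumed): a (sender-domain regex, signature regex) pair
# zeroes that signature's points for that sender only; nobody else is affected.
EXCEPTIONS = [
    (re.compile(r"(^|\.)example\.com$", re.I), re.compile(r"^Sanesecurity\.Junk\.", re.I)),
]


@dataclass
class Verdict:
    action: str                 # "reject" (tier 1), "spam" (tier 2 over threshold) or "pass"
    score: float = 0.0
    hits: list = field(default_factory=list)


def parse_clamd_reply(text: str) -> list[str]:
    """Return the signature names in a clamd reply; an OK reply gives []."""
    sigs = []
    for line in text.replace("\0", "\n").splitlines():
        m = CLAMD_LINE.match(line.strip())
        if m and m.group("sig"):
            sigs.append(m.group("sig"))
        elif m and m.group("status") != "OK":
            raise RuntimeError(f"clamd error: {line}")
    return sigs


def score_hit(sig: str, sender_domain: str) -> float:
    """Points for one unofficial hit, after applying per-domain exceptions."""
    for dom_re, sig_re in EXCEPTIONS:
        if dom_re.search(sender_domain) and sig_re.search(sig):
            return 0.0
    for sig_re, points in LOCAL_SCORES:
        if sig_re.search(sig):
            return points
    return DEFAULT_UNOFFICIAL_SCORE


def classify(sigs: list[str], sender_domain: str, spam_threshold: float = 5.0) -> Verdict:
    """Tier 1: any official signature hit is an SMTP reject, no scoring.
    Tier 2: unofficial hits become points; the total is compared with the
    threshold the way SpamAssassin's required_score would be."""
    if not sigs:
        return Verdict("pass")
    official = [s for s in sigs if not s.endswith(UNOFFICIAL)]
    if official:
        return Verdict("reject", hits=official)
    total = sum(score_hit(s, sender_domain) for s in sigs)
    return Verdict("spam" if total >= spam_threshold else "pass", score=total, hits=list(sigs))


def scan_with_clamd(message: bytes, host: str = "127.0.0.1", port: int = 3310) -> list[str]:
    """Stream a message to a running clamd over TCP with INSTREAM (assumed
    host/port; clamd listens on a local socket by default) and return the hits."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(b"zINSTREAM\0")
        for off in range(0, len(message), 65536):
            chunk = message[off:off + 65536]
            sock.sendall(len(chunk).to_bytes(4, "big") + chunk)
        sock.sendall(b"\0\0\0\0")  # zero-length chunk terminates the stream
        reply = b""
        while True:
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed clamd reply, not captured from a real daemon.
    sample = "stream: Sanesecurity.Phishing.Cur.1.UNOFFICIAL FOUND\0"
    print(classify(parse_clamd_reply(sample), "example.org"))
```

In Dave's setup the tier-2 step is SpamAssassin rules rather than this script, but the shape is the same: the sanesecurity hit never rejects on its own, it contributes points, and a site can carve out an exception for one sender domain without switching the signature off for everyone else.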
