Bill,

> I've noticed that when multiple message parts match different clamav
> signatures, *all* the signature names must be listed in
> @virus_name_to_spam_score_maps for it to be considered spam.

Yes, as documented in RELEASE_NOTES:

  [...] When a virus scanner returns names of viruses, and all provided names are matched by the @virus_name_to_spam_score_maps, and no other virus scanner has anything more sinister to report, then a message is _not_ flagged as a virus, but a corresponding spam score is contributed to other spam results [...]

This is a key issue here. Your test example after enabling /^MAIL$/ (which requests that a full message is passed to virus scanners, besides each decoded part), clamd starts to report _two_ malware names. As the 'Phishing.Email' was not in your @virus_name_to_spam_score_maps list, such mail did not fulfill the requirement that _all_ reported names must be in the list for the result to be turned into spam, so you ended up with a quarantined 'virus'.

> So, amavisd-new splits off the headers into a temporary file called
> email.001 (for example) and the body into a temporary file called email.002
> (for example)

Not entirely true. There is never a part that would only contain a mail header. Each mail part (i.e. a temporary file to be passed to each virus scanner) contains either a decoded MIME part or an archive component of a mail, or the entire mail (if /^MAIL$/ is in @keep_decoded_original_maps, or if some decoder declares it can not do its job properly, e.g. due to a corrupted or password-protected archive).

Steve, thanks for your help in understanding the matter!

Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
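
The rule quoted from RELEASE_NOTES above, modelled as an added Python example; it is not part of the original message and is not amavisd-new code. The patterns, scores, the signature name `Example.Junk.Sig` and the second scanner name are constructed for illustration; only `Phishing.Email` comes from the thread.

```python
import re

# Constructed stand-in for @virus_name_to_spam_score_maps: ordered
# (pattern, score) pairs, first match wins. Values are illustrative only.
SCORE_MAP = [(re.compile(r"^Example\.Junk\."), 2.0)]
# The same map after adding an entry that covers the second reported name.
FIXED_MAP = SCORE_MAP + [(re.compile(r"^Phishing\.Email$"), 1.0)]


def lookup(name, score_map):
    """Return the score of the first matching pattern, or None if unmatched."""
    for pattern, score in score_map:
        if pattern.search(name):
            return score
    return None


def classify(scanner_reports, score_map):
    """Apply the all-names-must-match rule.

    scanner_reports maps a scanner name to the malware names it returned.
    Returns ("clean", []), ("virus", [unmatched names]) or
    ("spam-score", [(name, score), ...]). How the individual scores are
    combined with other spam results is not modelled here.
    """
    names = [n for reported in scanner_reports.values() for n in reported]
    if not names:
        return ("clean", [])
    scores = {n: lookup(n, score_map) for n in names}
    unmatched = sorted(n for n, s in scores.items() if s is None)
    if unmatched:
        # One unmatched name from any scanner keeps the mail a 'virus'.
        return ("virus", unmatched)
    return ("spam-score", sorted(scores.items()))


# Constructed reports: decoded parts only, then with the full message
# also scanned (/^MAIL$/ enabled), where a second name shows up.
PARTS_ONLY = {"clamd": ["Example.Junk.Sig"]}
WITH_FULL_MAIL = {"clamd": ["Example.Junk.Sig", "Phishing.Email"]}

if __name__ == "__main__":
    print(classify(PARTS_ONLY, SCORE_MAP))
    print(classify(WITH_FULL_MAIL, SCORE_MAP))
    print(classify(WITH_FULL_MAIL, FIXED_MAP))
```
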