> sanesecurity site:
> references this archived email:
> says to set bypass_decode_parts=1 in amavisd.conf
> Like bill says, you need one or the other.

Now, looking at readmes and example.

header L_AV_Phish X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i
header L_AV_SS_Phish X-Amavis-AV-Status =~ m{\b(Email|Html)\.Phishing(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Scam X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Spam X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Spam|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^., ]*)*\.Sanesecurity\$
header L_AV_SS_Hdr X-Amavis-AV-Status =~ m{\b(Email|Html)\.Hdr(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Img X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Img|ImgO)(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}

But it looks like sanesecurity sigs don't do: HTML.Sanesecurity.(?)

They do:

/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.TestSig_Type4_Bdy.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Spam.4757.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171554-41906/parts/p004: Sanesecurity.Spam.9571.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p004: Sanesecurity.Junk.7324.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Scam.9460.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p001: Sanesecurity.Scam.9460.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171554-41906/parts/p002: Sanesecurity.Junk.4247.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p004: Sanesecurity.Spam.10049.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p004: Sanesecurity.Spam.10049.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Spam.10040.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.13875.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.13875.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.13875.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.10357.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.11598.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.414.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171554-41906/parts/p003: Sanesecurity.Junk.12707.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Junk.2014.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p002: Sanesecurity.Junk.11598.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T174419-42478/parts/p004: Sanesecurity.Spam.10049.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T174601-42476/parts/p004: Sanesecurity.Hdr.8289.UNOFFICIAL FOUND

> amavisd says to set it to 0 if you are using bounce_killer or using
> 'file' to guess the attachment type.
>
> (i have it set to 0, using bounce killer and file)
>
> (http://marc.info/?t=117951293700001&r=1&w=2)
>
> OT: bill, funny thing: I can't look up your DNS servers from our
> internal network..
>
>
> http://sanesecurity.com/usage.htm
>
> says: uncomment the #qr'^MAIL'
>
> @keep_decoded_original_maps = (new_RE(
>   qr'^MAIL$', # retain full original message for virus checking (can be slow)
>   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data', # don't trust Archive::Zip
> ));
>
>
> and it looks like sane security test #2 and 3 did fail if I don't do
> this in amavisd.conf:
> (uncomment out the qr'^MAIL'.
>
> so, 'can be slow'. how slow is it? and is bill landry wrong saying I
> need bypass-decode_parts=1?
> is this something fixed in 2.6.2?
>
(see above)

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
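
Added example, not part of the original message or of the amavisd, SpamAssassin or Sanesecurity projects: a small Python check that runs the rule patterns quoted in the message against signature names taken from the scanner output shown there. It assumes the rules are applied to the bare signature name (the exact X-Amavis-AV-Status header layout is not shown in the message); the `Email.Scam.Gen123...` name and the `PREFIX_STYLE` pattern are constructed for illustration.

```python
import re

# Rule patterns copied from the message; L_AV_SS_Spam is left out
# because it is cut off there.
RULES = {
    "L_AV_Phish": re.compile(r"\b(Email|HTML)\.Phishing\.", re.I),
    "L_AV_SS_Phish": re.compile(r"\b(Email|Html)\.Phishing(\.[^., ]*)*\.Sanesecurity\."),
    "L_AV_SS_Scam": re.compile(r"\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^., ]*)*\.Sanesecurity\."),
    "L_AV_SS_Hdr": re.compile(r"\b(Email|Html)\.Hdr(\.[^., ]*)*\.Sanesecurity\."),
    "L_AV_SS_Img": re.compile(r"\b(Email|Html)\.(Img|ImgO)(\.[^., ]*)*\.Sanesecurity\."),
}

# "<part path>: <signature> FOUND", the line shape shown in the message.
FOUND = re.compile(r"^(?P<part>\S+): (?P<sig>\S+) FOUND$")

# Hypothetical pattern for the prefix-style names seen in the scanner output
# (Sanesecurity.<Type>.<number>.); an assumption, not a published rule.
PREFIX_STYLE = re.compile(r"^Sanesecurity\.(?P<type>[A-Za-z]+)\.\d+\.")

# First four lines are from the message; the last one is constructed to
# show a name in the shape the quoted rules expect.
SCAN_OUTPUT = """\
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Spam.4757.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171539-41904/parts/p002: Sanesecurity.Scam.9460.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T171506-41905/parts/p004: Sanesecurity.Junk.7324.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090408T174601-42476/parts/p004: Sanesecurity.Hdr.8289.UNOFFICIAL FOUND
/tmp/constructed/parts/p001: Email.Scam.Gen123.Sanesecurity.07010100 FOUND
"""

def parse_found(line):
    """Return the signature name from one scanner line, or None."""
    m = FOUND.match(line.strip())
    return m.group("sig") if m else None

def matching_rules(sig):
    """Names of the quoted rules whose pattern matches this signature."""
    return [name for name, rx in RULES.items() if rx.search(sig)]

def prefix_type(sig):
    """Type field of a prefix-style name (Spam, Scam, Junk, Hdr), else None."""
    m = PREFIX_STYLE.match(sig)
    return m.group("type") if m else None

def report(text):
    """(signature, matching rule names, prefix-style type) per FOUND line."""
    sigs = filter(None, (parse_found(l) for l in text.splitlines()))
    return [(s, matching_rules(s), prefix_type(s)) for s in sigs]

if __name__ == "__main__":
    for sig, rules, kind in report(SCAN_OUTPUT):
        print(f"{sig:45} rules={rules or 'none'} type={kind}")
```

None of the quoted rules fire on the `Sanesecurity.<Type>.<number>.UNOFFICIAL` names, while the constructed `Email.Scam...Sanesecurity.` name does hit `L_AV_SS_Scam`.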