That's exactly the reason for my suggestion. As I don't trust these SaneSecurity definitions completely, I would like to give them a lower score, so that they are not blocked, but marked as spam. If it would be possible to implement this feature without hassle, it would be great to have it....
Matti

D> The idea is that there are additional clamd definitions one can use to
D> scan for spam such as the MSRBL definitions ( http://www.msrbl.com/site/
D> ) and the SaneSecurity definitions (
D> http://www.sanesecurity.co.uk/clamav/ ) that have been discussed here
D> earlier.
D>
D> These definitions allow one to use clamd to scan for spam in a
D> definitions-based manner. They pick up spam (pharm, oem, etc), scams
D> (lotto, 419, phishing, job offer, loan, mortgage), image spam, pdf spam,
D> and various others. They are highly effective and carry very little risk
D> of false-positives due to the strict definition-based nature of the
D> detection.
D>
D> Here are a few log snippets to show what I mean:
D>
D> Jul-29-07 17:09:04 [VIRUS] ... virus detected 'Email.Img.Gen115.Sanesecurity.07061400'
D> Jul-29-07 18:15:50 [VIRUS] ... virus detected 'Html.Phishing.Bank.Rockv2Gen49.Sanesecurity.07072700'
D> Jul-30-07 16:42:01 [VIRUS] ... virus detected 'Html.Loan.Gen102.Sanesecurity.07072600'
D> Jul-30-07 13:51:44 [VIRUS] ... virus detected 'Email.Malware.Sanesecurity.07070300'
D> Jul-28-07 13:47:00 [VIRUS] ... virus detected 'Email.Stk.Gen592.Sanesecurity.07071801.pdf'
D> Jul-28-07 17:05:10 [VIRUS] ... virus detected 'Email.Spam.Gen275.Sanesecurity.07030600'
D> Jul-29-07 04:42:04 [VIRUS] ... virus detected 'MSRBL-SPAM.Meds.2336'
D> Jul-29-07 13:04:49 [VIRUS] ... virus detected 'Html.Phishing.Auction.Gen011.Sanesecurity.06020103'
D>
D> And regular viruses look like this
D>
D> Jul-25-07 03:39:47 ... Trojan.Downloader-11827
D>
D> I'm actually having a really hard time finding actual viruses in my
D> logs. Looking through my logs, I find that the spam caught by clamd far
D> far outweighs the real viruses caught by clamd. Numbers like 1000:1 come
D> to mind.
D>
D> The use of virus scoring with regexes would allow one to score the
D> email/html "viruses" differently from the
D> trojan/worm/flooder/backdoor/etc real viruses. Perhaps even coming to
D> the point of scoring "Email.Img" differently from "Html.Phishing". It's
D> all the same to me, though. I'm fine with a virus hit being blocked
D> outright because the definitions are rather fool-proof and so far have
D> not resulted in any false positives for me.
D>
D> I hope that covered everything.
D>
D> Micheal Espinola Jr wrote:
>> David wrote:
>>
>>> I think the request for virus scoring comes not to score executable
>>> binary viruses, but to score the wide variety of non-virus items now
>>>
>>
>> I don't understand the concept of virus scoring for non-virus items.
>> Please elaborate.
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc.
>> Still grepping through log files to find problems? Stop.
>> Now Search log events and configuration files using AJAX and a browser.
>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>> _______________________________________________
>> Assp-user mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/assp-user

-- 
Matti Haack - Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22 Fax: +49 851 50477-29
http://www.haack-it.de
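
The regex-based virus scoring discussed in this thread, as an added example: this is not ASSP code and not part of any message above. The rule table, point values, threshold and function names are assumptions, and the sample log lines are constructed in the format quoted in the thread.

```python
import re

# Constructed sample lines, modelled on the log format quoted in the thread.
SAMPLE_LOG = """\
Jul-29-07 17:09:04 [VIRUS] ... virus detected 'Email.Img.Gen115.Sanesecurity.07061400'
Jul-29-07 18:15:50 [VIRUS] ... virus detected 'Html.Phishing.Bank.Rockv2Gen49.Sanesecurity.07072700'
Jul-30-07 13:51:44 [VIRUS] ... virus detected 'Email.Malware.Sanesecurity.07070300'
Jul-29-07 04:42:04 [VIRUS] ... virus detected 'MSRBL-SPAM.Meds.2336'
Jul-25-07 03:39:47 [VIRUS] ... virus detected 'Trojan.Downloader-11827'
Jul-25-07 03:40:00 ... unrelated log line
"""

BLOCK = None  # sentinel: reject outright instead of adding to the spam score

# Hypothetical rule table (patterns, order and point values are assumptions).
# First match wins, so the malware rule must precede the generic vendor rule.
RULES = [
    (re.compile(r"^Email\.Malware\."), BLOCK),
    (re.compile(r"^Html\.Phishing\."), 50),
    (re.compile(r"^(Email|Html)\.[\w.]+\.Sanesecurity\."), 25),
    (re.compile(r"^MSRBL-SPAM\."), 25),
]
SIG_RE = re.compile(r"\[VIRUS\].*virus detected '([^']+)'")

def score_signature(name):
    """Return points for a spam-type signature, or BLOCK for everything else."""
    for pattern, points in RULES:
        if pattern.search(name):
            return points
    return BLOCK  # fail closed: unlisted names are treated as real malware

def evaluate(log_text, spam_threshold=50):
    """Map each detected signature to 'block', 'tag-spam' or 'score-only'."""
    verdicts = {}
    for line in log_text.splitlines():
        match = SIG_RE.search(line)
        if not match:
            continue  # not a virus-detection line
        name = match.group(1)
        points = score_signature(name)
        if points is BLOCK:
            verdicts[name] = "block"
        elif points >= spam_threshold:
            verdicts[name] = "tag-spam"
        else:
            verdicts[name] = "score-only"
    return verdicts

if __name__ == "__main__":
    for sig, verdict in evaluate(SAMPLE_LOG).items():
        print(f"{verdict:10} {sig}")
```

Because unmatched names fall through to BLOCK, a typo in a scoring pattern makes a spam definition block again rather than letting a trojan hit through with a score.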
