We use SA 3.1.7 with Postfix and amavisd-new 2.4.4 and clamav. I
received several PDFs this morning even though we have updated
protection. They all came from one server, so I did a lookup in the mail
logs to find 'Hits: -', that's it. After some more searching on
different servers, I see this frequently. What does it mean as far as
score?

Logged in as the amavisd user 'vscan' and running sa test, it clearly
scores well above the 5.0 threshold. Any ideas why these types of
messages would have gotten through SA?

esmtp# bzcat /var/log/maillog.0.bz2 | grep "ysHkeL+S2PmL"
Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] 
[108.83.93.165] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine: 
clean-ysHkeL+S2PmL.gz, Message-ID: <[EMAIL PROTECTED]>, mail_id: ysHkeL+S2PmL, 
Hits: -, queued_as: 0787037B4FA, 821 ms
esmtp# su vscan
$ spamassassin -t < /var/virusmails/clean-ysHkeL+S2PmL
<snip>
Content analysis details:   (11.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 MIME_BOUND_DIGITS_15   Spam tool pattern in MIME boundary
 4.5 BOTNET_NORDNS          Relay's IP address has no PTR record
                            [botnet_nordns,ip=89.214.60.100]
 2.0 GMD_PDF_FUZZY2_T3      BODY: Fuzzy MD5 Match
                            3D4E25DE4A05695681D694716D579474
 1.8 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
           [108.83.93.165 listed in combined-HIB.dnsiplists.completewhois.com]
 1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint

Thanks for any help!

-- 
Robert
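
Added example (not part of the original post): a Python script that scans amavisd-new log lines in the format quoted above and lists, per client IP, the passed messages logged with 'Hits: -' instead of a numeric score, so their quarantined copies can be re-tested with spamassassin -t as in the post. The sample log lines, IP addresses and mail_ids are constructed, and the script assumes one log entry per line.

```python
import re
from collections import defaultdict

# Constructed sample entries in the amavisd-new log format quoted in the post.
# All addresses, mail_ids and queue ids here are made up for the example.
SAMPLE_LOG = """\
Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [192.0.2.10] [198.51.100.7] <a@example.org> -> <b@example.net>, quarantine: clean-AAAAAAAAAAAA.gz, Message-ID: <1@example.org>, mail_id: AAAAAAAAAAAA, Hits: -, queued_as: 0000000001, 821 ms
Jul 17 19:04:02 esmtp amavis[51729]: (51729-15) Passed CLEAN, [192.0.2.10] [198.51.100.8] <c@example.org> -> <b@example.net>, quarantine: clean-BBBBBBBBBBBB.gz, Message-ID: <2@example.org>, mail_id: BBBBBBBBBBBB, Hits: -, queued_as: 0000000002, 790 ms
Jul 17 19:05:10 esmtp amavis[51730]: (51730-03) Passed CLEAN, [192.0.2.44] [192.0.2.44] <d@example.org> -> <b@example.net>, Message-ID: <3@example.org>, mail_id: CCCCCCCCCCCC, Hits: -1.2, queued_as: 0000000003, 2310 ms
Jul 17 19:06:31 esmtp amavis[51730]: (51730-04) Blocked SPAM, [203.0.113.5] [203.0.113.5] <x@example.org> -> <b@example.net>, quarantine: spam-DDDDDDDDDDDD.gz, Message-ID: <4@example.org>, mail_id: DDDDDDDDDDDD, Hits: 11.7, 1520 ms
"""

# "Hits: -" (no score logged) must not be confused with a negative score
# such as "Hits: -1.2", so the numeric alternative is tried first.
ENTRY = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<category>[^,]+), "
    r"\[(?P<client>[^\]]+)\].*?"
    r"mail_id: (?P<mail_id>\S+?),.*?"
    r"Hits: (?P<hits>-?\d+(?:\.\d+)?|-)(?=,|\s|$)"
)


def parse_entries(log_text):
    """Yield (client_ip, mail_id, verdict, hits); hits is None for 'Hits: -'."""
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m is None:
            continue  # not an amavis delivery summary line
        raw = m.group("hits")
        hits = None if raw == "-" else float(raw)
        yield m.group("client"), m.group("mail_id"), m.group("verdict"), hits


def unscored_passed(log_text):
    """Map client IP -> mail_ids of passed messages with no numeric score."""
    result = defaultdict(list)
    for client, mail_id, verdict, hits in parse_entries(log_text):
        if verdict == "Passed" and hits is None:
            result[client].append(mail_id)
    return dict(result)


if __name__ == "__main__":
    for client, ids in sorted(unscored_passed(SAMPLE_LOG).items()):
        print(f"{client}: {len(ids)} unscored passed message(s): {', '.join(ids)}")
```

To run it against a real log, pass the decompressed log text (for example the output of bzcat on the rotated maillog) to unscored_passed() in place of SAMPLE_LOG.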
