We use SA 3.1.7 with Postfix and amavisd-new 2.4.4 and clamav. I received several PDFs this morning even though we have updated protection. They all came from one server, so I did a lookup in the mail logs to find 'Hits: -', that's it. After some more searching on different servers, I see this frequently. What does it mean as far as score?
Logged in as the amavisd user 'vscan' and running sa test, it clearly scores well above the 5.0 threshold. Any ideas why these types of messages would have gotten through SA?

esmtp# bzcat /var/log/maillog.0.bz2 | grep "ysHkeL+S2PmL"
Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] [108.83.93.165] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: <[EMAIL PROTECTED]>, mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms

esmtp# su vscan
$ spamassassin -t < /var/virusmails/clean-ysHkeL+S2PmL
<snip>
Content analysis details:   (11.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 MIME_BOUND_DIGITS_15   Spam tool pattern in MIME boundary
 4.5 BOTNET_NORDNS          Relay's IP address has no PTR record
                            [botnet_nordns,ip=89.214.60.100]
 2.0 GMD_PDF_FUZZY2_T3      BODY: Fuzzy MD5 Match
                            3D4E25DE4A05695681D694716D579474
 1.8 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [108.83.93.165 listed in combined-HIB.dnsiplists.completewhois.com]
 1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint

Thanks for any help!

-- 
Robert
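
To measure how often amavis logs a pass with 'Hits: -' instead of a numeric score, as the post describes, the following added example (not part of the original post) parses amavis log lines and groups the unscored passes by the first bracketed IP address. The sample lines are constructed in the format of the entry quoted above, and the function and variable names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the amavis entry quoted in the post
# (documentation IPs and example.com addresses, not real traffic).
SAMPLE_LOG = """\
Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [192.0.2.10] [198.51.100.7] <a@example.com> -> <b@example.org>, quarantine: clean-AAAAAAAAAAAA.gz, Message-ID: <1@example.com>, mail_id: AAAAAAAAAAAA, Hits: -, queued_as: 0787037B4FA, 821 ms
Jul 17 19:04:02 esmtp amavis[51730]: (51730-03) Passed CLEAN, [192.0.2.20] [192.0.2.20] <c@example.com> -> <b@example.org>, Message-ID: <2@example.com>, mail_id: BBBBBBBBBBBB, Hits: 2.1, queued_as: 1A2B3C4D5E6, 1490 ms
Jul 17 19:05:11 esmtp amavis[51729]: (51729-15) Passed CLEAN, [192.0.2.10] [198.51.100.9] <d@example.com> -> <e@example.org>, quarantine: clean-CCCCCCCCCCCC.gz, Message-ID: <3@example.com>, mail_id: CCCCCCCCCCCC, Hits: -, queued_as: 2B3C4D5E6F7, 790 ms
Jul 17 19:06:40 esmtp amavis[51731]: (51731-01) Blocked SPAM, [192.0.2.30] [192.0.2.30] <f@example.com> -> <b@example.org>, quarantine: spam-DDDDDDDDDDDD.gz, Message-ID: <4@example.com>, mail_id: DDDDDDDDDDDD, Hits: 11.7, 2310 ms
Jul 17 19:06:41 esmtp postfix/smtpd[412]: disconnect from unknown[192.0.2.30]
"""

# Verdict, first bracketed IP, mail_id and the Hits field of one amavis entry.
# Hits is either a (possibly negative) number or a bare "-".
ENTRY = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) [^,]+, "
    r"\[(?P<client>[^\]]+)\].*?mail_id: (?P<mail_id>[^,\s]+), "
    r"Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)


def unscored_passes(log_text):
    """Return {first_bracketed_ip: [mail_id, ...]} for Passed entries with 'Hits: -'."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and m["verdict"] == "Passed" and m["hits"] == "-":
            found[m["client"]].append(m["mail_id"])
    return dict(found)


if __name__ == "__main__":
    # Busiest source first; each mail_id names a quarantined copy that can be
    # re-run through "spamassassin -t" by hand, as done in the post.
    for ip, ids in sorted(unscored_passes(SAMPLE_LOG).items(),
                          key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(ids)} unscored pass(es): {', '.join(ids)}")
```
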