Mailing List Archive: ClamAV: users

Spam No Longer ID'd as Virus



Mark at arcabama

Aug 19, 2012, 1:26 PM

Post #1 of 5 (273 views)
Spam No Longer ID'd as Virus

My setup uses clamd + amavisd + spamassassin + postfix to filter email. It's done a great job for years. I use maia mailguard as an interface to manage verifying ham/spam.

Up until the last month or so the ratio of ham/spam/virus-infected email identified by this framework was roughly 3 hams to 20 suspected spams to 30 virus-infected emails. Recently, that's shifted to more like 3 hams to 45 suspected spams to 5 virus-infected emails.

I'm wondering if this reflects a change in the way clamav operates, or (more likely) something that needs to be adjusted in my setup. I recall checking out, years ago, some of the "virus infected" emails and noticing that it seemed like clamav was identifying stuff that came from sources it couldn't validate as virus-infected. Which was fine by me, as it saved me the trouble of reviewing them as potential spam before reporting them. I thought this might mean I was no longer getting access to some of the blacklists, but I didn't see messages to that effect in my system logs.

To be clear, things are still working fine in terms of blocking spam. It's just that now there's a lot more stuff to review before reporting. I'm just curious as to whether or not something new is going on behind the scenes.

- Mark
"Too much sanity may be madness! But maddest of all -- to see life as it is and not as it should be."


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


ged at jubileegroup

Aug 20, 2012, 6:41 AM

Post #2 of 5 (260 views)
Re: Spam No Longer ID'd as Virus

Hi there,

On Mon, 20 Aug 2012, Mark A. Olbert wrote:

> ... now there's a lot more stuff to review before reporting. ...

Your statistics seem a bit grim to me. It certainly sounds like a lot
of work which might not be necessary. On a typical business day we
see something between five and ten thousand attempts to send unwanted
mail, of which at most perhaps one or two per day will be accepted.
There will be between fifty and one hundred genuine messages. On a
good day, all of those will be accepted. :)

The vast majority of unwanted mail will be weeded out by relatively
lightweight processes. ClamAV is likely to reject only five or ten
messages per month. The vast majority of those will be detected via
third-party databases, in particular at the moment INetMsg.SpamDomain
is running at about 50% and Sansecurity about 20% of detections.

We have had a grand total of one virus infected message accepted so
far this year. As we run no Windows machines it was not a real issue
for us but it felt like a personal defeat.

Contrary to popular belief you can read an entire message (and, of
course, store it for later analysis) without accepting it. Reading
the entire message before rejecting it gives away less about the
defences than, say, rejecting on a suspicious subject line.

It isn't clear to me whether you are accepting or rejecting unwanted
mail. My advice is to reject all unwanted mail. If you accept it,
the scrotes will just send more of the stuff.

--

73,
Ged.


Mark at arcabama

Aug 20, 2012, 12:13 PM

Post #3 of 5 (259 views)
Re: Spam No Longer ID'd as Virus

> It isn't clear to me whether you are accepting or rejecting unwanted
> mail. My advice is to reject all unwanted mail. If you accept it,
> the scrotes will just send more of the stuff.

My current configuration has me accepting anything that might be spam, although, frankly, I can't remember the last time I had to rescue an email that got misclassified as spam. So maybe I should change the configuration.

- Mark


dennispe at inetnw

Aug 20, 2012, 12:26 PM

Post #4 of 5 (264 views)
Re: Spam No Longer ID'd as Virus

On 8/20/12 6:41 AM, G.W. Haywood wrote:

> The vast majority of those will be detected via
> third-party databases, in particular at the moment INetMsg.SpamDomain
> is running at about 50% and Sansecurity about 20% of detections.

Unless something has changed again that I missed, the INetMsg signatures are no
longer maintained. They will likely continue to work if you have a copy of the
final signature set, though. More than 95% of the hits here are Sane Security
signatures.

dp
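As an added example (not code from this thread, nor from ClamAV, amavisd or Sanesecurity), a small Python script that turns amavisd syslog lines into the ham/spam/virus ratio Mark describes, breaks the INFECTED verdicts down by the signature family that produced them (the kind of per-database breakdown Ged quotes and Dennis uses to notice that INetMsg is no longer contributing), and counts spam that was passed rather than rejected. The log line shape and the sample lines are constructed from memory of amavisd-new's logging and are assumptions, not output from the poster's system.

```python
"""Tally amavisd verdicts and ClamAV signature families from mail log lines."""
import re
from collections import Counter

# Constructed sample lines in the shape amavisd-new logs to syslog (assumed
# format): "<action> <verdict> [(signature)] {delivery flags}, ...".
SAMPLE_LOG = """\
Aug 19 10:01:02 mx amavis[4101]: (4101-01) Passed CLEAN {RelayedInbound}, [192.0.2.10]:4242 <a@example.org> -> <mark@example.net>, Hits: -1.2
Aug 19 10:02:15 mx amavis[4102]: (4102-02) Passed SPAMMY {RelayedTaggedInbound,Quarantined}, [198.51.100.7]:5151 <x@example.com> -> <mark@example.net>, Hits: 7.9
Aug 19 10:03:40 mx amavis[4103]: (4103-03) Passed SPAM {RelayedTaggedInbound,Quarantined}, [198.51.100.8]:5152 <y@example.com> -> <mark@example.net>, Hits: 14.3
Aug 19 10:04:05 mx amavis[4104]: (4104-04) Blocked INFECTED (Sanesecurity.Junk.12345.UNOFFICIAL) {DiscardedInbound,Quarantined}, [203.0.113.9]:6161 <z@example.com> -> <mark@example.net>, Hits: -
Aug 19 10:05:11 mx amavis[4105]: (4105-05) Blocked INFECTED (INetMsg.SpamDomain-2m.6789.UNOFFICIAL) {DiscardedInbound,Quarantined}, [203.0.113.10]:6162 <w@example.com> -> <mark@example.net>, Hits: -
Aug 19 10:06:30 mx amavis[4106]: (4106-06) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [203.0.113.11]:6163 <v@example.com> -> <mark@example.net>, Hits: -
"""

VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r"(?: \((?P<sig>[^)]+)\))? \{(?P<flags>[^}]*)\}"
)


def signature_family(sig):
    """Map a ClamAV signature name to the database family that produced it.
    Third-party signatures carry a .UNOFFICIAL suffix and put the vendor name
    in the first dotted component (Sanesecurity.Junk..., INetMsg.SpamDomain...);
    anything else is treated as an official ClamAV signature."""
    if sig.endswith(".UNOFFICIAL"):
        return sig.split(".", 1)[0]
    return "official"


def tally(log_text):
    """Return verdict counts, signature-family counts for INFECTED hits, the
    ham:spam:virus triple, and how many SPAM verdicts were passed (delivered)
    instead of blocked, which is what an accept-everything policy looks like."""
    verdicts, families, passed_spam = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if not m:
            continue  # not a verdict line (e.g. connection or timing noise)
        verdicts[m["verdict"]] += 1
        if m["verdict"] == "SPAM" and m["action"] == "Passed":
            passed_spam += 1
        if m["sig"]:
            families[signature_family(m["sig"])] += 1
    ratio = (verdicts["CLEAN"], verdicts["SPAMMY"] + verdicts["SPAM"],
             verdicts["INFECTED"])
    return {"verdicts": verdicts, "families": families,
            "ratio": ratio, "passed_spam": passed_spam}


if __name__ == "__main__":
    r = tally(SAMPLE_LOG)
    print("ham:spam:virus =", r["ratio"])
    for fam, n in r["families"].most_common():
        print(f"  {fam:12s} {n:4d} INFECTED verdicts")
    print("SPAM verdicts passed rather than blocked:", r["passed_spam"])
```

Run it over a real mail log (for example `tally(open("/var/log/maillog").read())`) and a family that used to dominate but now shows zero hits is the first thing to check when the virus-verdict share drops.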


steveb_clamav at sanesecurity

Aug 21, 2012, 1:03 AM

Post #5 of 5 (260 views)
Re: Spam No Longer ID'd as Virus

> Unless something has changed again that I missed, the INetMsg signatures
> are no
> longer maintained.

That's still correct... just in case anyone else missed the updates,
here's the last two announcements, as there were a few new databases too:

http://www.freelists.org/post/sanesecurity/database-changes
http://www.freelists.org/post/sanesecurity/New-database-winnow-bad-cwhdb

Cheers,

Steve
Sanesecurity
