[pmg-devel] Spam scanning after virus is found

Davide Bozzelli davide.bozzelli at gmail.com
Tue Apr 17 11:55:28 CEST 2018


No, it's just a simple test with one receiver.

I've read the code of Spam.pm (analyze_spam sub)

    if (my $hit = $queue->{clamav_heuristic} ) {
        my $score = $queue->{clamav_heuristic_score};
        my $descr = "ClamAV heuristic test: $hit";
        my $rule = 'ClamAVHeuristics';
        $sa_score += $score;
        $list .= $list ? ",$rule" : $rule;
        push @$sa_scores, { score => $score, rule => $rule, desc => $descr };
    }

    my ($csec, $usec) = gettimeofday ();

    my $spamtest = $queue->{sa};

    # only run SA in testmode or when clamav_heuristic did not confirm spam (score < 5)
    if ($msginfo->{testmode} || ($sa_score < 5)) {


Seems that the sa scan is not triggered only if clamav heuristic is in place.
I've added something like this just before the if:


    if ($queue->{vinfo_avast}) {
        my $score = 5;
        my $descr = "Avast Virus: 1";
        my $rule = 'AvastVirusFound';
        $sa_score += $score;
        $list .= $list ? ",$rule" : $rule;
        push @$sa_scores, { score => $score, rule => $rule, desc => $descr };
    }

And in this way, when avast finds eicar, the spam scan is not triggered and
the only rule found is AvastVirusFound.






On Tue, Apr 17, 2018 at 11:40 AM, Dietmar Maurer <dietmar at proxmox.com>
wrote:

> Maybe that mail has more than one receiver, and you only block one of them?
>
> > On April 17, 2018 at 11:30 AM Davide Bozzelli <davide.bozzelli at gmail.com>
> > wrote:
> >
> >
> > This is the email I've received to admin when eicar.com triggers avast:
> >
> > Proxmox Notification:
> >
> > Sender:   xxx
> > Receiver: xxx
> > Targets:  x <buzzz at zartech.it>xxx
> >
> > Subject: Automatic greetings virus
> >
> >
> > Matching Rule: IN - Quarantine Viruses & Alert
> >
> > Rule: IN - Quarantine Viruses & Alert
> >   Receiver: xxx
> >   Action: Move to quarantine.
> >   Action: notify xxx
> >   Action: notify __RECEIVERS__
> >
> >
> > Virus Info: EICAR Test-NOT virus!!! (avast)
> >
> > Spam detection results:  4
> > ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
> > BAYES_50                  0.8 Bayes spam probability is 40 to 60%
> > DCC_CHECK                 1.1 Detected as bulk mail by DCC (dcc-servers.net)
> > DIGEST_MULTIPLE         0.293 Message hits more than one network digest check
> > KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
> > MISSING_MID             0.497 Missing Message-Id: header
> > PYZOR_CHECK             1.392 Listed in Pyzor (http://pyzor.sf.net/)
> > TVD_SPACE_RATIO         0.001 -
> >
> >
> >
> > As you can see ALL the spam rules are triggered.
> >
> >
> > On Tue, Apr 17, 2018 at 11:24 AM, Dietmar Maurer <dietmar at proxmox.com>
> > wrote:
> >
> > >
> > > > I've noticed that even if a virus is found a spam scanning is performed.
> > >
> > > Not really. If you block the virus, the SPAM analysis should not be called
> > > at all.
> > >
> > > _______________________________________________
> > > pmg-devel mailing list
> > > pmg-devel at pve.proxmox.com
> > > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
> > >
> >
> >
> >
> > --
> > Got problems with Windows? - ReBooT
> > Got problems with Linux? - Be RooT
>
>



-- 
Got problems with Windows? - ReBooT
Got problems with Linux? - Be RooT
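
Added example, not part of the original message and not PMG's own code: a stand-alone Perl model of the gate discussed above, generalized to a table of pre-scan checks so the effect of each hit on the SpamAssassin decision can be compared. The names `gate` and `@pre_checks` are hypothetical; the queue fields, rule names and scores come from the post, and the sample queue states are constructed.

```perl
#!/usr/bin/perl
# Added example: stand-alone model of the gate quoted above, not PMG code.
use strict;
use warnings;

# Hypothetical table of pre-scan checks. The queue fields, rule names and the
# fixed Avast score of 5 are taken from the post; the table itself is assumed.
my @pre_checks = (
    { field => 'clamav_heuristic', rule => 'ClamAVHeuristics',
      score => sub { $_[0]{clamav_heuristic_score} // 0 } },
    { field => 'vinfo_avast', rule => 'AvastVirusFound',
      score => sub { 5 } },
);

# Sum the pre-scan scores, then apply the same condition as the quoted code:
# SpamAssassin runs in testmode or while the accumulated score is below 5.
sub gate {
    my ($queue, $msginfo) = @_;
    my $sa_score = 0;
    my @rules;
    for my $check (@pre_checks) {
        next unless $queue->{ $check->{field} };
        $sa_score += $check->{score}->($queue);
        push @rules, $check->{rule};
    }
    my $run_sa = ($msginfo->{testmode} || $sa_score < 5) ? 1 : 0;
    return ($run_sa, $sa_score, join(',', @rules));
}

# Constructed queue states (not captured from a real PMG instance).
my @cases = (
    [ 'clean mail',          {}, {} ],
    [ 'heuristic, score 3',  { clamav_heuristic => 'Heuristics.Test',
                               clamav_heuristic_score => 3 }, {} ],
    [ 'heuristic, score 5',  { clamav_heuristic => 'Heuristics.Test',
                               clamav_heuristic_score => 5 }, {} ],
    [ 'avast hit',           { vinfo_avast => 'EICAR' }, {} ],
    [ 'avast hit, testmode', { vinfo_avast => 'EICAR' }, { testmode => 1 } ],
);

for my $case (@cases) {
    my ($name, $queue, $msginfo) = @$case;
    my ($run_sa, $score, $rules) = gate($queue, $msginfo);
    printf "%-20s pre-score=%d rules=%-16s SA %s\n",
        $name, $score, $rules || '-', $run_sa ? 'runs' : 'skipped';
}
```

The score-3 and testmode cases are the ones to watch: a pre-scan hit below the threshold, or any hit in testmode, still lets SpamAssassin run and its rules are added to the total.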