spamassassin-users mailing list archives

From Dave Wreski <dwre...@guardiandigital.com>
Subject Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"
Date Tue, 27 Mar 2018 16:03:47 GMT

Hi,

>> Excellent... except for one potential problem... this is in their 
>> "foxhole_all.cdb" file which they label as "high false positive risk" 
>> - which could scare some away!
>>
>> For those who don't score very high on ClamAV and/or who are able to
>> score DIFFERENTLY based on different types of Sanesecurity and/or
>> ClamAV results, this is probably OK. But for others who prefer to
>> either outright block or score high on ClamAV, that MIGHT present a
>> problem. On the other hand, maybe Sanesecurity is just being overly 
>> cautious (or considering more theoretical FNs?), and such actual FPs 
>> in real world mail flow are actually extremely rare?
>>
>> Any Thoughts? Anyone know?
>>
> 
> That's interesting because I probably wouldn't have started using 
> foxhole_all.cdb if it had been classified like that then.  I am not 
> getting any reports or finding any problems with FPs.

foxhole_all is just a few dozen(?) lines of rules to tag file types 
within zip/rar/7z/arj/exe files.

Perhaps because you're outright rejecting many of these file types already?

Regards,
Dave

> 
> 3,110,729 total messages* since March 15th
> 112,477 spam blocked
> 2,071 total viruses found
> 8 Foxhole viruses found
> 
> *After MTA rejects based on RBLs and other DNS checks
> 
> -- 
> Dave Jones
