spamassassin-users mailing list archives

From Dave Wreski <>
Subject Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"
Date Tue, 27 Mar 2018 16:03:47 GMT

>> Excellent... except for one potential problem... this is in their 
>> "foxhole_all.cdb" file which they label as "high false positive risk" 
>> - which could scare some away!
>> For those who don't score very high on ClamAV and/or who are able to 
>> score DIFFERENTLY based on different types of Sanesecurity and/or 
>> ClamAV results, this is probably OK. But for others who prefer to 
>> either outright block or score high on ClamAV, that MIGHT present a 
>> problem. On the other hand, maybe Sanesecurity is just being overly 
>> cautious (or considering more theoretical FNs?), and such actual FPs 
>> in real world mail flow are actually extremely rare?
>> Any Thoughts? Anyone know?
> That's interesting because I probably wouldn't have started using 
> foxhole_all.cdb if it had been classified like that then.  I am not 
> getting any reports or finding any problems with FPs.

foxhole_all is just a few dozen(?) lines of rules to tag file types 
within zip/rar/7z/arj/exe files.

Perhaps because you're outright rejecting many of these file types already?


> 3,110,729 total messages* since March 15th
> 112,477 spam blocked
> 2,071 total viruses found
> 8 Foxhole viruses found
> *After MTA rejects based on RBLs and other DNS checks
> -- 
> Dave Jones
