sa_mail_body_size_limit and attachments

Matus UHLAR - fantomas uhlar at fantomas.sk
Sat Feb 26 18:33:17 CET 2022


>> > On Thu, Feb 24, 2022 at 10:30:44AM +0100, Matus UHLAR - fantomas wrote:
>> > > malware should be detected by clamav or other AV.
>>
>> On 25.02.22 07:23, Henrik K wrote:
>> > .. because ClamAV is such an infallible tool and "malware" can
>> > never be catched with "spam" indicators?

>On Fri, Feb 25, 2022 at 01:46:33PM +0100, Matus UHLAR - fantomas wrote:
>> because clamav should be more efficient than SA when searching for malware.
>>
>> especially with binary data that are not matched by SA rules afaik
>>
>> and in cases mail exceeds sa_mail_body_size_limit so some content is
>> unscanned by SA
>>
>> > Unwanted mail is unwanted mail, use all the tools you have and forget about
>> > silly classifications from decade ago.

>> some tools are simply not suited for some uses.
>>
>> ... I've been filtering mail with SA before clamav was available and SA
>> worked nicely. But I still think that clamav should be more efficient here.

On 25.02.22 17:00, Henrik K wrote:
>"Efficiency" is vague and can mean scanning speed or detection ratio etc.
>It's still pretty meaningless, especially the "speed" (unless you handle
>bazillion mails a day).  You should use as many tools as possible to catch
>as much unwanted stuff as possible.  ClamAV searches with different methods
>and signatures than SA, nothing mysterious about that.  Combined results are
>good and converting most of the ClamAV third party "spam"-signatures into SA
>score with @virus_name_to_spam_score_maps can reduce FPs.

What I wanted to say is:

1. Alex (OP) asked about sa_mail_body_size_limit, if it applies to attachments too
- it does apply to all text content, not to binary attachments.
- There are also other limits (number of tokens for bayes).
- The content is truncated, so data up to this limit ARE used for SA scanning.


2. Damian misunderstood and asked about scanning of all content (malware)
- the Subject: explicitly contains sa_mail_body_size_limit which means SA
- clamav and other AV should be used for scanning of binary attachments
  and sa_mail_body_size_limit is not used there.


Finally, Alex reported FP with 8MB file, but didn't answer which rule caused 
it.
Alex, if you read this, please provide the file (if possible) or which 
SA rules caused the FP, possibly with text they matched.


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

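An amavisd.conf fragment illustrating the two points made above (the text-only size limit for SA, and handing ClamAV "spam" signatures to SA as a score), added here as an example and not taken from the thread or from amavisd's shipped configuration. The size value, the signature name patterns and the scores are assumptions to be adjusted to the signature sets actually loaded.

```perl
# amavisd.conf fragment (added example; numeric values and patterns are assumptions)

# Cap on the amount of *text* content handed to SpamAssassin. Content
# above this size is truncated, so the first 400 KB are still scanned.
# Binary attachments are not text and are not covered by this limit;
# they are the AV scanner's job.
$sa_mail_body_size_limit = 400*1024;   # assumed value

# Third-party ClamAV "spam" signatures are not real malware hits. Mapping
# their names to an SA score lets the combined SA result decide instead of
# a single signature hit rejecting the mail outright, which reduces FPs.
@virus_name_to_spam_score_maps =
  (new_RE(  # first match wins
    [ qr'^Sanesecurity\.(Junk|Spam)'i  => 3.0 ],   # assumed pattern and score
    [ qr'^(Email|HTML)\.Phishing\.'i    => 5.0 ],   # assumed pattern and score
  ));
```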
