From: Bill L. <bi...@in...> - 2007-05-31 17:38:24
Mark Martinec wrote the following on 5/31/2007 1:16 AM -0800:
> Bill,
>
>> I am marking and passing malware e-mails to a special review account for
>> possible listing in URIBL Black (in their malware cluster). Just
>> curious to know why amavisd would write all of the duplicate malware
>> headers to a single message:
>>
>> X-Spam-Status: Yes, score=56 required=5
>> tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5]
>>
>
> amavisd passes each mail component (unless decoding is disabled)
> to virus scanners. Perhaps clamd triggered on each mail part.
>

I have:

$bypass_decode_parts = 1;

> Or there may be an issue with cached results from previous attempts,
> try:
> $virus_check_negative_ttl=0; # time to cache contents when not infected
> $virus_check_positive_ttl=0; # time to cache contents when infected
> $spam_check_negative_ttl =0; # time to cache contents as not spam
> $spam_check_positive_ttl =0; # time to cache contents as spam
> just to rule out this possibility.
>

I think these are set to the defaults:

$virus_check_negative_ttl= 3*60; # time to cache contents when not infected
$virus_check_positive_ttl= 30*60; # time to cache contents when infected
$spam_check_negative_ttl = 10*60; # time to cache contents as not spam
$spam_check_positive_ttl = 30*60; # time to cache contents as spam

> The final answer lies in your log.
>

If I find any more of these, I'll check to see what the log reports.

Thanks,

Bill
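The X-Spam-Status header quoted in this thread, checked programmatically. This is an added example, not part of the original message and not amavisd code. It parses the tests=[...] list, counts repeated test names, and compares the reported score with the sum of the listed entries and with the sum after collapsing repeats. The function name and the minimal wrapper message are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample: only the X-Spam-Status header quoted in the thread,
# folded over continuation lines and wrapped in a minimal message.
AV = "AV:Email.Malware.Sanesecurity.07051800=7.5"
HEADER_LINES = (
    ["X-Spam-Status: Yes, score=56 required=5",
     " tests=[" + AV + ", MY_TEST=3.5,"]
    + [" " + AV + ","] * 5
    + [" " + AV + "]"]
)
SAMPLE = "\n".join(HEADER_LINES) + "\n\nbody\n"


def analyze_spam_status(raw_message):
    """Return reported score, per-entry sum, de-duplicated sum, repeat counts."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        raise ValueError("no X-Spam-Status header")
    value = " ".join(value.split())  # unfold continuation lines
    score = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", value)
    tests = re.search(r"\btests=\[(.*?)\]", value)
    if not score or not tests:
        raise ValueError("unexpected X-Spam-Status layout")
    entries = []
    for item in (i.strip() for i in tests.group(1).split(",")):
        if not item:
            continue
        name, sep, points = item.rpartition("=")
        if not sep:  # test listed without a score
            name, points = item, "0"
        entries.append((name, float(points)))
    counts = Counter(name for name, _ in entries)
    return {
        "reported": float(score.group(1)),
        "summed": sum(points for _, points in entries),
        # Each test name counted once, as if every hit were reported a single time.
        "deduplicated": sum(dict(entries).values()),
        "repeated": {name: n for name, n in counts.items() if n > 1},
    }


if __name__ == "__main__":
    for key, val in analyze_spam_status(SAMPLE).items():
        print(f"{key}: {val}")
```

On the quoted header, the listed entries add up to the reported score, so each repeated AV entry contributed its full 7.5 points.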