On Wed, Sep 19, 2007 at 07:44:08PM +0300, Török Edvin wrote:
> See bug #551 about that.

Ew. The discussion there only makes me want to make the disabled heuristic setting permanent.

On Wed, Sep 19, 2007 at 12:11:10PM -0500, Noel Jones wrote:
> I think it would be insane to reject or discard mail based on
> "PhishingScanURLs yes" on anything bigger than a home/hobby server
> because of the high false positive rate.

I have to agree. Unfortunately, most mail gateway software interfacing to virus scanners doesn't make this distinction. If the scanner thinks it's a virus, it's rejected, otherwise it is passed. That's how virus scanners used to work, anyway.

> A significant percentage (I'm guessing 10% or more) of the
> "Phishing.Heuristics.*" detections here are false, which I then
> release from quarantine and submit to the signature team as a false
> positive. This is in contrast to the rest of the clamav detections
> which have a FP rate approaching zero percent.

Yes, I'm satisfied with the rest of the scanning. Even if I ignore all detected phishing mail, clamav still detects more viruses than our commercial scanners. However, we use our virus scanners as a reason for rejecting or even discarding the email - which we feel confident to do because of the very low false positive ratio of the scanners. If that's not the case, I cannot use it. Fortunately, we can change the scanner so it doesn't use detection methods which cause a high FP rate.

> It's probably important to note that these aren't strictly "false
> positives" as the messages invariably contain some sort of funky URL
> redirect that triggers the detection.

That is a very liberal interpretation of the meaning of "not a false positive". I would seriously suggest anyone with an urge to educate all senders of broken, dangerous, silly or dumb email to go and write the appropriate SpamAssassin plugin, and launch a campaign to reach the ignorant masses that produce such atrocities. Good luck. Really. May I suggest Mail::SpamAssassin::Plugin::DonQuixote?
But please, in any case, stay away from virus scanning, because it has nothing to do with that.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!