Jiri Demel wrote: > Is there any possiility to have some sort of a local whitelist > for the phishing heuristics in ClamAV? > Or should I try to "solve" it in MimeDefang from which I call ClamAV?
Since you're using MIMEDefang to call ClamAV, I'd suggest something like what I've done; phishing "viruses" get some internal state added during MD's processing, and instead of treating these as viruses, they get passed down the chain and run through SpamAssassin as well, with a bit of a score bump for the ClamAV hit. On one system this extra state data is a local variable I use later in mimedefang-filter to bump the SA score and add a rule name to the list actually returned by SA; on another I add a header and let a real header rule in SA match and increase the score on the message. I have to note these are both relatively low-volume systems hosting ISP mail services, but in more than a year with this configuration I've yet to have a false positive reported on either one that could be traced to this setup. -kgd _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
