li...@grounded.net wrote:
> I think I know what's happened. I had cut/paste some html header response
> code into the message for another mailing list but their clamav must be
> getting a false positive thinking that the html code is phishing code.
>
> Not sure but I think that's what's happened.
>
This gets us to an interesting area of spam control. What you have is not a false positive, but a policy failure and it will be difficult to explain the difference. But I'm going to try anyway ;)

A false positive is a signature that will cause mail to be rejected whose delivery is actually desired. This can happen because people are capable of (and often do) writing messages that are indistinguishable from common spam. Examples I've found that require support from HR to solve disputes include messages that contain explicit sexual content, for example, and which cannot be differentiated from widely distributed pornography. In such cases the sender is not a spammer, just naive about appropriate content in a business environment.

A false positive is a signature that is simply too aggressive, or throws too large a net either by intent or by accident. For example the common drug \bcialis\b is probably in everyone's spam filter. But if it is there unanchored as I've shown it here, then the word "specialist" will also trigger it. The very fact that I have written it here will trigger the reject response in many systems and this message will not be seen by all list members (that is a policy failure - mail from this list should be filtered for spammy content if it is to be completely useful).

Using the earlier naive poster's explicit message as an example, a policy failure would happen when a user receives such a message and wishes to forward it to the messaging administrator as a spam sample, and it is rejected. Again, the intention is for the message to be delivered and there is often a mandate from HR or other corporate policy that expects it will be delivered. It is a filter policy failure because mail to the administrator should not be filtered. A mail alias would be an appropriate part of the solution so that such samples are directed to the specific activity that handles them.

Another policy failure is what you have done.
If you have a need to share dodgy messages (how to know it's dodgy, though?) then there needs to be a supportive policy in place that allows it. Sometimes that policy is to translate the message first using http://rot13.com/ or some such thing so it will pass all tests.

In this particular case though I think the signature is too weak and non-specific, prone to greater failure in a developer's environment than at the local community center, but still weak. It needs a larger context.

dp

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
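
The distinction discussed in this message, as an added example that is not part of the original post and is not ClamAV code: a keyword signature tested without and with word-boundary anchors, behind a policy check that exempts a sample-collection alias from content filtering. The addresses, message bodies and the `classify` and `run` helpers are constructed for illustration.

```python
import re

# Constructed signatures: the same keyword without and with word boundaries.
UNANCHORED = re.compile(r"cialis", re.IGNORECASE)
ANCHORED = re.compile(r"\bcialis\b", re.IGNORECASE)

# Hypothetical policy: recipients whose mail bypasses content filtering,
# such as an alias that collects spam samples for the mail administrator.
EXEMPT_RECIPIENTS = {"spam-samples@example.org"}

# Constructed sample messages: (recipient, body).
SAMPLES = [
    ("alice@example.org", "Please see the specialist on Monday."),
    ("bob@example.org", "Buy Cialis now, cheap!"),
    ("spam-samples@example.org", "Fwd: Buy Cialis now, cheap!"),
]


def classify(recipient, body, signature, exempt=EXEMPT_RECIPIENTS):
    """Return (verdict, reason) for one message.

    Policy is evaluated before content, so mail addressed to an exempt
    recipient is delivered even when its body matches a signature.
    """
    if recipient.lower() in exempt:
        return ("deliver", "policy-exempt recipient")
    match = signature.search(body)
    if match:
        start = max(match.start() - 10, 0)
        context = body[start:match.end() + 10]
        return ("reject", "signature hit near: " + repr(context))
    return ("deliver", "no signature hit")


def run(signature):
    """Verdicts for all constructed samples under one signature."""
    return [classify(rcpt, body, signature)[0] for rcpt, body in SAMPLES]


if __name__ == "__main__":
    for name, sig in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name)
        for rcpt, body in SAMPLES:
            print("  ", rcpt, "->", classify(rcpt, body, sig))
```

The first sample is the too-broad-signature case: only the unanchored pattern rejects it. The third sample is the policy case: it matches either signature and is delivered only because the exemption is checked first.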