On 5 Sep 2011, at 15:18, Matus UHLAR - fantomas wrote:
> Hello,
>
> I'm trying to distinguish between phishing and other signatures on a mail
> server - phishing reports should be passed to our abuse@ account, but not
> elsewhere.
>
> Therefore, it's not possible to play with options to disable phishing
> signatures detection in ClamAV or use multiple clamav daemons - I just need to
> distinguish them from viruses and possibly other unwanted content.
>
> Do you have an idea how should I detect if a mail is a phish, or any other
> content (which?) that should our abuse@ team know about?
You can use an ACL to set a message variable, which will probably use something
vaguely like this untested:

    warn
      malware   = *
      # test the signature name before "set": ACL lines are processed in order
      condition = ${if eq{${substr{0}{15}{$malware_name}}}{Email.Phishing.}}
      set acl_m_phish = true

Then, in your subsequent ACLs, you can exempt this email from rejection (or to
use, control=fakereject). And in your routers, you can test $acl_m_phish to get
the email delivered to the right place.
An alternative approach is to use control=freeze - then you have manual control
over what to do with the message.
Oh, and I would consider directing the email to a different email address, so
that your abuse team can distinguish the mail from stuff that really was
addressed to abuse@. And, add a header so that they can see who the original
recipients were.
> I currently exempt ^HTML., ^Email. and .Phishing from being rejected.
>
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
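
The approach described in the reply above, written out as an Exim configuration fragment. This is an added example, not part of the original message and not tested against the poster's setup; the ACL name `acl_check_data`, the router name `phish_to_abuse`, the header name `X-Original-Recipients` and the address `phish-reports@example.org` are assumptions chosen for illustration.

```exim
# Constructed example: names and addresses below are placeholders.
begin acl

# Referenced from the main section as: acl_smtp_data = acl_check_data
acl_check_data:

  # Phishing signature: tag the message and record the envelope recipients.
  # $recipients is available in the DATA ACL.
  warn
    malware    = *
    condition  = ${if eq{${substr{0}{15}{$malware_name}}}{Email.Phishing.}}
    set acl_m_phish = true
    add_header = X-Original-Recipients: $recipients

  # Any other signature: reject as usual. The malware result is cached,
  # so the scanner is not called a second time for this message.
  # An unset $acl_m_phish expands to the empty string (strict_acl_vars off).
  deny
    malware    = *
    condition  = ${if !eq{$acl_m_phish}{true}}
    message    = This message was detected as malware ($malware_name).

  accept

begin routers

# Must come before the routers that deliver to real mailboxes.
# acl_m variables are stored with the message, so they survive to delivery.
# The second test stops the router from re-processing its own output address.
phish_to_abuse:
  driver    = redirect
  condition = ${if and{{eq{$acl_m_phish}{true}}{!eqi{$local_part@$domain}{phish-reports@example.org}}}}
  data      = phish-reports@example.org
```

Because every recipient of a tagged message is redirected, the added header (which can include Bcc recipients) is only seen at the reporting address.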