> I'm also now noticing there are hundreds or thousands of messages > erroneously quarantined as a result of this rule. It appears to expand > to: > > # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs > Does anyone know what's going on with this domain? It doesn't look > like a domain thousands of my users would be including in their email > on Aug 7th, so I don't know whether the emails were really spam...
Hi Alex, The problem I think was that the sig was bad and it matching anything "www." hence the huge number of FP's.... Cheers, Steve Sanesecurity _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
