On Thu, Aug 09, 2012 at 02:07:22PM -0400, Alex wrote:
> Hi,
>
> >> # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
> >> Does anyone know what's going on with this domain? It doesn't look
> >> like a domain thousands of my users would be including in their email
> >> on Aug 7th, so I don't know whether the emails were really spam...
> >
> > Hi Alex,
> >
> > The problem I think was that the sig was bad and it was matching anything
> > "www." hence the huge number of FP's....
>
> I thought the signatures were fixed? In other words, simple pattern
> matching for a fixed string.
>
> I didn't realize it was dynamic and could match an expression, or am I
> missing something?

MBL's signature download (http) is unreliable and sometimes gives out incomplete files. Obviously, if the file cuts out in the middle of a signature, this can happen.
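
A pre-install check for the failure described in this reply, added here as an example (not code from the thread or from ClamAV). It assumes the downloaded file uses ClamAV's extended `.ndb` layout `Name:Target:Offset:HexBody`; the function name, the 8-byte minimum and the sample lines are constructed for illustration.

```python
import re

MIN_FIXED_BYTES = 8  # assumed local policy threshold, not a ClamAV limit
BODY_OK = re.compile(r"^[0-9a-fA-F?*{}()|\[\]!-]+$")  # hex digits plus wildcard syntax


def check_ndb(data: bytes, min_fixed: int = MIN_FIXED_BYTES):
    """Return [(line_no, reason)]; an empty list means the file may be installed."""
    if not data:
        return [(0, "empty file")]
    problems = []
    lines = data.decode("ascii", "replace").split("\n")
    if lines[-1] != "":
        # A complete file ends with a newline; a cut-off transfer usually does not.
        problems.append((len(lines), "no trailing newline: download cut short?"))
    for no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) < 4:
            problems.append((no, "fewer than 4 fields"))
            continue
        body = fields[3]
        if not BODY_OK.match(body):
            problems.append((no, "empty or malformed hex body"))
            continue
        # Drop {n-m} / [n-m] gap counts so their digits are not counted as pattern bytes.
        fixed = len(re.sub(r"\{[^}]*\}|\[[^\]]*\]|[^0-9a-fA-F]", "", body)) // 2
        if fixed < min_fixed:
            problems.append((no, f"only {fixed} fixed bytes in pattern"))
    return problems


# Constructed sample data: one complete signature, then one cut off mid-pattern.
GOOD = f"Constructed.Sample.1:0:*:{b'http://example.invalid/a'.hex()}\n".encode()
CUT = GOOD + b"Constructed.Sample.2:0:*:7777772e"  # 7777772e is the ASCII text "www."

if __name__ == "__main__":
    for name, blob in (("complete", GOOD), ("truncated", CUT)):
        print(name, check_ndb(blob) or "OK")
```

A file cut exactly at a line boundary passes these checks, so also compare the received size with the server's `Content-Length`, or with a checksum where the provider publishes one.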