Matt,

You are right, these are viruses being sent. I have been working with SA for about 6 months now, and I must say...originally I was confused about the 'features' of SA, but have since learned that SA has nothing to do with viruses. I probably alluded to the idea that I was worried SA wasn't scoring high enough; hence, making everyone think that I felt SA should give a higher score b/c of the virus attached, but that is not what I was getting at. You are also right that I need to send an email out to the users, and let them know about the virus outbreak. No message has made it through without being tagged, so the servers are working as they should. I mainly sent out the email to see if others were seeing an influx also.

Thanks for the information. As always, if it were not for this active mailing list, I would not be as knowledgeable as I am now...but I would still be considered a "novice," much like what you and Julian have been discussing on the MailScanner list.

Casey

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 9:47 AM
To: Casey King; SpamAssassin Users
Subject: Re: New Spammer?

At 09:56 AM 11/22/2005, Casey King wrote:
>This morning we have been getting drilled by spam/virus emails.

Are they spam, or viruses? Not the same thing.

>40 so far.

I should be so lucky to see as few as 40/hour during any kind of outbreak.

> Been getting a lot of phone calls from across the company about these
> emails. At least my mailscanner boxes are stripping the files, and
> tagging it as spam, but what worries me, is the low scores these messages
> are receiving.

SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not care about virus emails. No effort is made to try to catch them, because doing so would dilute the scores of the spam ruleset. No effort is made to try to avoid tagging them either. They're just removed from the corpus and handled by the developers as if they don't exist.

>I start tagging spam, at 3.5 so each message has been tagged, but still
>sent through. Anyone else seeing these emails?

I see plenty of viruses, and never give them a mind. My selective greylisting helps, but so far this morning my mailscanner still got 20 of them. There was also a steep burst last Weds, 18 of them, which then leveled off through the rest of the day.

*shrug*.. tell your users in a broadcast email that there is a virus outbreak, but to not be concerned unless they have a message that looks like a virus and isn't tagged. You might also want to include some standard educational notes about viruses and their auto-sending, auto-forging habits.