From: Adam Katz <antis...@khopis.com> Date: Sun, 03 May 2009 18:47:21 -0400
I am under the impression that virus checking is *not* that much easier than a fully-loaded SA implementation, so therefore spam detection should run first. Counter-point: online lookups cost bandwidth and latency, virus detection doesn't (yet) require any. Have you timed ClamAV? It is essentially free. On my machine I get >100 ClamAV virus scans per second, which is *way* faster than SpamAssassin. Pause. Constructive comments and criticisms? I disagree with your premise... Time ClamAV and your fully-loaded SA implementation on a set of messages. You can time SpamAssassin with and without network tests for a more complete picture. Don't get too caught up in the above part, it is all illustrative in getting to my question below. Mail that passes SpamAssassin but gets caught by ClamAV would add value to SA's Bayesian and AWL databases and thus the message stands a chance at getting caught in the future regardless of its viral content. Feeding virus email into SpamAssassin Bayes seems like a bad idea to me. The bayes tokens aren't going to be all that useful for catching non virus spam. Adding the virus email into AWL seems somewhat reasonable since any further email from the same IP address is likely to be another virus or botnet spam. However, in practice any botnet spam will use different random email addresses so you probably won't get any awl hits on the AWL addresses learned from virus email. -jeff
