Posted to users@spamassassin.apache.org by "Steven W. Orr" <st...@syslang.net> on 2012/10/05 18:21:24 UTC

How can I get SA to tell me what CLAMAV found?

I have SA running and configured to call clamav.cf. My mail server checks the 
incoming messages by running SA as a milter, so the spam is rejected before 
reception completes. My mail logfile for a specific message might look like this:

Oct  5 11:30:01 saturn sendmail[20656]: q95FTj2G020656: Milter add: header: 
X-Spam-Status: Yes, score=28.0 required=5.0 
tests=BAYES_99,CLAMAV,\n\tDATE_IN_PAST_06_12,FSL_HELO_NON_FQDN_1,HTML_MESSAGE,RCVD_IN_PBL,RCVD_IN_XBL,\n\tRDNS_NONE,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_JP_SURBL,URIBL_PH_SURBL,\n\tURIBL_WS_SURBL 
autolearn=spam version=3.3.2 country=IR

but I'd like to know which CLAMAV virus was the trigger. Is there a way to get 
output somewhere that tells me which signature(s) fired?

TIA

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: How can I get SA to tell me what CLAMAV found?

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/5/2012 12:21 PM, Steven W. Orr wrote:
> I have SA running and configured to call clamav.cf. My mail server 
> checks the incoming messages by running SA as a milter, so the spam is 
> rejected before reception completes. My mail logfile for a specific 
> message might look like this:
>
> Oct  5 11:30:01 saturn sendmail[20656]: q95FTj2G020656: Milter add: 
> header: X-Spam-Status: Yes, score=28.0 required=5.0 
> tests=BAYES_99,CLAMAV,\n\tDATE_IN_PAST_06_12,FSL_HELO_NON_FQDN_1,HTML_MESSAGE,RCVD_IN_PBL,RCVD_IN_XBL,\n\tRDNS_NONE,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_JP_SURBL,URIBL_PH_SURBL,\n\tURIBL_WS_SURBL 
> autolearn=spam version=3.3.2 country=IR
>
> but I'd like to know which CLAMAV virus was the trigger. Is there a 
> way to get output somewhere that tells me which signature(s) fired?
>
> TIA
>
The clamav plug-in is unsupported but I believe it only logs to a header 
which you don't have because you rejected the email.

You could try changing the line

   dbg("ClamAV: result - $header");

To instead read info("ClamAV: result - $header");

Not sure where or if that will end up logging the info you want somewhere so you might be best off turning on the ClamAV debug channel http://wiki.apache.org/spamassassin/DebugChannels i.e. -D ClamAV should work.

regards,
KAM
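
Added example, not part of the original thread or of the ClamAV plug-in: because the rejected message never reaches a mailbox, the sendmail log line quoted above is the only record that CLAMAV fired, so this sketch parses those "Milter add" lines and returns the queue IDs of messages that hit the rule. The first sample line is the one from the post joined onto one line; the other two lines, their queue ID and the function names are constructed for illustration.

```python
import re

# sendmail's record of the X-Spam-Status header added by the milter
STATUS_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): Milter add: header: X-Spam-Status: "
    r"(?P<verdict>Yes|No), score=(?P<score>-?[\d.]+) required=\S+ "
    r"tests=(?P<tests>.*?)\s+autolearn="
)

def parse_status(line):
    """Parse one maillog line; return None if it is not an X-Spam-Status record."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    # Header folding is logged as the literal characters \n\t, not real whitespace
    raw = m.group("tests").replace("\\n", "").replace("\\t", "")
    tests = [t.strip() for t in raw.split(",") if t.strip()]
    return {"qid": m.group("qid"), "spam": m.group("verdict") == "Yes",
            "score": float(m.group("score")), "tests": tests}

def rule_hits(lines, rule="CLAMAV"):
    """Return parsed records whose test list contains `rule` exactly."""
    records = (parse_status(line) for line in lines)
    return [r for r in records if r and rule in r["tests"]]

SAMPLE_LOG = [
    # Line from the post, joined onto one line
    r"Oct  5 11:30:01 saturn sendmail[20656]: q95FTj2G020656: Milter add: header: "
    r"X-Spam-Status: Yes, score=28.0 required=5.0 "
    r"tests=BAYES_99,CLAMAV,\n\tDATE_IN_PAST_06_12,FSL_HELO_NON_FQDN_1,HTML_MESSAGE,"
    r"RCVD_IN_PBL,RCVD_IN_XBL,\n\tRDNS_NONE,UNPARSEABLE_RELAY,URIBL_BLACK,"
    r"URIBL_JP_SURBL,URIBL_PH_SURBL,\n\tURIBL_WS_SURBL "
    r"autolearn=spam version=3.3.2 country=IR",
    # Constructed: a clean message and an unrelated sendmail line
    r"Oct  5 11:31:12 saturn sendmail[20701]: q95FUx3H020701: Milter add: header: "
    r"X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 "
    r"autolearn=ham version=3.3.2",
    r"Oct  5 11:31:13 saturn sendmail[20701]: q95FUx3H020701: "
    r"from=<a@example.com>, size=1234",
]

if __name__ == "__main__":
    for hit in rule_hits(SAMPLE_LOG):
        print(hit["qid"], hit["score"], ",".join(hit["tests"]))
```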


Re: How can I get SA to tell me what CLAMAV found?

Posted by da...@chaosreigns.com.
On 10/05, Steven W. Orr wrote:
> but I'd like to know which CLAMAV virus was the trigger. Is there a
> way to get output somewhere that tells me which signature(s) fired?

Ask the clamav people?

-- 
"If you want to make an apple pie from scratch, you must first create
the universe." - Carl Sagan
http://www.ChaosReigns.com