<div dir="ltr">No, it's just a simple test with one receiver.<div><br></div><div>I've read the code of Spam.pm (analyze_spam sub)</div><div><br></div><div><div>if (my $hit = $queue->{clamav_heuristic} ) {</div><div> my $score = $queue->{clamav_heuristic_score};</div><div> my $descr = "ClamAV heuristic test: $hit";</div><div> my $rule = 'ClamAVHeuristics';</div><div> $sa_score += $score;</div><div> $list .= $list ? ",$rule" : $rule;</div><div> push @$sa_scores, { score => $score, rule => $rule, desc => $descr };</div><div> }</div><div><br></div><div> </div><div><br></div><div> my ($csec, $usec) = gettimeofday ();</div><div><br></div><div> my $spamtest = $queue->{sa};</div><div><br></div><div> # only run SA in testmode or when clamav_heuristic did not confirm spam (score < 5)</div><div> if ($msginfo->{testmode} || ($sa_score < 5)) {</div></div><div><br></div><div><br></div><div>Seems that the sa scan is not triggered ony if clamav heuristic is in place.</div><div>I've added something like just before the if :</div><div><br></div><div><div> </div><div> if ( $queue->{vinfo_avast} ) {</div><div> my $score = 5 ;</div><div> my $descr = "Avast Virus: 1";</div><div> my $rule = '<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">AvastVirusFound</span>';</div><div> $sa_score += $score;</div><div> $list .= $list ? ",$rule" : $rule;</div><div> push @$sa_scores, { score => $score, rule => $rule, desc => $descr };</div><div> }</div><div><br></div><div>And in this way when avast found eicar the spam scan is not triggered and the only rule found is <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">AvastVirusFound.</span></div><div><br></div><div><br></div><div> </div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 17, 2018 at 11:40 AM, Dietmar Maurer <span dir="ltr"><<a href="mailto:dietmar@proxmox.com" target="_blank">dietmar@proxmox.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Maybe that mail has more than one receiver, and you only block one of them?<br>
<br>
> On April 17, 2018 at 11:30 AM Davide Bozzelli <<a href="mailto:davide.bozzelli@gmail.com">davide.bozzelli@gmail.com</a>><br>
<span class="">> wrote:<br>
> <br>
> <br>
> This is the email i've receive to admin when <a href="http://eicar.com" rel="noreferrer" target="_blank">eicar.com</a> triggers avast:<br>
> <br>
> Proxmox Notification:<br>
> <br>
> Sender: xxx<br>
> Receiver: xxx<br>
</span>> Targets: x <<a href="mailto:buzzz@zartech.it">buzzz@zartech.it</a>>xxx<br>
<div class="HOEnZb"><div class="h5">> <br>
> Subject: Automatic greetings virus<br>
> <br>
> <br>
> Matching Rule: IN - Quarantine Viruses & Alert<br>
> <br>
> Rule: IN - Quarantine Viruses & Alert<br>
> Receiver: xxx<br>
> Action: Move to quarantine.<br>
> Action: notify xxx<br>
> Action: notify __RECEIVERS__<br>
> <br>
> <br>
> Virus Info: EICAR Test-NOT virus!!! (avast)<br>
> <br>
> Spam detection results: 4<br>
> ALL_TRUSTED -1 Passed through trusted hosts only via SMTP<br>
> BAYES_50 0.8 Bayes spam probability is 40 to 60%<br>
> DCC_CHECK 1.1 Detected as bulk mail by DCC (<a href="http://dcc-servers.net" rel="noreferrer" target="_blank">dcc-servers.net</a>)<br>
> DIGEST_MULTIPLE 0.293 Message hits more than one network digest check<br>
> KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any<br>
> anti-forgery methods<br>
> MISSING_MID 0.497 Missing Message-Id: header<br>
> PYZOR_CHECK 1.392 Listed in Pyzor (<a href="http://pyzor.sf.net/" rel="noreferrer" target="_blank">http://pyzor.sf.net/</a>)<br>
> TVD_SPACE_RATIO 0.001 -<br>
> <br>
> <br>
> <br>
> As you can see ALL the spam rules are triggered.<br>
> <br>
> <br>
> On Tue, Apr 17, 2018 at 11:24 AM, Dietmar Maurer <<a href="mailto:dietmar@proxmox.com">dietmar@proxmox.com</a>><br>
> wrote:<br>
> <br>
> ><br>
> > > I've notice that event if a virus is found a spam scanning is performed.<br>
> ><br>
> > Not really. If you block the virus, the SPAM analysis should not be called<br>
> > at<br>
> > all.<br>
> ><br>
> > ______________________________<wbr>_________________<br>
> > pmg-devel mailing list<br>
> > <a href="mailto:pmg-devel@pve.proxmox.com">pmg-devel@pve.proxmox.com</a><br>
> > <a href="https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel" rel="noreferrer" target="_blank">https://pve.proxmox.com/cgi-<wbr>bin/mailman/listinfo/pmg-devel</a><br>
> ><br>
> <br>
> <br>
> <br>
> -- <br>
> Got problems with Windows? - ReBooT<br>
> Got problems with Linux? - Be RooT<br>
<br>
______________________________<wbr>_________________<br>
pmg-devel mailing list<br>
<a href="mailto:pmg-devel@pve.proxmox.com">pmg-devel@pve.proxmox.com</a><br>
<a href="https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel" rel="noreferrer" target="_blank">https://pve.proxmox.com/cgi-<wbr>bin/mailman/listinfo/pmg-devel</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Got problems with Windows? - ReBooT<br>Got problems with Linux? - Be RooT </div>
</div>