Combatting Virus Spam with Spamassassin and RSS

by Adam Trachtenberg

In the last week or so, I've gone from getting 200-300 pieces of spam a day to about 500 messages a day. While I'm sure there are many other people out there who get 10 times as many messages as I do, I'm still not pleased with this development. Even worse, almost 20 of these messages are making it through my spam filtering combo of spamassassin (sa), and I used to only get one or two uncaught messages.

Fortunately, most of the messages that slip through aren't spam per se. They're not trying to sell me anything. Spamassassin does a great job at nabbing those. Instead, they're virus e-mail trying to get me to click on a Windows file. Too bad I use a Mac, so they're not only annoying, but useless.

Normally, when a big spamming virus starts flooding my account with messages, I write a custom sa rule to block it. However, I don't really want to be in the business of writing spam filters: partly because I just don't have the time, and partly because I'm always afraid I'll accidentally filter out something important.

So, I've come up with a solution to my problem. What I want and would find really useful is a sa virus rules RSS feed. Then, whenever a nasty virus comes around, I'm automatically notified and presented with a rule I can cut and paste into my user_prefs file to filter it out of my life. (I don't trust automated filter updates because I prefer not to be forced to dig out legitimate messages from my spam box if the filter is too loose.)
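As an added illustration (not something from this post or from any feed), here is the shape of a cut-and-paste user_prefs rule of the kind described above. It assumes the site's SpamAssassin configuration has `allow_user_rules 1` set (otherwise only `score` lines are honoured in user_prefs); the rule name, regular expression and score are my own choices.

```conf
# Constructed example of a user_prefs rule for executable-attachment virus mail.
# Requires "allow_user_rules 1" in the site config (e.g. local.cf), or the
# full/describe lines below are silently ignored and only the score applies.

# "full" tests run against the pristine message (headers plus all MIME data),
# so the part header that names the attachment is visible. The /m modifier
# lets ^ anchor at each line start. Caveat: a folded or RFC 2231-split
# "name=" parameter will not match this single-line pattern.
full      LOCAL_WIN_EXE_ATTACH  /^Content-(?:Type|Disposition):[^\n]*name="?[^"\n;]+\.(?:exe|scr|pif|bat|com|cmd)"?/im
describe  LOCAL_WIN_EXE_ATTACH  Attachment with a Windows executable extension

# Keep the score below the spam threshold (5.0 by default) so a lone hit on a
# legitimately mailed program does not land in the spam box on its own; it has
# to combine with other signals. Raise it only after watching the hits for a while.
score     LOCAL_WIN_EXE_ATTACH  3.0

# Before relying on a new rule, check it parses and see which rules a saved
# message actually hits, without delivering anything:
#   spamassassin --lint
#   spamassassin -t < sample.eml
```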

Does such a thing exist? I checked out the sa wiki, but they only have virus bounce rules. Does somebody want to start one? I can guarantee one customer.

How do you combat virus spam with spamassassin?

2004-02-25 13:29:18
An alternate solution for the viruses
For virus mail itself you can front-end your mail server with one of the virus scanners. ClamAV is a nice free one, with regular and aggressive virus database updates.

2004-02-26 05:15:14
I second that.
I'm soooo subscribed to that rss feed.

2004-02-26 10:23:24
SA virus/spam RSS Feed updater
There isn't really a need for an RSS feed updater for SA rulesets.

There already exists a script that will auto-grab all new ruleset updates (As many as you can plug into it) directly from the sources, and implement them into your SA configuration.
It's called RulesDuJour by Chris Thielen.

2004-02-26 10:26:38
RSS Feed
Sorry, didn't see your comments about not 'trusting automated updates'.
I fail to see the relevance in an RSS feed to notify you of virus outbreaks. Why not simply view a webpage every day that has one of the hundreds of AV companies' Virus Alerts on it and make a decision based on them whether or not you want to exert any effort in protecting yourself or your users?

2004-02-26 11:12:36
RSS Feed
You sort of answer your own question. Having to check a Web page every day, while not terribly time consuming, seems unnecessary. With that perspective, why have XML feeds at all on the Web? Google's API must be useless, because I can just visit Google and search for myself. Why do blogs have feeds, when I can just visit the blog every day?

The feed he mentions also specifically has carefully-written rules, so his only decision is whether to copy and paste a particular one (or a few of them). Combined with an aggregator, even this simple decision only has to be made whenever there is a new Microsoft worm or something running around. While this is a frequent event, it is not (yet) every day.