P3Scan, virus scans, and spam

Tags: spam, antivirus, v7, mail

(Eddie Atherton) #1

I currently use P3Scan to pull e-mails from an external pop-provider and have a couple of questions regarding the virus scanning and spam detection.

Recently I’ve had a couple of e-mails wrongly flagged as a virus, which means I only get the notification page, instead of the mail. I wanted to report these to Sanesecurity as false positives, but it appears that the original mail is just dropped. Is it possible to quarantine these mails instead?

Also, is there a way to select which signatures are used?

For spam, I have the following settings:

However, I cannot find any Junk folder, nor do I ever get any messages with the prefix added, so I’m not sure what’s happening to the mails with a score between 5 and 15 as I can’t really believe that I don’t get any slightly-questionable mails.

Cheers.
Eddie


(Markus Neuberger) #2

Hi @EddieA,

Which mail client and which protocol do you use? Try an IMAP client, roundcube or webtop, for instance. There you should see the junk/spam folder. With your settings the prefix is added but the spam mail is moved to the junk folder.


(Filippo Carletti) #3

No, pop3 is a “simple” protocol and p3scan can’t quarantine mails.
You could probably use getmail (the pop3 connector) to deliver to a mailbox on nethserver and get the email from there (btw, this won’t satisfy your requirements for quarantine, either).


(Eddie Atherton) #4

It’s P3Scan that replaces the original e-mail with the text to say it was a virus. I’m assuming you mean that it currently can’t do that. It probably could, if someone wanted to resurrect the code and enhance it, as development ceased some time ago.

That’s how I did it in NS6, but switched to P3Scan in NS7 so I didn’t have to create a user for every e-mail account I wanted to retrieve from.

How is anti-virus handled in this scenario?

Clients are Thunderbird and Outlook, and as it’s P3Scan it has to be POP3.

Not really an option. Also see above as to why I switched to P3Scan.

I realised after @filippo_carletti’s comment, that the Junk folder I was used to seeing was when using the POP3 connector which means there are “real” mailboxes on the NS server and so the mail can be moved to a Junk folder. P3Scan is effectively a pass-through.

Except I am NOT seeing ANY mail with that prefix.

Cheers.


(Filippo Carletti) #5

@EddieA could you try to remove the “justdelete” line in p3scan.conf and look in /var/spool/p3scan?


(Eddie Atherton) #6

@filippo_carletti
Thank you. That keeps the original e-mail for me to view later. It will be a simple exercise to write a tidy-up script to toss these after a number of days.

But looking at those now raises a couple of questions regarding which application is used to scan the e-mails depending on how they are received, do SpamAssassin and ClamAV step on each other’s toes, and what ClamAV thinks is a “virus”. I’ll probably open another thread to discuss that, instead of cluttering this one further.

Cheers.
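
One way to write the tidy-up script mentioned in post #6, as an added example that is not part of the original thread or of P3Scan itself. The function name `purge_quarantine`, the 14-day retention in the usage comment, and the assumption that the kept messages are regular files under `/var/spool/p3scan` are illustrative.

```shell
#!/bin/sh
# Added example: remove messages that p3scan kept (with "justdelete" removed)
# once they are older than a retention period.
#
# Usage:  purge_quarantine DIR DAYS [--dry-run]
# Prints each file it removes (or would remove with --dry-run).
# Hypothetical daily cron call, assuming the spool path from the thread:
#   purge_quarantine /var/spool/p3scan 14

purge_quarantine() {
    dir=$1
    days=$2
    mode=${3:-}

    # The retention period must be a plain non-negative integer.
    case $days in
        ''|*[!0-9]*)
            echo "days must be a non-negative integer" >&2
            return 2
            ;;
    esac

    # Refuse an empty path, "/", a symlink, or anything that is not a directory,
    # so a typo or a swapped link cannot redirect the deletion elsewhere.
    if [ -z "$dir" ] || [ "$dir" = "/" ] || [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing to purge '$dir'" >&2
        return 2
    fi

    # -xdev: stay on one filesystem; -type f: regular files only, so
    # directories and symlinks inside the spool are left alone.
    # -mtime +N matches files last modified more than N full days ago.
    if [ "$mode" = "--dry-run" ]; then
        find "$dir" -xdev -type f -mtime +"$days" -print
    else
        find "$dir" -xdev -type f -mtime +"$days" -print -exec rm -f -- {} +
    fi
}
```

Run it with `--dry-run` first and copy out any false positives you still want to report before they age out.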