Bill,
> I like the artificial header idea. If you could at least make it an
> optional flag that would be great. Would be nice to be able to add a
> few SA points if ClamAV detects phish, image, scam, etc., messages,
> otherwise it doesn't make much sense to use the additional ClamAV
> signature files provided by SaneSecurity and MSRBL.
You already have the ability (with 2.5.0-pre3) to add score points
based on phish, image, scam, etc.; the only reason why one would
like to have an artificial header field passed to SA is to be
able to have all the rules in one place (local.cf), and perhaps
for Bayes to see this information.
Nevertheless, it can't hurt to provide this ability. One has then
a choice to adjust scores either in the @virus_name_to_spam_score_maps
in amavisd.conf, or by providing rules to match on the artificial
X-Amavis-AV-Status header field, which will be seen by SA only
(not in passed or quarantined mail).
The following patch to 2.5.0-pre3 provides it:
--- amavisd.orig Mon Mar 12 21:51:24 2007
+++ amavisd Wed Mar 21 20:33:05 2007
@@ -1353,5 +1353,9 @@
@virus_name_to_spam_score_maps =
- (new_RE( [qr'^(?:Email|HTML)\.Phishing\.'i => 14] ));
+ (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
+ [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
+ (\.[^.]*)* \.Sanesecurity\.'x => 0.1 ],
+ [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
+ ));
# prepend a lookup table label object for logging purposes
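Review bot: the second map entry, the one starting `(Email|Html)\.(Hdr|Img|ImgO|...`, is compiled with `x` only, while the first entry uses `i` and spells the prefix `HTML`, so a name beginning `HTML.` would match the first entry but not the second. Either use `'xi` on the second entry or add a comment that these names are always spelled `Html`. The new entries also use capturing groups where the removed line used `(?:...)`; nothing in the hunk reads the captures, so `(?:...)` would keep the existing style. Because the removed entry scored 14 and every new entry scores 0.1, a comment above the map stating that the real weights are expected to come from SpamAssassin rules would help anyone applying this without them.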
@@ -16973,4 +16977,6 @@
push(@lines, sprintf("X-Amavis-OS-Fingerprint: %s\n",
sanitize_str($os_fp))) if $os_fp ne '';
+ push(@lines, sprintf("X-Amavis-AV-Status: %s\n",
+ sanitize_str($msginfo->spam_status))) if $msginfo->spam_status ne '';
my($pbpath) = c('policy_bank_path');
push(@lines, sprintf("X-Amavis-PolicyBank: %s\n",$pbpath)) if $pbpath ne '';
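Review bot: the new `X-Amavis-AV-Status` line is filled from `$msginfo->spam_status`, so the field name says AV while the accessor says spam; a one-line comment on what that accessor holds at this point would make the push readable next to the OS-Fingerprint and PolicyBank lines. The hunk also does not show whether a field of the same name already present in the incoming message is removed before SpamAssassin sees it. If it is not, rules keyed on this header could match sender-supplied text, so that is worth checking or stating in a comment.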
The above just adds 0.1 score point for each match, but turns off the infection flag
regardless of the actual value on the RHS. The idea is to provide additional
score points by SA rules below.
The following rules may be placed in local.cf:
header L_AV_Phish X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i
header L_AV_SS_Phish X-Amavis-AV-Status =~ m{\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Scam X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Spam X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Hdr X-Amavis-AV-Status =~ m{\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Img X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}

score L_AV_Phish 14
score L_AV_SS_Phish -3
score L_AV_SS_Scam 6
score L_AV_SS_Spam 6
score L_AV_SS_Hdr 3
score L_AV_SS_Img 3
score L_AV_MSRBL_Img 3
score L_AV_MSRBL_Spam 6
Mark
_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
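
Added example (not part of the message above and not amavisd-new or SpamAssassin code): the local.cf rules from the message, transcribed into Python regular expressions and run over constructed signature names to show which rules fire together and what they add up to. It assumes the X-Amavis-AV-Status value carries the scanner's signature names; every sample name below is made up.

```python
import re

# (rule name, pattern, regex flags, score) transcribed from the local.cf lines in the message.
SS = r"(\.[^.]*)*\.Sanesecurity\."
RULES = [
    ("L_AV_Phish", r"\b(Email|HTML)\.Phishing\.", re.I, 14),
    ("L_AV_SS_Phish", r"\b(Email|Html)\.Phishing" + SS, 0, -3),
    ("L_AV_SS_Scam", r"\b(Email|Html)\.(Scam[A-Za-z0-9]?)" + SS, 0, 6),
    ("L_AV_SS_Spam",
     r"\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)" + SS, 0, 6),
    ("L_AV_SS_Hdr", r"\b(Email|Html)\.Hdr" + SS, 0, 3),
    ("L_AV_SS_Img", r"\b(Email|Html)\.(Img|ImgO)" + SS, 0, 3),
    ("L_AV_MSRBL_Img", r"\bMSRBL-Images/", 0, 3),
    ("L_AV_MSRBL_Spam", r"\bMSRBL-SPAM\.", 0, 6),
]
COMPILED = [(name, re.compile(pat, flags), score) for name, pat, flags, score in RULES]


def evaluate(header_value):
    """Return (names of rules that fire, summed score) for one header value."""
    hits = [(name, score) for name, rx, score in COMPILED if rx.search(header_value)]
    return [name for name, _ in hits], sum(score for _, score in hits)


# Constructed signature names (assumption: the header holds names in this style).
SAMPLES = [
    "Email.Phishing.Bank-123",                   # generic phish name
    "Html.Phishing.Bank.Sanesecurity.07032100",  # phish rule plus the -3 offset
    "HTML.Phishing.Bank.Sanesecurity.07032100",  # upper-case prefix: no offset
    "Email.Hdr.Sanesecurity.07010100",           # Hdr is listed in two rules
    "Email.Img.Gen.Sanesecurity.07030500",
    "MSRBL-Images/0-abcdef",
    "MSRBL-SPAM.Stock.1",
    "Worm.Mydoom.M",                             # unrelated name, no rule fires
]

if __name__ == "__main__":
    for value in SAMPLES:
        names, total = evaluate(value)
        print(f"{total:5}  {value:45} {', '.join(names) or '-'}")
```

The third sample shows the effect of the `i` flag being present on L_AV_Phish only: the case-sensitive Sanesecurity rules do not fire on an upper-case `HTML.` prefix.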