James Cloos wrote:
> I've noticed that amavisd on my MX no longer blocks stuff flagged by
> clamav.
>
> The only difference in the logs for a message which clamav's log shows
> as having FOUND something and one which is CLEAN is that in the latter
> case amavis logs 'Hits: -' and in the FOUND case it logs 'Hits: 0.1'.
>
> The logs show that it is sending everything to clamav, just PASSing mail
> which should be DISCARDed and quarantined.
>
> I can't find any reason why.
>
> My /etc/amavis/conf.d/50-user just sets:
>
> @local_domains_acl to a list of my local domains,
> $forward_method and $notify_method to the delivery smtpd,
> $myhostname to the correct fqdn, and:
>
> @bypass_virus_checks_maps = (); # to check everything
> $final_virus_destiny = D_DISCARD;
> $final_banned_destiny = D_DISCARD;
>
> The quarantine had a couple of recent badh- files, but no virus-
> or banned- files for the last several months.
>
> An example of the logging:
>
> From mail.log:
>
> Dec 29 18:33:03 mx amavis[8696]: (08696-11) Passed CLEAN, [74.238.54.136]
> <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,
> Message-ID: <[EMAIL PROTECTED]>,
> mail_id: Ainpxge0xIwH, Hits: 0.1, size: 3648, queued_as: 585E494093, 771
> ms
>
> and the corresponding entry from clamav.log:
>
> Sat Dec 29 18:33:03 2007 ->
> /var/lib/amavis/tmp/amavis-20071229T183012-08696/parts/p001:
> HTML.Phishing.Pay-172 FOUND
>
> -JimC

So did you upgrade amavisd-new recently?

An excerpt from the amavisd-new RELEASE_NOTES:

- make it possible for a virus scanner to derate an infection report
  to a spam report, contributing to spam score and to spam report/status.
  A new configuration variable @virus_name_to_spam_score_maps
  (also member of policy banks) can turn a reported virus name
  into a spam score. Its default setting is:

    @virus_name_to_spam_score_maps =
      (new_RE(
        [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
        [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
        [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
      # [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
      #      (\.[^., ]*)* \.Sanesecurity\.'x => 0.1 ],
        [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
      ));

  and can be replaced in amavisd.conf.

  To disable the feature assign an empty list to the
  configuration variable:

    @virus_name_to_spam_score_maps = ();

  When a virus scanner returns names of viruses, and all provided names are
  matched by the @virus_name_to_spam_score_maps, and no other virus scanner
  has anything more sinister to report, then a message is _not_ flagged
  as a virus, but a corresponding spam score is contributed to other
  spam results as returned by a normal spam scan by SA. All the usual
  spam rules are then followed. Phishing fraud as indicated by ClamAV
  is now by default treated as spam, and no longer as a virus.

--
Noel Jones
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
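
The derating rule from the RELEASE_NOTES excerpt above, as an added Perl example that is not part of the original messages or of amavisd-new itself: it runs reported virus names through the default map to show which results stay a virus and which only add a spam score. The helper names score_for and verdict are hypothetical, first-match ordering of the map entries is an assumption, and every sample name other than HTML.Phishing.Pay-172 is constructed.

```perl
#!/usr/bin/perl
# Added illustration (not amavisd-new source): models the derating rule
# described in the RELEASE_NOTES excerpt above.
use strict;
use warnings;

# Active entries of the default map, copied from the excerpt.
# Assumption: entries are tried in order and the first match decides.
my @map = (
  [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1   ],
  [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
  [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 0.1   ],
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 0.1   ],
);

# Score for one reported name; undef means "not derated" (no entry
# matched, or the matching entry maps to undef).
sub score_for {
  my ($name) = @_;
  for my $entry (@map) {
    my ($re, $score) = @$entry;
    return $score if $name =~ $re;
  }
  return undef;   # explicit undef so list-context callers get one element
}

# A message stays a virus unless every reported name is derated.
sub verdict {
  my @names = @_;
  return 'clean' unless @names;
  my @scores = map { score_for($_) } @names;
  return 'virus' if grep { !defined $_ } @scores;
  return 'spam score: '
       . join(', ', map { "$names[$_]=$scores[$_]" } 0 .. $#names);
}

# Sample scanner results. Only the first name comes from the thread;
# the others are constructed for the example.
my @cases = (
  [ 'HTML.Phishing.Pay-172' ],
  [ 'Email.Malware.Sanesecurity.00000000' ],
  [ 'HTML.Phishing.Pay-172', 'Trojan.Constructed-1' ],
);
printf "%-45s -> %s\n", join(' + ', @$_), verdict(@$_) for @cases;
```

With the map set to an empty list, as the excerpt describes for disabling the feature, score_for returns undef for every name and each non-empty result is reported as a virus.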