Gary, Mike,
> As MrC announced, there have been changes to the SaneSecurity
> database that affect amavisd-new, and potentially spamassassin:
> http://marc.info/?l=amavis-user&m=122335037818485
> Old format:
> Html.Phishing.Rdi.Gen001.Saneseurity.06030200.UNOFFICIAL
> New format:
> Sanesecurity.Phishing.Rdi.5.UNOFFICIAL
>
> What additions or changes should be made to these rules
Took me a while, but now I plunged into updating my third-party
signatures for clamd. This is what I came up with:
(amavisd.conf):
@virus_name_to_spam_score_maps =
(new_RE( # the order matters!
[ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
[ qr'^Sanesecurity(\.[^., ]*)*\.' => 0.1 ],
[ qr'^Sanesecurity_PhishBar_' => 0 ],
[ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
[ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
[ qr'^MBL_' => undef ], # keep as infected
[ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
[ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
[ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
[ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
));
# Sanesecurity http://www.sanesecurity.co.uk/
# MSRBL- http://www.msrbl.com/site/contact
# MBL http://www.malware.com.br/index.shtml
# -SecuriteInfo.com http://clamav.securiteinfo.com/malwares.html
Actually the /^MBL_/ and /-SecuriteInfo\.com(\.|\z)/ rules are
redundant, but help document the fact that these malware names
are intentionally NOT converted to spam, but kept as virus names.
And the accompanying SpamAssassin rules
(local.cf, watch for line wraps by your MUA):
header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
header L_AV_SS_Malware X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
header L_AV_SS_Spam X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.}
header L_AV_SS_Hdr X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
header L_AV_SS_Bounce X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
header __L_AV_SS X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
meta L_AV_SS_other __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images/}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
header L_AV_MBL X-Amavis-AV-Status =~ m{\bAV:MBL_}
header L_AV_SecInf X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
score L_AV_Phish 14
score L_AV_SS_Phish 5
score L_AV_SS_PhishBar 0.5
score L_AV_SS_Scam 8
score L_AV_SS_Spam 8
score L_AV_SS_Hdr 6
score L_AV_SS_Img 3.5
score L_AV_SS_Bounce 0.1
score L_AV_SS_other 1
score L_AV_SS_Malware 14
score L_AV_MBL 14
score L_AV_MSRBL_Img 3.5
score L_AV_MSRBL_Spam 6
score L_AV_SecInf 8
The reason for keeping scoring with SpamAssassin and not as score boost
in amavisd is to let SpamAssassin's autolearning (Bayes and AWL) benefit
from the final score. Also it plays better with cached scores in amavisd.
Mark
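An added example, not part of Mark's post and not amavisd code: it plays the ordered @virus_name_to_spam_score_maps table above through Python's re module against a few constructed signature names (only the Sanesecurity.Phishing.Rdi.5.UNOFFICIAL name is from the thread), showing which entry each name hits and what reordering the first two entries would do. It assumes, as amavisd does, that a name matching no entry stays an infection, and spells Perl's \z anchor as Python's \Z.

```python
import re

# Ordered (pattern, spam score) table mirroring the @virus_name_to_spam_score_maps
# entries from the post; None stands for Perl's undef (keep the hit as an infection).
# Perl's \z end-of-string anchor is spelled \Z in Python's re module.
VIRUS_NAME_TO_SPAM_SCORE = [
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.', None),
    (r'^Sanesecurity(\.[^., ]*)*\.', 0.1),
    (r'^Sanesecurity_PhishBar_', 0),
    (r'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.', 0),
    (r'^(MSRBL-Images/|MSRBL-SPAM\.)', 0.1),
    (r'^MBL_', None),
    (r'^VX\.Honeypot-SecuriteInfo\.com\.Joke', 0.1),
    (r'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\Z)', 0.1),
    (r'^Email\.Spam.*-SecuriteInfo\.com(\.|\Z)', 0.1),
    (r'-SecuriteInfo\.com(\.|\Z)', None),
]

def first_match(virus_name, table=VIRUS_NAME_TO_SPAM_SCORE):
    """Index of the first table entry whose pattern matches, or -1 if none does."""
    for i, (pattern, _score) in enumerate(table):
        if re.search(pattern, virus_name):
            return i
    return -1

def classify(virus_name, table=VIRUS_NAME_TO_SPAM_SCORE):
    """'infected' when the first matching entry is None (undef) or when nothing
    matches (assumption: an unmatched name keeps its infected status, as in
    amavisd); otherwise the spam score that entry assigns."""
    i = first_match(virus_name, table)
    if i < 0 or table[i][1] is None:
        return 'infected'
    return table[i][1]

if __name__ == '__main__':
    # Constructed sample names; only the Phishing.Rdi one comes from the thread.
    # The last one is an old-format name: it matches nothing and stays blocked.
    for name in ('Sanesecurity.Phishing.Rdi.5.UNOFFICIAL',
                 'Sanesecurity.Malware.12345.UNOFFICIAL',
                 'Sanesecurity_PhishBar_1',
                 'Email.Spam.Bounce.Sanesecurity.77.UNOFFICIAL',
                 'Email.Spam.Lottery-SecuriteInfo.com.23',
                 'Trojan.Dropper-SecuriteInfo.com.9',
                 'Html.Phishing.Rdi.Gen001.Sanesecurity.06030200.UNOFFICIAL'):
        print(f'{name:60} -> entry {first_match(name):2d} -> {classify(name)}')
    # Swapping the first two entries shows why the order matters: a Malware
    # signature would then be demoted to a 0.1 spam score instead of blocked.
    swapped = VIRUS_NAME_TO_SPAM_SCORE[1::-1] + VIRUS_NAME_TO_SPAM_SCORE[2:]
    print(classify('Sanesecurity.Malware.12345.UNOFFICIAL', swapped))
```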
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/