Mark,

On 10/28/08 1:03 PM, Mark Martinec wrote:
> Gary, Mike,
>
> Took me a while, but now I plunged into updating my third-party
> signatures for clamd. This is what I came up with:

Good stuff - more below...

>
> (amavisd.conf):
>
> @virus_name_to_spam_score_maps =
>   (new_RE(  # the order matters!
>     [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],  # keep as infected
>     [ qr'^Sanesecurity(\.[^., ]*)*\.' => 0.1 ],
>     [ qr'^Sanesecurity_PhishBar_' => 0 ],
>     [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
>     [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
>     [ qr'^MBL_' => undef ],  # keep as infected
>     [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
>     [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
>     [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
>     [ qr'-SecuriteInfo\.com(\.|\z)' => undef ],  # keep as infected
>   ));
> # Sanesecurity       http://www.sanesecurity.co.uk/
> # MSRBL-             http://www.msrbl.com/site/contact
> # MBL                http://www.malware.com.br/index.shtml
> # -SecuriteInfo.com  http://clamav.securiteinfo.com/malwares.html
>
> Actually the /^MBL_/ and /-SecuriteInfo\.com(\.|\z)/ rules are
> redundant, but help document the fact that these malware names
> are intentionally NOT converted to spam, but kept as virus names.
>
>
> and accompanying SpamAssassin rules
> (local.cf, watch for line wraps by your MUA):
>
> header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
> header L_AV_SS_Phish X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
> header L_AV_SS_Malware X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
> header L_AV_SS_Scam X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
> header L_AV_SS_Spam X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.}
> header L_AV_SS_Hdr X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
> header L_AV_SS_Img X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
> header L_AV_SS_Bounce X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
> header __L_AV_SS X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
> meta L_AV_SS_other __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
> header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images/}
> header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
> header L_AV_MBL X-Amavis-AV-Status =~ m{\bAV:MBL_}
> header L_AV_SecInf X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
>
> score L_AV_Phish 14

This one (L_AV_Phish) is missing a header rule above. Did you mean this
to be __L_AV_SS instead?

> score L_AV_SS_Phish 5
> score L_AV_SS_PhishBar 0.5
> score L_AV_SS_Scam 8
> score L_AV_SS_Spam 8
> score L_AV_SS_Hdr 6
> score L_AV_SS_Img 3.5
> score L_AV_SS_Bounce 0.1
> score L_AV_SS_other 1
> score L_AV_SS_Malware 14
> score L_AV_MBL 14
> score L_AV_MSRBL_Img 3.5
> score L_AV_MSRBL_Spam 6
> score L_AV_SecInf 8
>
>
> The reason for keeping scoring with SpamAssassin and not as score boost
> in amavisd is to let SpamAssassin's autolearning (Bayes and AWL) benefit
> from the final score. Also it plays better with cached scores in amavisd.

I recall reading this good advice in the RELEASE_NOTES.
Your post here prompted me to finally convert. Thanks.

Mike

>
>   Mark

_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
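
The first-match behaviour behind the "the order matters!" comment in the quoted amavisd.conf table, as an added example that is not part of the original thread and is not amavisd's own code. It assumes the first matching entry decides and that undef leaves the name as a virus; the lookup and verdict helpers and the signature names are constructed for illustration.

```perl
use strict;
use warnings;

# Entries copied from the quoted amavisd.conf table; undef = keep as infected.
my @table = (
  [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],
  [ qr'^Sanesecurity(\.[^., ]*)*\.' => 0.1 ],
  [ qr'^Sanesecurity_PhishBar_' => 0 ],
  [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
  [ qr'^MBL_' => undef ],
  [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
  [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
  [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
  [ qr'-SecuriteInfo\.com(\.|\z)' => undef ],
);

# Assumed semantics (hypothetical helper): the first matching entry decides.
# Returns (index of the deciding entry or -1, its score or undef).
sub lookup {
  my ($name, @rules) = @_;
  for my $i (0 .. $#rules) {
    my ($re, $score) = @{ $rules[$i] };
    return ($i, $score) if $name =~ $re;
  }
  return (-1, undef);
}

# Turn a lookup result into a readable verdict.
sub verdict {
  my ($name, @rules) = @_;
  my ($i, $score) = lookup($name, @rules);
  return defined $score ? "spam score $score (entry $i)"
       : $i >= 0        ? "infected (entry $i)"
       :                  "infected (no entry matched)";
}

# Constructed signature names, not taken from any real database.
my @names = qw(
  Sanesecurity.Malware.0001.UNOFFICIAL
  Sanesecurity.Phishing.Bank.0001.UNOFFICIAL
  Sanesecurity_PhishBar_0001  MBL_0001
  Email.Spam.Gen0001-SecuriteInfo.com
  Trojan.Example-SecuriteInfo.com.UNOFFICIAL
);

# Same table with its first two entries swapped, to show why order matters.
my @swapped = (@table[1, 0], @table[2 .. $#table]);
printf "%-45s %-28s %s\n", 'name', 'as posted', 'first two swapped';
printf "%-45s %-28s %s\n", $_, verdict($_, @table), verdict($_, @swapped)
  for @names;
```

With the swapped order the general Sanesecurity entry catches the Malware name first and demotes it to a 0.1 spam score, which is the failure the ordering in the posted table prevents.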
