> On 1/15/09, Eddy Beliveau wrote:
>> Hi! Networkers,
>>
>> We are using, with success, amavisd-new + clamav
>>
>> We are using http://www200.pair.com/mecham/spam/amavis-sanesecurity_v2.cf
>> for scoring based on clamav analysis.
>>
>> Lately, we notice, in our logs, that some email hits the rule
>> AV:Phishing.Heuristics.Email.SpoofedDomain
>> which scores as 0.1, but amavis-sanesecurity_v2.cf does not hit the
>> rule L_AV_Phish

The AV:Phishing.Heuristics.Email.SpoofedDomain is a ClamAV heuristically determined spoofed domain. It is fairly prone to false positives, so it might not be a good idea to place it in the meta-group L_AV_Phish, which are signature-based. Heuristic checks should have low scores so that a false positive doesn't count too much against the spam score. See: https://wiki.clamav.net/Main/MalwareNaming

>>
>> So I edit that cf file with the following difference:
>>
>> @@ -1,4 +1,4 @@
>> -header L_AV_Phish X-Amavis-AV-Status =~
>> m{\bAV:(Email|HTML)\.Phishing\.}i
>> +header L_AV_Phish X-Amavis-AV-Status =~
>> m{\bAV:(|(Email|HTML)\.)Phishing\.}i
>>

You can consider creating a separate rule if you just want to increase the score of heuristic spoofed domain checks.

>> Cheers,
>> Eddy
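
Review bot: In the `+` line, the empty alternative in `(|(Email|HTML)\.)` makes the whole prefix optional, so L_AV_Phish now matches every name that starts with `AV:Phishing.`, which covers all `Phishing.Heuristics.*` detections and not only the SpoofedDomain hit this was written for. That folds heuristic results into a rule that previously matched only `Email.Phishing.` and `HTML.Phishing.` names. Suggest keeping the pattern from the `-` line and adding a second header rule anchored on `\bAV:Phishing\.Heuristics\.` with its own score; if the widening is intended, `(?:(?:Email|HTML)\.)?` states the optional prefix more readably than an empty alternation.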
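
The reply's suggestion of a separate rule for heuristic detections can be checked offline before editing the .cf file. This is an added example, not part of the thread: the rule name `L_AV_PhishHeur`, its pattern, and every sample value except the SpoofedDomain name are assumptions constructed for illustration.

```python
import re

# Patterns copied from the thread (Perl m{...}i translated to re.I).
ORIGINAL = re.compile(r"\bAV:(Email|HTML)\.Phishing\.", re.I)
PATCHED = re.compile(r"\bAV:(|(Email|HTML)\.)Phishing\.", re.I)
# Hypothetical separate rule for heuristic detections only
# (name and pattern are assumptions, not from the thread).
HEURISTIC = re.compile(r"\bAV:Phishing\.Heuristics\.", re.I)

# Three candidate configurations: rule name -> pattern.
RULESETS = {
    "original": {"L_AV_Phish": ORIGINAL},
    "patched": {"L_AV_Phish": PATCHED},
    "separate": {"L_AV_Phish": ORIGINAL, "L_AV_PhishHeur": HEURISTIC},
}

# Constructed X-Amavis-AV-Status values; only the first name appears in the thread.
SAMPLES = [
    "AV:Phishing.Heuristics.Email.SpoofedDomain",
    "AV:Email.Phishing.Constructed-1",
    "AV:HTML.Phishing.Constructed-2",
    "AV:Phishing.Heuristics.Constructed.Other",
]


def hits(ruleset, status):
    """Return the sorted names of the rules in `ruleset` that fire on `status`."""
    return sorted(name for name, rx in RULESETS[ruleset].items() if rx.search(status))


def report():
    """Map each ruleset to the rules it fires for every sample value."""
    return {rs: {s: hits(rs, s) for s in SAMPLES} for rs in RULESETS}


if __name__ == "__main__":
    for rs, rows in report().items():
        print(rs)
        for status, fired in rows.items():
            print(f"  {status:45} -> {fired or '-'}")
```

With the separate rule, signature-based names still fire only L_AV_Phish, and heuristic names fire only the new rule, so each can carry its own score.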