Dear Steffen,

I am replying to this on the amavis-user list, which would be a better option than the sanesecurity list.
We had a similar problem, but we were unable to reproduce it. If you can reproduce the issue, I think Mark Martinec would be really happy. We were running amavisd-new in debug mode for 14 days and none of this happened ... If you have any additional logs and version information, let Mark know about it.

cheers,
Jernej

Steffen Ille wrote:
> I've received an E-Mail with PayPal Phishing content.
> In Amavis I now use Virus Name to Spam Score Maps, so
> the Mail should be marked as Spam, not as Virusmail.
>
> ClamAV Logfile:
> -- snipp --
> ClamAV: Sanesecurity.Phishing.Bank.3132.UNOFFICIAL FOUND
> -- snipp --
>
> amavisd.conf:
> -- snipp --
> @virus_name_to_spam_score_maps =
>   (new_RE( # the order matters!
>     [ qr'^Phishing\.' => 5.0 ],
>     [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 5.0 ],
>     [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 5.0 ],
>     [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],
>     [ qr'^Sanesecurity\.' => 5.0 ],
>     [ qr'^Sanesecurity_PhishBar_' => 5.0 ],
>     [ qr'^Sanesecurity.TestSig_' => 5.0 ],
>     [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 5.0 ],
>     [ qr'^Email\.Spammail\b' => 5.0 ],
>     [ qr'^MSRBL-(Images|SPAM)\b' => 5.0 ],
>     [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 5.0 ],
>     [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)'=> 5.0 ],
>     [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 5.0 ],
>     [ qr'^Safebrowsing\.' => 5.0 ],
>     [ qr'^winnow\.(phish|spam)\.' => 5.0 ],
>     [ qr'^INetMsg\.SpamDomain' => 5.0 ],
>     [ qr'-SecuriteInfo\.com(\.|\z)' => undef ],
>     [ qr'^MBL_NA\.UNOFFICIAL' => 3.0 ],
>     [ qr'^MBL_' => undef ],
>   ));
> -- snipp --
>
> But it isn't - I got a "VIRUS () in mail TO YOU from ... " Message.
> Now I've got 2 Questions:
>
> 1) Why didn't the Rule [ qr'^Sanesecurity\.' => 5.0 ], match it?
> I think this Expression should match the Virusname?
>
> 2) Why isn't the Virusname reported correctly? The Mail should be
> "VIRUS (Sanesecurity.Phishing.Bank.3132.UNOFFICIAL) in mail TO YOU from
> ..."
> and not blank ()? I've tested this with Eicar and there it works.
>
> amavisd.conf:
> -- snipp --
> @av_scanners = (
>   ['ClamAV-clamd',
>     \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>     qr/\bOK$/m, qr/\bFOUND$/m,
>     qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>
>   ['Avira AntiVir', ['avscan'],
>     '-s --batch --alert-action=none {}', [0], qr/FUND:/,
>     qr/FUND: ([^;.]+) ;/m ],
> );
>
> @av_scanners_backup = (
>   ['ClamAV-clamscan', 'clamscan',
>     "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
>     [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>
>   ['always-clean', sub {0}],
> );
> -- snipp --
>
> Any help and/or hints would be appreciated.
>
> Cheers,
> Steffen

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
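
An added example, not part of the original thread and not amavisd-new code: a stand-alone Perl check that runs the two regex stages from the quoted configuration offline, first the name-extraction pattern from the ClamAV-clamd entry, then a subset of the score map in its quoted order. It assumes the first matching rule wins (as the "order matters" comment indicates) and that `undef` keeps the message classified as infected; `first_match`, the file paths and the `Sanesecurity.Malware.0000` name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Name-extraction regex copied from the ClamAV-clamd entry in @av_scanners.
my $name_re = qr/^.*?: (?!Infected Archive)(.*) FOUND$/m;

# A subset of the quoted @virus_name_to_spam_score_maps, in the same order.
my @score_map = (
  [ qr'^Phishing\.'                                 => 5.0   ],
  [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 5.0   ],
  [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'     => undef ],
  [ qr'^Sanesecurity\.'                             => 5.0   ],
  [ qr'^MBL_NA\.UNOFFICIAL'                         => 3.0   ],
  [ qr'^MBL_'                                       => undef ],
);

# Hypothetical helper: return (index, score) of the first matching rule,
# or an empty list when no rule matches.
sub first_match {
  my ($name) = @_;
  for my $i (0 .. $#score_map) {
    my ($re, $score) = @{ $score_map[$i] };
    return ($i, $score) if $name =~ $re;
  }
  return;
}

# Constructed scanner replies; the file paths are placeholders.
my @replies = (
  "/tmp/parts/p001: Sanesecurity.Phishing.Bank.3132.UNOFFICIAL FOUND\n",
  "/tmp/parts/p002: Sanesecurity.Malware.0000.UNOFFICIAL FOUND\n",
  "/tmp/parts/p003: Eicar-Test-Signature FOUND\n",
  "/tmp/parts/p004: OK\n",
);

for my $reply (@replies) {
  chomp(my $shown = $reply);
  my ($name) = $reply =~ $name_re;   # undef when the reply carries no name
  if (!defined $name) { print "$shown\n  -> no name captured\n"; next }
  my ($idx, $score) = first_match($name);
  my $verdict = !defined $idx   ? 'no rule matched, stays a virus'
              : !defined $score ? "rule $idx => undef, stays a virus"
              :                   "rule $idx => spam score $score";
  print "$shown\n  -> name '$name': $verdict\n";
}
```

Feeding it the exact reply text from a debug-level amavisd log, in place of the constructed lines, shows whether an empty name comes from the extraction stage or from the map lookup.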