Steffen,

> I've received an E-Mail with PayPal Phishing content.
> In Amavis I now use Virus Name to Spam Score Maps, so
> the Mail should be marked as spam, not as Virusmail.
>
> ClamAV Logfile:
> ClamAV: Sanesecurity.Phishing.Bank.3132.UNOFFICIAL FOUND
>
> amavisd.conf:
> @virus_name_to_spam_score_maps =
>   (new_RE(  # the order matters!
>     [ qr'^Phishing\.' => 5.0 ],
>     [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 5.0 ],
>     [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 5.0 ],
>     [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],
>     [ qr'^Sanesecurity\.' => 5.0 ],
>     [ qr'^Sanesecurity_PhishBar_' => 5.0 ],
>     [ qr'^Sanesecurity.TestSig_' => 5.0 ],
>     [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 5.0 ],
>     [ qr'^Email\.Spammail\b' => 5.0 ],
>     [ qr'^MSRBL-(Images|SPAM)\b' => 5.0 ],
>     [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 5.0 ],
>     [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 5.0 ],
>     [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 5.0 ],
>     [ qr'^Safebrowsing\.' => 5.0 ],
>     [ qr'^winnow\.(phish|spam)\.' => 5.0 ],
>     [ qr'^INetMsg\.SpamDomain' => 5.0 ],
>     [ qr'-SecuriteInfo\.com(\.|\z)' => undef ],
>     [ qr'^MBL_NA\.UNOFFICIAL' => 3.0 ],
>     [ qr'^MBL_' => undef ],
>   ));
>
> But it isn't - I got a "VIRUS () in mail TO YOU from ... " Message.
> Now I've got 2 Questions:
>
> 1) Why the Rule [ qr'^Sanesecurity\.' => 5.0 ], didn't match it?
> I think this Expression should match the Virusname?

Because the captured virus name was empty for some reason, so it
couldn't match the @virus_name_to_spam_score_maps list.

> 2) why the Virusname isn't reported correctly?

Yes, that's the core issue here. The #1 is just a consequence.

> The Mail should be
> "VIRUS (Sanesecurity.Phishing.Bank.3132.UNOFFICIAL) in mail TO YOU from
> ... "
> and not blank ()? I've tested this with Eicar and there it works.
>
> amavisd.conf:
> @av_scanners = (
>   ['ClamAV-clamd',
>     \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>     qr/\bOK$/m, qr/\bFOUND$/m,
>     qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>
>   ['Avira AntiVir', ['avscan'],
>     '-s --batch --alert-action=none {}', [0], qr/FUND:/,
>     qr/FUND: ([^;.]+) ;/m ],
> );

Looks like the regexp:
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
failed to collect a virus name from the output of a virus scanner -
it should have been captured in $1, i.e. in the (.*) part of the
regular expression. Please examine the log at log level 5 (or 4) and
see what actually comes from a virus scanner, and check the above
regexp if it can really capture the virus name from the returned
string. I suspect the culprit lies there.

One possibility would be if the final /m flag in '...FOUND$/m' were
missing, like in the case reported by Christian Meyer, although in
your shown AV entry this looks alright.

Jernej Porenta writes:
> I am replying this to amavis-user list, which would be better option
> than sanesecurity list.
>
> We had similar problem, but we were unable to reproduce it. If you can
> reproduce the issue, I think Mark Martinec would be really happy. We
> were running amavisd-new running in debug mode for 14 days and none of
> this happened ...
>
> If you have any additional logs and version information, let Mark know
> about it.

This is a different issue.

In Jernej's case the virus name was properly collected from a response
of a virus scanner, as the log from his posting shows, it just failed
to match with the @virus_name_to_spam_score_maps list for some (still
unknown) reason:

Apr 27 08:59:26 avs3 amavis[8589]: (08589-03) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20090427T083452-08589/parts INFECTED: winnow.phish.pt.paypal.m248493.UNOFFICIAL
Apr 27 08:59:26 avs3 amavis[8589]: (08589-03) virus_scan: (winnow.phish.pt.paypal.m248493.UNOFFICIAL), detected by 1 scanners: ClamAV-clamd
Apr 27 08:59:26 avs3 amavis[8589]: (08589-03) Virus winnow.phish.pt.paypal.m248493.UNOFFICIAL matches (?-xism:^), sender addr ignored
Apr 27 08:59:26 avs3 amavis[8589]: (08589-03) Blocked INFECTED (winnow.phish.pt.paypal.m248493.UNOFFICIAL), [...]

  Mark
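As an added example (not code from this thread or from amavisd-new), the Perl script below replays the check Mark suggests: it runs the ClamAV-clamd capture regexp from the thread over a constructed CONTSCAN reply, once with and once without the `/m` flag, and then feeds the captured name (or the empty name that results when nothing is captured) through a simplified stand-in for the `@virus_name_to_spam_score_maps` lookup. The lookup assumes first match wins and that an `undef` score leaves the name classified as a virus; the sample output lines are constructed, not taken from a real clamd.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed clamd CONTSCAN reply over a parts directory, one line per file.
my $clamd_output =
    "/var/amavis/tmp/parts/p001: OK\n" .
    "/var/amavis/tmp/parts/p002: Sanesecurity.Phishing.Bank.3132.UNOFFICIAL FOUND\n";

# Capture regexp from the ClamAV-clamd entry above, with and without the /m flag.
my $capture_m   = qr/^.*?: (?!Infected Archive)(.*) FOUND$/m;
my $capture_nom = qr/^.*?: (?!Infected Archive)(.*) FOUND$/;

# Everything the regexp captures as $1 across the whole scanner output.
sub captured_names {
    my ($output, $re) = @_;
    return ($output =~ /$re/g);
}

# Subset of the map from the thread; first matching entry wins. An undef
# score is assumed here to mean "leave it classified as a virus".
my @virus_name_to_spam_score = (
    [ qr'^Phishing\.'                             => 5.0   ],
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],
    [ qr'^Sanesecurity\.'                         => 5.0   ],
    [ qr'^MBL_NA\.UNOFFICIAL'                     => 3.0   ],
    [ qr'^MBL_'                                   => undef ],
);

sub spam_score_for {
    my ($virname) = @_;
    for my $entry (@virus_name_to_spam_score) {
        my ($re, $score) = @$entry;
        return $score if $virname =~ $re;
    }
    return;   # no entry matched: stays a virus
}

for my $case ([ 'with /m' => $capture_m ], [ 'without /m' => $capture_nom ]) {
    my ($label, $re) = @$case;
    my @names = captured_names($clamd_output, $re);
    printf "%-10s captured: (%s)\n", $label, join(', ', @names);
    # amavisd ends up with an empty name when nothing was captured
    my $virname = @names ? $names[0] : '';
    my $score   = spam_score_for($virname);
    printf "%-10s name '%s' -> %s\n", $label, $virname,
        defined $score ? "spam score $score" : "no spam score, stays VIRUS";
}
```

Without `/m`, `$` only anchors at the very end of the multi-line reply, so the FOUND line in the middle is never captured and the empty name falls through every map entry, which is exactly the "VIRUS ()" symptom Steffen describes.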