On 9/14/10 6:00 AM, "Alex" <[email protected]> wrote:

> Turns out that it matches underconstruction.networksolutions.com. Is
> it possible to make these signatures score a few points instead of
> being a poison pill, and killing the email entirely?

It depends on how you have glued in clamav and spamassassin.  I use the
following in amavisd as a way to score.  Your mileage may vary:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Phishing\.'                                   => 6.1 ],
    [ qr'^Email\.Spam\d{1,4}-SecuriteInfo'              => 4.1 ],
    [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Phishing|SpearL?)\.'i => 6.1 ],
    [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Spam|Scam)[a-z0-9]?\.'i => 4.6 ],
    [ qr'^Sanesecurity\.(?:Malware|Trojan)\.'             => undef ],
    [ qr'^Sanesecurity\.(?:Test|Rogue)'                 => undef ],
    [ qr'^Sanesecurity\.(?:Hdr|Img|ImgO|Junk|Doc|Casino)\.'x    => 6.1 ],
    [ qr'^Sanesecurity\.(?:Lott|Fake|SpamImg|Job|Stk)\.'x       => 6.1 ],
    [ qr'^Sanesecurity\.(?:Loan|Porn|Bou|Dipl|Cred)\.'x => 6.1 ],
    [ qr'^Sanesecurity\.Jurlbl\.Auto\.'x                => 1.6 ],
    [ qr'^Sanesecurity\.Jurlbl\.'x                      => 2.6 ],
    [ qr'^Sanesecurity\.SpamAttach_'x                   => 4.1 ],
    [ qr'^ScamNailer\.Phish\.'x                         => 2.6 ],
    [ qr'^Doppelstern\.Attachment\.'x                   => 4.1 ],
    [ qr'^Doppelstern\.(?:Job|Junk|Loan|Lott|Phishing|Scam4)\.'x => 2.6 ],
    [ qr'^winnow\.(?:botnets?|phish|complex|mailer)\.'x => 6.1 ],
    [ qr'^winnow\.image\.'x                             => 4.1 ],
    [ qr'^winnow\.spam(?:domain)?\.'x                   => 2.6 ],
    [ qr'^winnow\.(?:malware|trojan|compromised)\.'x    => undef ],
    [ qr'^winnow\.'x                                    => 2.6 ],
    [ qr'^INetMsg\.SpamDomain-2w\.'                     => 3.0 ],
    [ qr'^INetMsg\.'                                    => 2.0 ],
    [ qr'^MSRBL-Images\.'                               => 2.1 ],
    [ qr'^MSRBL-SPAM\.'                                 => 5.1 ],
    [ qr'^MBL_'                             => undef ],  # keep as infected
  ));


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
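
The "# the order matters!" comment in the table above, illustrated with an added stand-alone Perl sketch (not part of the original post and not amavisd's own code). It assumes the first matching pattern decides the result and that undef leaves the hit as a virus detection, as the post's "keep as infected" comment indicates; the signature names are constructed.

```perl
#!/usr/bin/perl
# Added illustration: first-match-wins lookup over an ordered pattern table.
# Stand-alone emulation of the assumed lookup; it does not load amavisd.
use strict;
use warnings;

# Subset of the posted table, in the posted order. undef = keep as infected.
my @posted = (
    [ qr'^Sanesecurity\.(?:Malware|Trojan)\.'        => undef ],
    [ qr'^Sanesecurity\.Jurlbl\.Auto\.'              => 1.6 ],
    [ qr'^Sanesecurity\.Jurlbl\.'                    => 2.6 ],
    [ qr'^winnow\.(?:malware|trojan|compromised)\.'  => undef ],
    [ qr'^winnow\.'                                  => 2.6 ],
);

# Same rules with each broad pattern moved ahead of its specific one.
my @misordered = @posted[0, 2, 1, 4, 3];

# Return (pattern, score) of the first matching rule, or an empty list.
sub lookup {
    my ($name, @table) = @_;
    for my $rule (@table) {
        my ($re, $score) = @$rule;
        return ($re, $score) if $name =~ $re;
    }
    return;    # no rule matched: the table says nothing about this name
}

sub describe {
    my ($name, @table) = @_;
    my ($re, $score) = lookup($name, @table);
    return "$name: no rule matched" unless defined $re;
    return defined $score ? "$name: spam score $score"
                          : "$name: kept as infected";
}

# Constructed signature names, for illustration only.
my @names = (
    'Sanesecurity.Jurlbl.Auto.000001',
    'Sanesecurity.Jurlbl.000002',
    'winnow.malware.000003',
    'winnow.other.000004',
);

print "Order as posted:\n";
print '  ', describe($_, @posted), "\n" for @names;
print "Broad patterns first:\n";
print '  ', describe($_, @misordered), "\n" for @names;
```

With the broad patterns first, the constructed winnow.malware name is handed a 2.6 spam score instead of staying a virus detection, and the Jurlbl.Auto name gets 2.6 instead of 1.6, so every undef rule has to sit above any catch-all that would also match it.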
