Re: razor and pyzor
On Sunday 13 May 2007 23:25, Gary V wrote: On Sunday 13 May 2007 12:28, Gary V wrote: Thanks for the excellent notes! Then run 'pyzor discover'. This creates /root/.pyzor/servers which is a file that contains the IP address and port to the main pyzor server. Don't use that server. Edit and change to 82.94.255.100:24441 Why? -- Phil Barnett Pyzor is not actively maintained. It has not been for a while. All new pyzor installations use the main pyzor server. That server is overloaded and queries will often time out (5 seconds wasted). Some generous person (Milton?) created a mirror a while ago and it responds much quicker. The mailing list archives tell the tale: https://sourceforge.net/mailarchive/forum.php?forum_name=pyzor-users Gary V Do you mind if I include your notes with attribution to my document on building a MailServer applicance? -- Phil Barnett AI4OF SKCC #600
PYZOR /Msg with attachments
I see the Pyzor rule often hitting msgs without body content which include an attachment (.doc, .xls, etc.). Anybody else? Thanks Alex
Spamd
Hello Group/Everyone, I am trying to set up SPAMD on Fedora Core but no luck. I would appreciate it if anyone can point to the documentation which guides through step-by-step to get started with Spamd :-) I will appreciate any help. -- Sunil
Re: razor and pyzor
Phil Barnett wrote: On Sunday 13 May 2007 23:25, Gary V wrote: On Sunday 13 May 2007 12:28, Gary V wrote: Thanks for the excellent notes! Then run 'pyzor discover'. This creates /root/.pyzor/servers which is a file that contains the IP address and port to the main pyzor server. Don't use that server. Edit and change to 82.94.255.100:24441 Why? -- Phil Barnett Pyzor is not actively maintained. It has not been for a while. All new pyzor installations use the main pyzor server. That server is overloaded and queries will often time out (5 seconds wasted). Some generous person (Milton?) created a mirror a while ago and it responds much quicker. The mailing list archives tell the tale: https://sourceforge.net/mailarchive/forum.php?forum_name=pyzor-users Gary V Do you mind if I include your notes with attribution to my document on building a MailServer applicance? Will your notes be available online? // ouT
Does anyone catch this....
http://www.coders.co.uk/slipped.through.txt It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) running on recent versions of MailScanner cheers Matt
Re: Does anyone catch this....
On Mon, May 14, 2007 11:32, Matt Hampton wrote: http://www.coders.co.uk/slipped.through.txt It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) running on recent versions of MailScanner The ClamAV engine tends to work well on a large number of that type of phish. Local testing shows DCC hitting it, but that's about it. Doesn't help that Halifax don't publish SPF records.
create script sa-learn
Hi all, I need help creating a script that reads the .Trainings folder inside the user's Maildir and trains it as spam. Right after the training, the same script has to move the message to the Inbox of a user called Spam. One of the problems is the use of vpopmail: its users are not recorded in the /etc/shadow file. Suggestions on how to put this script together are welcome. System info: FreeBSD 6.1, SpamAssassin 3.1.x, Vpopmail. Thanks, Bruno Oliveira.
Re: Does anyone catch this....
On Mon, 14 May 2007, Duncan Hill wrote: From: Duncan Hill [EMAIL PROTECTED] To: users@spamassassin.apache.org Date: Mon, 14 May 2007 11:41:24 +0100 (BST) Subject: Re: Does anyone catch this On Mon, May 14, 2007 11:32, Matt Hampton wrote: http://www.coders.co.uk/slipped.through.txt It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) running on recent versions of MailScanner The ClamAV engine tends to work well on a large number of that type of phish. Local testing shows DCC hitting it, but that's about it. Doesn't help that Halifax don't publish SPF records. In particular the Sanesecurity additions to ClamAV detect this as: Html.Phishing.Bank.Sanesecurity.06030604 We've detected (and rejected) over 1300 copies of this particular phishing scam over the last couple of weeks or so. -- Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK [EMAIL PROTECTED] Phone: +44 1225 386101
Re: Does anyone catch this....
Dennis Davis wrote: On Mon, 14 May 2007, Duncan Hill wrote: From: Duncan Hill [EMAIL PROTECTED] To: users@spamassassin.apache.org Date: Mon, 14 May 2007 11:41:24 +0100 (BST) Subject: Re: Does anyone catch this On Mon, May 14, 2007 11:32, Matt Hampton wrote: http://www.coders.co.uk/slipped.through.txt It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) running on recent versions of MailScanner The ClamAV engine tends to work well on a large number of that type of phish. Local testing shows DCC hitting it, but that's about it. Doesn't help that Halifax don't publish SPF records. In particular the Sanesecurity additions to ClamAV detect this as: Html.Phishing.Bank.Sanesecurity.06030604 We've detected (and rejected) over 1300 copies of this particular phishing scam over the last couple of weeks or so. Link: http://sanesecurity.co.uk/clamav/usage.htm For Debian the example script (Example 1) had to be fixed (paths don't match), don't know if you need to fix it for other distros too ... For testing use the sample phishing attachment. -- hth MH Don't send mail to: [EMAIL PROTECTED] --
RE: Does anyone catch this....
-Original Message- From: Matthias Haegele [mailto:[EMAIL PROTECTED] Sent: Monday, May 14, 2007 8:30 AM To: SpamAssassin Subject: Re: Does anyone catch this Dennis Davis wrote: On Mon, 14 May 2007, Duncan Hill wrote: From: Duncan Hill [EMAIL PROTECTED] To: users@spamassassin.apache.org Date: Mon, 14 May 2007 11:41:24 +0100 (BST) Subject: Re: Does anyone catch this On Mon, May 14, 2007 11:32, Matt Hampton wrote: http://www.coders.co.uk/slipped.through.txt It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) running on recent versions of MailScanner The ClamAV engine tends to work well on a large number of that type of phish. Local testing shows DCC hitting it, but that's about it. Doesn't help that Halifax don't publish SPF records. In particular the Sanesecurity additions to ClamAV detect this as: Html.Phishing.Bank.Sanesecurity.06030604 We've detected (and rejected) over 1300 copies of this particular phishing scam over the last couple of weeks or so. Link: http://sanesecurity.co.uk/clamav/usage.htm For Debian the example script (Example 1) had to be fixed (paths don't match), don't know if you need to fix it for other distros too ... For testing use the sample phishing attachment. I just sent Steve an updated script that accommodates the trailing back slash the debian adds to the clam db dir in the debug output and add -m 1 to the grep so it short circuits finding the clam db dir (so it now takes less than a second), and I added rsync for the MSRBL-* files since that site not only supports it but prefers it be handled that way. I would imagine Steve will have it up sometime today, I have been testing it since he made the last change to the mirroring methods last week. Rick
Re: Does anyone catch this....
Rick Cooper wrote: -Original Message- From: Matthias Haegele [mailto:[EMAIL PROTECTED] Sent: Monday, May 14, 2007 8:30 AM To: SpamAssassin Subject: Re: Does anyone catch this Dennis Davis wrote: On Mon, 14 May 2007, Duncan Hill wrote: From: Duncan Hill [EMAIL PROTECTED] To: users@spamassassin.apache.org Date: Mon, 14 May 2007 11:41:24 +0100 (BST) Subject: Re: Does anyone catch this On Mon, May 14, 2007 11:32, Matt Hampton wrote: http://www.coders.co.uk/slipped.through.txt It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) running on recent versions of MailScanner The ClamAV engine tends to work well on a large number of that type of phish. Local testing shows DCC hitting it, but that's about it. Doesn't help that Halifax don't publish SPF records. In particular the Sanesecurity additions to ClamAV detect this as: Html.Phishing.Bank.Sanesecurity.06030604 We've detected (and rejected) over 1300 copies of this particular phishing scam over the last couple of weeks or so. Link: http://sanesecurity.co.uk/clamav/usage.htm For Debian the example script (Example 1) had to be fixed (paths don't match), don't know if you need to fix it for other distros too ... For testing use the sample phishing attachment. I just sent Steve an updated script that accommodates the trailing back slash the debian adds to the clam db dir in the debug output and add -m 1 to the grep so it short circuits finding the clam db dir (so it now takes less than a second), and I added rsync for the MSRBL-* files since that site not only supports it but prefers it be handled that way. I would imagine Steve will have it up sometime today, I have been testing it since he made the last change to the mirroring methods last week. Ralf Hildebrandt's blog contains a download link to the (working) script: http://www.amazon.com/gp/blog/A1XJVH38GHOSHB Thanks again for the good work... Rick -- Grüsse/Greetings MH Don't send mail to: [EMAIL PROTECTED] --
Re: razor and pyzor
On Monday 14 May 2007 06:20, Mikael Syska wrote: Will your notes be available online ? Yes. -- Phil Barnett AI4OF SKCC #600
Re: razor and pyzor
Do you mind if I include your notes with attribution to my document on building a MailServer applicance? -- Phil Barnett No, of course I don't mind, and credit isn't necessary. But thanks. Gary V
spamc -H favors one host (v3.2.0)
We have just upgraded from v3.1.8 to v3.2.0. We invoke spamc as follows:

    spamc -H -E -t 180 -s 20 -d spamd.ornl.gov

    # nslookup spamd.ornl.gov
    Name:spamd.ornl.gov
    Addresses: 160.91.4.92, 160.91.1.172

This used to connect equally to the two hosts, but now it makes almost all the connections to one host (.92). Has the host randomization logic changed? Is it broken?
Re: Massive Spam Attack?
On Sun, 13 May 2007, Jason Frisvold wrote: Here's a sample of the hits I'm getting ... As you can see, it's a bunch of different IPs in various ranges.. I've decided to just block the ranges at this point.. I have no idea if there's anything legit in there, but I'll take that risk...

    baseball142.pamwheeled.com (66.96.245.142)
    baseball15.hammersmoky.com (66.96.245.15)
    baseball167.pamwheeled.com (66.96.245.167)
    baseball168.pamwheeled.com (66.96.245.168)
    baseball184.itlivestock.com (66.96.245.184)

This looks like what is being called Snowshoe spammers on Spam-L. They will have a rather large block and just cycle through until their whole space is used up, then get more. Block liberally. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: Massive Spam Attack?
On Sun, 13 May 2007, Jason Frisvold wrote: later112.itbobble.com (216.74.88.112) source238.wearisen.com (216.74.120.238) You can safely block all of 216.74.64.0/18 -- that's 216.75.64 - 216.74.127 == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: Massive Spam Attack?
On 5/14/07, Christopher X. Candreva [EMAIL PROTECTED] wrote: This looks like what is being called Snowshoe spammers on Spam-L. They will have a rather large block and just cycle through until their whole space is used up, then get more. Ugh.. I had heard about this tactic some time ago, but until recently, I thought that Spamhaus and the other RBLs were blocking these. It boggles my mind that these blocks are not listed in any of the RBLs yet... Block liberally. Done.. And I'm working on an automated system to detect and block these and other similar addresses.. I'll release details when I have it working.. :) == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED] http://blog.godshell.com
RE: Does anyone catch this....
On Mon, 14 May 2007, Rick Cooper wrote: From: Rick Cooper [EMAIL PROTECTED] To: 'SpamAssassin' users@spamassassin.apache.org Date: Mon, 14 May 2007 09:04:57 -0400 Subject: RE: Does anyone catch this ... I just sent Steve an updated script that accommodates the trailing back slash the debian adds to the clam db dir in the debug output and add -m 1 to the grep so it short circuits finding the clam db dir (so it now takes less than a second), and I added rsync for the MSRBL-* files since that site not only supports it but prefers it be handled that way. I would imagine Steve will have it up sometime today, I have been testing it since he made the last change to the mirroring methods last week. [Posted to both the [EMAIL PROTECTED] and users@spamassassin.apache.org mailing lists. Please followup appropriately.] Steve tells me he has just updated the download script on the main site (www.sanesecurity.com). Blog additions are coming, but might not make it until tomorrow. -- Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK [EMAIL PROTECTED] Phone: +44 1225 386101
RE: SA Rules Auto-Update ?
- Original Message - Most common usage is: $ sa-update Or, if you want to see what it's doing: $ sa-update -D Unless you are adding extra channels or doing something strange with it, you shouldn't need more than that. OK, got all those RTFM answers :-) - I get that... But when was this introduced and what is it for and what is a channel? I use RulesDuJour; is this a replacement for that or is it specifically to update the SA rules so we don't have to update the whole package all the time? The man page does not answer these questions. I'm just trying to understand what it is all about. Thanks. Despite the controversy that this seems to have set off... Could someone - anyone - please direct me to someplace that I can read up on my questions... They remain unanswered and the man page simply is a terse usage explanation. I would like to read up on the principle and purpose. Thanks. = Kevin W. Gagel Network Administrator Information Technology Services (250) 562-2131 local 448 My Blog: http://mail.cnc.bc.ca/blogs/gagel --- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. Anti-spam information for CNC can be found at http://avas.cnc.bc.ca ---
RE: SA Rules Auto-Update ?
On Mon, 14 May 2007, Kevin W. Gagel wrote: - Original Message - Most common usage is: $ sa-update Or, if you want to see what it's doing: $ sa-update -D Unless you are adding extra channels or doing something strange with it, you shouldn't need more than that. OK, got all those RTFM answers :-) - I get that... But when was this introduced and what is it for and what is a channel? I use RulesDuJour; is this a replacement for that or is it specifically to update the SA rules so we don't have to update the whole package all the time? The man page does not answer these questions. I'm just trying to understand what it is all about. Thanks. Despite the controversy that this seems to have set off... Could someone - anyone - please direct me to someplace that I can read up on my questions... They remain unanswered and the man page simply is a terse usage explanation. I would like to read up on the principle and purpose. Perhaps this is what you're looking for: http://wiki.apache.org/spamassassin/RuleUpdates
+36% incoming spam
With respect to the previous Monday. Just wondering why. Are they close to vacation and need to raise some money to take their children on vacation? Does anybody know what the pattern behind these things is? Regards, Giampaolo
Re: perl version
Abba Communications wrote: Is there a standard perl version that the SA team aspires to and uses as a baseline of some sort? From the README file: Perl 5.6.1 or a later version is required. -- Kelson Vibber SpeedGate Communications www.speed.net
RE: SA Rules Auto-Update ?
- Original Message - Despite the controversy that this seems to have set off... Could someone - anyone - please direct me to someplace that I can read up on my questions... They remain unanswered and the man page simply is a terse usage explanation. I would like to read up on the principle and purpose. Perhaps this is what you're looking for: http://wiki.apache.org/spamassassin/RuleUpdates Thank you Duane, That was exactly what I was looking for. = Kevin W. Gagel Network Administrator Information Technology Services (250) 562-2131 local 448 My Blog: http://mail.cnc.bc.ca/blogs/gagel --- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. Anti-spam information for CNC can be found at http://avas.cnc.bc.ca ---
Re: perl version
Is there a standard perl version that the SA team aspires to and uses as a baseline of some sort? From the README file: Perl 5.6.1 or a later version is required. But 5.8.8 is the workhorse of the day... Mark
whitelist Limit
Is there a limit to how many entries a whitelist can have and still run efficiently? The box is a PIII 550 512 ram- Its now scanning approx 3000 messages per day- Someone asked me if it was possible to add their entire address book ( roughly 600 addresses) to the whitelist ( we have sitewide config) - currently the whitelist has about 35 addresses. Jean-Paul Natolau Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
sa-compile fails Make
When I run sa-compile, it breaks while trying to run make:

    [EMAIL PROTECTED] ~]$ sudo sa-compile
    [32101] info: generic: base extraction starting. this can take a while...
    [32101] info: generic: extracting from rules of type body_0
    100% [===] 36.75 rules/sec 00m28s DONE
    100% [===] 30.40 bases/sec 01m37s DONE
    [32101] info: body_0: 2404 base strings extracted in 126 seconds
    [...]
    re2c -i -b -o scanner13.c scanner13.re
    /usr/bin/perl5.8.7 Makefile.PL PREFIX=/tmp/.spamassassin32101UQHVCjtmp/ignored INSTALLSITEARCH=/var/lib/spamassassin/compiled/3.002000
    Writing Makefile for Mail::SpamAssassin::CompiledRegexps::body_0
    make
    cp body_0.pm blib/lib/Mail/SpamAssassin/CompiledRegexps/body_0.pm
    /usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp -typemap /usr/lib/perl5/5.8.7/ExtUtils/typemap body_0.xs body_0.xsc
    mv body_0.xsc body_0.c
    make: *** No rule to make target `/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by `body_0.o'. Stop.
    command failed! at /usr/bin/sa-compile line 276.

I have the proper version of re2c mentioned in the FAQ, but this symptom does not match at all.

    [EMAIL PROTECTED] ~]$ rpm - -b -e -F -i -q -t -U -V
    [EMAIL PROTECTED] ~]$ rpm -q re2c
    re2c-0.12.0-0.1.20060mlcs4

I've tried sa-compile on several flavors of Mandriva linux and have had similar results. This particular one is:

    [EMAIL PROTECTED] ~]$ uname -a
    Linux ca.austinenergy.com 2.6.12-29mdk #1 Wed Jan 3 12:05:41 MST 2007 i686 AMD Athlon(tm) XP 2400+ unknown GNU/Linux
    [EMAIL PROTECTED] ~]$ sudo cat /etc/mandriva-release
    Mandriva Linux Corporate Server release 2006.0 (Official) for i586

The package is from cooker, recompiled for Corporate Server 4:

    [EMAIL PROTECTED] ~]$ rpm -q perl-Mail-SpamAssassin
    perl-Mail-SpamAssassin-3.2.0-0.1.20060mlcs4

Any thoughts for getting sa-compile to work would be most appreciated.
Re: 3 spamc questions, version 3.2
On 10 May 2007 at 18:40, Daryl C. W. O'Shea wrote: no one has ideas why the SA3.2 is complaining about having rights to the .spamassassin file when the same non-root user is being used for spamd and spamc ? If I had to guess I'd say that the non-root user doesn't have rights to the .spamassassin file, which is actually a directory, or at least should be. Check your filesystem permissions. Daryl Yes, that was it. The .spamassassin was created prior to the user being assigned to spamd and spamc as the user to use. Thanks!
Re: Spamd
On 14 May 2007 at 15:07, Sunil Chelaramani wrote: Hello Group/Everyone, I am trying to setup SPAMD on Fedora Core but no luck. I would appreciate if anyone can point to the documentation which guides though step-by-step to get started with Spamd :-) I will appreciate any help. -- Are you trying to compile and install from source or with a premade RPM package?
Re: razor and pyzor
On Monday 14 May 2007 09:48, Gary V wrote: Do you mind if I include your notes with attribution to my document on building a MailServer applicance? -- Phil Barnett No, of course I don't mind, and credit isn't necessary. But thanks. Great, now if I can learn how to properly spell applicance, I'll be all set... -- Phil Barnett AI4OF SKCC #600
X-Spam-Status: No, hits=? required=?
Hi all, Anyone know why I see X-Spam-Status: No, hits=? required=? in the email header after delivery and spam scanning? My local.cf file looks like this:

    required_score 8.0
    report_safe 1
    rewrite_header Subject *SPAM*

regards
SA and Amavisd-new 2.5.0
I was reviewing our mail logs and saw items marked as virus infected being delivered to our users with only a junk mail warning. Not good! I investigated and found it's a new feature of Amavisd. You can now set a list of infections that are reclassified as spam. I don't have a problem with that as an option, but the default gives them a spam rating of 0.1, so SA doesn't see much wrong with them. To disable this feature, set @virus_name_to_spam_score_maps = undef; I wonder what other surprises are in there? --- Jerry Durand, Durand Interstellar, Inc. Los Gatos, California, USA tel: +1-408-356-3886, USA Toll Free: 866-356-3886 www.interstellar.com, skype: jerrydurand
RE: SA and Amavisd-new 2.5.0
Not 100% sure I would call this a surprise, as it was discussed on the amavisd-new list and is in README. (and you should join the amavisd-new list where issues like this are discussed since they are not dependent on SA) -- Michael Scheidell, CTO
Re: SA and Amavisd-new 2.5.0
Sorry for the posting on this list, someone mentioned that even though the man for amavisd is essentially empty, this feature is mentioned elsewhere. I only recently got on the amavisd-new announce list so didn't see anything about it. I just don't like seeing users getting mail with low spam scores that ClamAV has already tagged as infected.
RE: SA and Amavisd-new 2.5.0
-Original Message- From: Jerry Durand [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 15, 2007 1:00 AM To: Jerry Durand Cc: users@spamassassin.apache.org Subject: Re: SA and Amavisd-new 2.5.0 Sorry for the posting on this list, someone mentioned that even though the man for amavisd is essentially empty, this feature is mentioned elsewhere. I only recently got on the amavisd-new announce list so didn't see anything about it. It's in release notes as well: http://www.ijs.si/software/amavisd/release-notes.txt I just don't like seeing users getting mail with low spam scores that ClamAV has already tagged as infected.
Re: SA and Amavisd-new 2.5.0
Jerry Durand wrote the following on 5/14/2007 10:00 PM -0800: Sorry for the posting on this list, someone mentioned that even though the man for amavisd is essentially empty, this feature is mentioned elsewhere. I only recently got on the amavisd-new announce list so didn't see anything about it. I just don't like seeing users getting mail with low spam scores that ClamAV has already tagged as infected.

These are not actually infected messages, per se (virus, malware, trojan, etc), they are phish, scan, spam type messages. You can increase the score for these messages either within amavisd.config (these scores will get added to the overall SA score):

    @virus_name_to_spam_score_maps = (new_RE(
      [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 7.5 ],
      [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
      [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 5.5 ],
      [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 5.5 ],
    ));

or by adding rules within SA to monitor and tag based on the headers that Amavisd-New adds to the message.

Mark Martinec posted the following SA rules examples to the amavis list awhile back:

    header L_AV_Phish      X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i
    header L_AV_SS_Phish   X-Amavis-AV-Status =~ m{\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.}
    header L_AV_SS_Scam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)\.Sanesecurity\.}
    header L_AV_SS_Spam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^.]*)*\.Sanesecurity\.}
    header L_AV_SS_Hdr     X-Amavis-AV-Status =~ m{\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.}
    header L_AV_SS_Img     X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.}
    header L_AV_MSRBL_Img  X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
    header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}

    score L_AV_Phish      14
    score L_AV_SS_Phish   -3
    score L_AV_SS_Scam    6
    score L_AV_SS_Spam    6
    score L_AV_SS_Hdr     3
    score L_AV_SS_Img     3
    score L_AV_MSRBL_Img  3
    score L_AV_MSRBL_Spam 6

Watch for line wrapping. Bill
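
An added example, not part of the thread and not amavisd-new or SpamAssassin code: a Python dry run of the map and the header rules posted above, showing what each gives for a few detection names. It assumes the first matching map entry wins (an undef score keeps the name a real infection), that the detection name appears verbatim in X-Amavis-AV-Status, and uses Python's re in place of Perl regexps; every sample name except the Sanesecurity one quoted earlier in the thread is constructed.

```python
import re

# amavisd.conf map as posted above: (regexp, flags, score); None stands for Perl undef.
AMAVIS_MAP = [
    (r"^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.", re.I, 7.5),
    (r"^(Email|Html)\.Malware\.Sanesecurity\.", 0, None),
    (r"^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.", 0, 5.5),
    (r"^(MSRBL-Images/|MSRBL-SPAM\.)", 0, 5.5),
]

# SpamAssassin header rules as posted above: name -> (regexp, flags, score).
SA_RULES = {
    "L_AV_Phish": (r"\b(Email|HTML)\.Phishing\.", re.I, 14),
    "L_AV_SS_Phish": (r"\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.", 0, -3),
    "L_AV_SS_Scam": (r"\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)\.Sanesecurity\.", 0, 6),
    "L_AV_SS_Spam": (r"\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)"
                     r"(\.[^.]*)*\.Sanesecurity\.", 0, 6),
    "L_AV_SS_Hdr": (r"\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.", 0, 3),
    "L_AV_SS_Img": (r"\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.", 0, 3),
    "L_AV_MSRBL_Img": (r"\bMSRBL-Images/", 0, 3),
    "L_AV_MSRBL_Spam": (r"\bMSRBL-SPAM\.", 0, 6),
}


def amavis_lookup(name):
    """Return (entry_index, score) of the first map entry matching a virus name.

    Assumption: first match wins; a None score, or no match at all, means the
    name is still handled as a real infection rather than scored as spam.
    """
    for idx, (pattern, flags, score) in enumerate(AMAVIS_MAP):
        if re.search(pattern, name, flags):
            return idx, score
    return None, None


def sa_hits(av_status):
    """Return {rule: score} for every posted rule that matches the header value."""
    return {rule: score
            for rule, (pattern, flags, score) in SA_RULES.items()
            if re.search(pattern, av_status, flags)}


def sa_total(av_status):
    """Sum of the scores of all matching rules, as SpamAssassin would add them."""
    return sum(sa_hits(av_status).values())


# First name is the one quoted earlier in the thread; the rest are constructed.
SAMPLES = [
    "Html.Phishing.Bank.Sanesecurity.06030604",
    "Email.Malware.Sanesecurity.07010101",    # undef entry must precede the generic one
    "Email.Hdr.Sanesecurity.07010102",        # hits two SA rules at once
    "Email.Scam4.Gen.Sanesecurity.07010103",
    "Email.Scam4.Sanesecurity.07010104",      # Scam rule needs one middle component
    "MSRBL-SPAM.constructed-1",
    "Worm.Constructed-1",                     # matches nothing: stays a virus
]

if __name__ == "__main__":
    for name in SAMPLES:
        idx, score = amavis_lookup(name)
        verdict = "virus" if score is None else f"spam +{score}"
        print(f"{name}\n  amavisd map: entry {idx} -> {verdict}")
        print(f"  SA rules: {sa_hits(name)} total {sa_total(name)}")
```

The overlapping rules are additive in SpamAssassin, so a Sanesecurity phish nets 14 - 3 = 11 and a Hdr name 6 + 3 = 9, while the Scam rule as posted does not fire on a name with no component between the category and "Sanesecurity".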
Re: SA and Amavisd-new 2.5.0
On May 14, 2007, at 10:46 PM, Bill Landry wrote: These are not actually infected messages, per se (virus, malware, trojan, etc), they are phish, scan, spam type messages. You can increase the score for these messages either within amavisd.config (these scores will get added to the overall SA score): I understand they're not true virus files, but the default value of 0.1 is way low and was causing them to be passed on to users. It seems the SA rules to catch these should be in the standard set. I just set the maps to undef, it was easier than writing a bunch of rules. Now they all skip delivery again. Is there any reason SA needs to see these messages? Seems simply deleting them before they even get to SA is faster and does the same thing.