Re: SA and Amavisd-new 2.5.0

Mon, 14 May 2007 22:46:53 -0700 

Jerry Durand wrote the following on 5/14/2007 10:00 PM -0800:
> Sorry for the posting on this list, someone mentioned that even though
> the man for amavisd is essentially empty, this feature is mentioned
> elsewhere.  I only recently got on the amavisd-new announce list so
> didn't see anything about it.
>
> I just don't like seeing users getting mail with low spam scores that
> ClamAV has already tagged as infected.
>
These are not actually infected message, per say (virus, malware,
trojan, etc), they are phish, scan, spam type messages.  You can
increase the score for these messages either within amavisd.config
(these scores will get added to the overall SA score):

@virus_name_to_spam_score_maps =
  (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 7.5 ],
           [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
           [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 5.5 ],
           [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 5.5 ],
  ));

or by adding rules within SA to monitor and tag based on the headers
that Amavisd-New adds to the message.  Mark Martinec posted the
following SA rules examples to the amavis list awhile back:

header L_AV_Phish      X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i
header L_AV_SS_Phish   X-Amavis-AV-Status =~
m{\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Scam    X-Amavis-AV-Status =~
m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)\.Sanesecurity\.}
header L_AV_SS_Spam    X-Amavis-AV-Status =~
m{\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Hdr     X-Amavis-AV-Status =~
m{\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Img     X-Amavis-AV-Status =~
m{\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_MSRBL_Img  X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}

score  L_AV_Phish      14
score  L_AV_SS_Phish   -3
score  L_AV_SS_Scam    6
score  L_AV_SS_Spam    6
score  L_AV_SS_Hdr     3
score  L_AV_SS_Img     3
score  L_AV_MSRBL_Img  3
score  L_AV_MSRBL_Spam 6

Watch for line wrapping.

Bill

Reply via email to