[sanesecurity] Re: A little help w/ @virus_name_to_spam_score_maps

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 07 Apr 2009 08:59:46 -0700

Tom Shaw wrote:
> At 2:37 PM -0700 4/6/09, Bill Landry wrote:
>> James Ferreira wrote:
>>>  Thank you, I see the naming has changed. This works great but I still
>>>  get spam marked as Blocked INFECTED quarantine: virus-#######
>>>
>>>  I have never seen it work otherwise so maybe that is just the way it
>>> is?
>>
>> It really depends on what the virus name is and how you've set up your
>> map to handle them.  I use a very simple and generic map in my
>> amavisd.conf file, since I want all non-virus messages to be delivered
>> to SpamAssassin for bayes learning and spam scoring.
>>
>> Here is what I use:
>>
>> @virus_name_to_spam_score_maps =
>>   (new_RE( [ qr'(Sanesecurity)'    => 7.5 ],
>>            [ qr'(MSRBL)'           => 7.5 ],
>>            [ qr'(SecuriteInfo)'    => 7.5 ],
>>            [ qr'(MBL)'             => 7.5 ],
>>            [ qr'(winnow)'          => 7.5 ],
>>            [ qr'(Safebrowsing)'    => 7.5 ],
>>   ));
>>
> 
> Interesting. Bill, what was your rationale on not including heuristic
> phish detected by clamd?
> 
> Just wondering,

Hmmm, I guess because I didn't think about it - but thanks for the hint.
I've now changed to this in amavisd.conf:

@virus_name_to_spam_score_maps =
  (new_RE( [ qr'Sanesecurity'    => 0 ],
           [ qr'MSRBL'           => 0 ],
           [ qr'SecuriteInfo'    => 0 ],
           [ qr'MBL'             => 0 ],
           [ qr'winnow'          => 0 ],
           [ qr'Safebrowsing'    => 0 ],
           [ qr'^Email'          => 0 ],
           [ qr'^HTML'           => 0 ],
  ));

With this in ClamAV.cf (in the ~/spamassassin directory):

header AV_SS     X-Amavis-AV-Status =~ m{Sanesecurity}
header AV_MSRBL  X-Amavis-AV-Status =~ m{MSRBL}
header AV_MBL    X-Amavis-AV-Status =~ m{MBL}
header AV_SI     X-Amavis-AV-Status =~ m{SecuriteInfo}
header AV_WN     X-Amavis-AV-Status =~ m{winnow}
header AV_SB     X-Amavis-AV-Status =~ m{Safebrowsing}
header AV_CAV    X-Amavis-AV-Status =~ m{\bAV:Email|\bAV:HTML}

score  AV_SS     7.5
score  AV_MSRBL  7.5
score  AV_MBL    7.5
score  AV_SI     7.5
score  AV_WN     7.5
score  AV_SB     7.5
score  AV_CAV    7.5

This configuration is based on the link that Henrik Krohns included in
his email on this subject.  This has only been running for the past few
hours, but seems to be working fine thus far.

Bill
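
An added example, not part of the original post or of amavisd-new: a Python model of the second map and the ClamAV.cf rules above, for checking how a given signature name would be classified. It assumes the map is evaluated first-match-wins with unmatched names remaining virus detections, and that the X-Amavis-AV-Status value is the name prefixed with AV: (as the AV_CAV rule implies); all sample names are constructed.

```python
import re

# Second map from the post: every matched name contributes 0 in amavisd,
# leaving the scoring to SpamAssassin. Assumed: first matching entry wins.
SCORE_MAP = [(re.compile(p), 0.0) for p in (
    r"Sanesecurity", r"MSRBL", r"SecuriteInfo", r"MBL",
    r"winnow", r"Safebrowsing", r"^Email", r"^HTML")]

# ClamAV.cf rules from the post: (rule name, header regex, score).
SA_RULES = [
    ("AV_SS", r"Sanesecurity", 7.5), ("AV_MSRBL", r"MSRBL", 7.5),
    ("AV_MBL", r"MBL", 7.5), ("AV_SI", r"SecuriteInfo", 7.5),
    ("AV_WN", r"winnow", 7.5), ("AV_SB", r"Safebrowsing", 7.5),
    ("AV_CAV", r"\bAV:Email|\bAV:HTML", 7.5),
]

def map_score(name):
    """Return the map's score for one signature name, or None if no entry
    matches (assumed: the name is then still treated as a virus)."""
    for pattern, score in SCORE_MAP:
        if pattern.search(name):
            return score
    return None

def sa_hits(name):
    """Rules that fire on an X-Amavis-AV-Status value. Assumption: the
    header carries the name prefixed with 'AV:', as AV_CAV implies."""
    header = "AV:" + name
    return [(rule, s) for rule, rx, s in SA_RULES if re.search(rx, header)]

def audit(names):
    """Classify each name: demoted to spam scoring, or kept as a virus."""
    report = {}
    for n in names:
        demoted = map_score(n) is not None
        hits = sa_hits(n) if demoted else []
        report[n] = ("spam" if demoted else "virus", sum(s for _, s in hits))
    return report

# Constructed signature names, for illustration only.
SAMPLES = ["Sanesecurity.Junk.0000.UNOFFICIAL", "Email.Phishing.Example-1",
           "Example.Phishing.Email.Spoofed", "Win.Trojan.Example-1",
           "Win.Trojan.MBLoader-1"]

if __name__ == "__main__":
    for name, (verdict, score) in audit(SAMPLES).items():
        print(f"{verdict:5} {score:4.1f}  {name}")
```

The constructed name Win.Trojan.MBLoader-1 is classified as spam only because the unanchored MBL entry matches any name containing those letters, while Example.Phishing.Email.Spoofed stays a virus because ^Email is anchored to the start of the name.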

