[sanesecurity] Re: virus_name_to_spam_score_maps

  • From: "Steve Basford" <steveb_clamav@xxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Mon, 29 Nov 2010 08:17:31 -0000

>   Good morning list.
>
> Can anyone advise as to where one may get the latest
> virus_name_to_spam_score_maps ?

Hi Tom,

Here's a couple of sample ones...

@virus_name_to_spam_score_maps =
(new_RE( # the order matters!
[ qr'^Phishing\.' => 6.1 ],
[ qr'^Email.Spam\d{1,4}-SecuriteInfo' => 4.1 ],
[ qr'^(?:Email|HTML|Sanesecurity)\.(?:Phishing|SpearL?)\.'i => 6.1 ],
[ qr'^(?:Email|HTML|Sanesecurity)\.(?:Spam|Scam)[a-z0-9]?\.'i => 4.6 ],
[ qr'^Sanesecurity\.(?:Malware|Trojan)\.' => undef ],
[ qr'^Sanesecurity\.(?:Test|Rogue)' => undef ],
[ qr'^Sanesecurity\.(?:Hdr|Img|ImgO|Junk|Doc|Casino)\.'x => 6.1 ],
[ qr'^Sanesecurity\.(?:Lott|Fake|SpamImg|Job|Stk)\.'x => 6.1 ],
[ qr'^Sanesecurity\.(?:Loan|Porn|Bou|Dipl|Cred)\.'x => 6.1 ],
[ qr'^Sanesecurity\.Jurlbl\.Auto\.'x => 1.6 ],
[ qr'^Sanesecurity\.Jurlbl\.'x => 2.6 ],
[ qr'^Sanesecurity\.SpamAttach_'x => 4.1 ],
[ qr'^ScamNailer\.Phish\.'x => 2.6 ],
[ qr'^Doppelstern\.Attachment\.'x => 4.1 ],
[ qr'^Doppelstern\.(?:Job|Junk|Loan|Lott|Phishing|Scam4)\.'x => 2.6 ],
[ qr'^winnow\.(?:botnets?|phish|complex|mailer)\.'x => 6.1 ],
[ qr'^winnow\.image\.'x => 4.1 ],
[ qr'^winnow\.spam(?:domain)?\.'x => 2.6 ],
[ qr'^winnow\.(?:malware|trojan|compromised)\.'x => undef ],
[ qr'^winnow\.'x => 2.6 ],
[ qr'^INetMsg\.SpamDomain-2w\.' => 3.0 ],
[ qr'^INetMsg\.' => 2.0 ],
[ qr'^MSRBL-Images\.' => 2.1 ],
[ qr'^MSRBL-SPAM\.' => 5.1 ],
[ qr'^MBL_' => undef ], # keep as infected
));

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],  # keep as infected
    [ qr'^Sanesecurity\.'                                  => 0.1 ],
    [ qr'^Sanesecurity_PhishBar_'                          => 0   ],
    [ qr'^Sanesecurity.TestSig_'                           => 0   ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0   ],
    [ qr'^Email\.Spammail\b'                               => 0.1 ],
    [ qr'^MSRBL-(Images|SPAM)\b'                           => 0.1 ],
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'            => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'          => 0.1 ],
    [ qr'^Safebrowsing\.'                                  => 0.1 ],
    [ qr'^winnow\.(phish|spam)\.'                          => 0.1 ],
    [ qr'^INetMsg\.SpamDomain'                             => 0.1 ],
    [ qr'^Doppelstern\.(Scam4|Phishing)'                   => 0.1 ],
    [ qr'^ScamNailer\.Phish\.'                             => 0.1 ],
    [ qr'^HTML/Bankish'                                    => 0.1 ],  # F-Prot
    [ qr'-SecuriteInfo\.com(\.|\z)'         => undef ],  # keep as infected
    [ qr'^MBL_NA\.UNOFFICIAL'               => 0.1 ],    # false positives
    [ qr'^MBL_'                             => undef ],  # keep as infected
  ));

Note: neither includes CRDF signature names.

If anyone can produce a default template then I'll add one to the website.

Hope it helps,

Steve
Sanesecurity
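
The "order matters" comment in the maps above, as an added example that is not part of the original post and is not amavisd-new code: a stand-alone Perl check of which entry decides a given signature name, and what changes when a catch-all entry is moved ahead of an `undef` (keep as infected) entry. `lookup_score` and `describe` are hypothetical helpers, the signature names are constructed, and the map is a subset of the first sample.

```perl
use strict;
use warnings;

# Entries copied from the first sample map in the post; order is significant.
my @map = (
  [ qr'^Sanesecurity\.(?:Malware|Trojan)\.'         => undef ],
  [ qr'^Sanesecurity\.Jurlbl\.Auto\.'x              => 1.6   ],
  [ qr'^Sanesecurity\.Jurlbl\.'x                    => 2.6   ],
  [ qr'^winnow\.(?:malware|trojan|compromised)\.'x  => undef ],
  [ qr'^winnow\.'x                                  => 2.6   ],
);

# Hypothetical helper: the first entry whose regexp matches decides the result.
# Returns (matched, score); score is undef for "keep as infected" entries.
sub lookup_score {
  my ($name, @entries) = @_;
  for my $entry (@entries) {
    my ($re, $score) = @$entry;
    return (1, $score) if $name =~ $re;
  }
  return (0, undef);
}

# Turn a lookup result into a readable verdict.
sub describe {
  my ($name, @entries) = @_;
  my ($matched, $score) = lookup_score($name, @entries);
  return 'no entry matched' unless $matched;
  return defined $score ? "spam score $score" : 'undef (keep as infected)';
}

# Constructed signature names for illustration.
my @samples = qw(
  Sanesecurity.Jurlbl.Auto.1234.UNOFFICIAL
  Sanesecurity.Jurlbl.5678.UNOFFICIAL
  winnow.malware.1111.UNOFFICIAL
  winnow.spam.2222.UNOFFICIAL
  Example.Unlisted.3333
);

# Misordered copy: the catch-all winnow entry placed ahead of the undef entry.
my @misordered = @map[0, 1, 2, 4, 3];

for my $name (@samples) {
  my ($good, $bad) = (describe($name, @map), describe($name, @misordered));
  printf "%-42s %s\n", $name, $good;
  printf "%-42s misordered map gives: %s\n", '', $bad if $good ne $bad;
}
```

Running a candidate map through a check like this before deploying it shows any malware-class name that a broader, earlier entry would turn into a spam score.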

