[sanesecurity] Re: virus_name_to_spam_score_maps

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Mon, 29 Nov 2010 04:22:25 -0800

On 11/29/2010 12:17 AM, Steve Basford wrote:
   Good morning list.

Can anyone advise as to where one may get the latest
virus_name_to_spam_score_maps ?

Hi Tom,

Here's a couple of sample ones...

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Phishing\.'                                             =>  6.1 ],
    [ qr'^Email.Spam\d{1,4}-SecuriteInfo'                         =>  4.1 ],
    [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Phishing|SpearL?)\.'i   =>  6.1 ],
    [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Spam|Scam)[a-z0-9]?\.'i =>  4.6 ],
    [ qr'^Sanesecurity\.(?:Malware|Trojan)\.'                     =>  undef ],  # undef: keep as infected
    [ qr'^Sanesecurity\.(?:Test|Rogue)'                           =>  undef ],
    [ qr'^Sanesecurity\.(?:Hdr|Img|ImgO|Junk|Doc|Casino)\.'x      =>  6.1 ],
    [ qr'^Sanesecurity\.(?:Lott|Fake|SpamImg|Job|Stk)\.'x         =>  6.1 ],
    [ qr'^Sanesecurity\.(?:Loan|Porn|Bou|Dipl|Cred)\.'x           =>  6.1 ],
    [ qr'^Sanesecurity\.Jurlbl\.Auto\.'x                          =>  1.6 ],
    [ qr'^Sanesecurity\.Jurlbl\.'x                                =>  2.6 ],
    [ qr'^Sanesecurity\.SpamAttach_'x                             =>  4.1 ],
    [ qr'^ScamNailer\.Phish\.'x                                   =>  2.6 ],
    [ qr'^Doppelstern\.Attachment\.'x                             =>  4.1 ],
    [ qr'^Doppelstern\.(?:Job|Junk|Loan|Lott|Phishing|Scam4)\.'x  =>  2.6 ],
    [ qr'^winnow\.(?:botnets?|phish|complex|mailer)\.'x           =>  6.1 ],
    [ qr'^winnow\.image\.'x                                       =>  4.1 ],
    [ qr'^winnow\.spam(?:domain)?\.'x                             =>  2.6 ],
    [ qr'^winnow\.(?:malware|trojan|compromised)\.'x              =>  undef ],
    [ qr'^winnow\.'x                                              =>  2.6 ],
    [ qr'^INetMsg\.SpamDomain-2w\.'                               =>  3.0 ],
    [ qr'^INetMsg\.'                                              =>  2.0 ],
    [ qr'^MSRBL-Images\.'                                         =>  2.1 ],
    [ qr'^MSRBL-SPAM\.'                                           =>  5.1 ],
    [ qr'^MBL_'                                                   =>  undef ],  # keep as infected
  ));

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            =>  0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       =>  0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      =>  0.1 ],
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'          =>  undef ],  # keep as infected
    [ qr'^Sanesecurity\.'                                  =>  0.1 ],
    [ qr'^Sanesecurity_PhishBar_'                          =>  0   ],
    [ qr'^Sanesecurity.TestSig_'                           =>  0   ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' =>  0   ],
    [ qr'^Email\.Spammail\b'                               =>  0.1 ],
    [ qr'^MSRBL-(Images|SPAM)\b'                           =>  0.1 ],
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'            =>  0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' =>  0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'          =>  0.1 ],
    [ qr'^Safebrowsing\.'                                  =>  0.1 ],
    [ qr'^winnow\.(phish|spam)\.'                          =>  0.1 ],
    [ qr'^INetMsg\.SpamDomain'                             =>  0.1 ],
    [ qr'^Doppelstern\.(Scam4|Phishing)'                   =>  0.1 ],
    [ qr'^ScamNailer\.Phish\.'                             =>  0.1 ],
    [ qr'^HTML/Bankish'                                    =>  0.1 ],  # F-Prot
    [ qr'-SecuriteInfo\.com(\.|\z)'                        =>  undef ],  # keep as infected
    [ qr'^MBL_NA\.UNOFFICIAL'                              =>  0.1 ],  # false positives
    [ qr'^MBL_'                                            =>  undef ],  # keep as infected
  ));

Note: neither include CRDF signature names.

If anyone can produce a default template then I'll add one to the website.

There are so many different signature name definitions that it would be difficult to create a single entry for all of them:

CRDF.ABC
CRDF.AIDSII
CRDF.ARCV
CRDF.AdWare
CRDF.Adware
CRDF.AfterShake
CRDF.Alabama-B
CRDF.Amstrad-740
CRDF.AntiCAD-4096
CRDF.Application
CRDF.Application-Generic
CRDF.April-1st
CRDF.BACKDOOR
CRDF.BFD
CRDF.BOO
CRDF.BackDoor
CRDF.Backdoor
CRDF.Backfont-905
CRDF.BadTaste
CRDF.Bandit-1641
CRDF.Betty
CRDF.BlackWizard
CRDF.Boot
CRDF.Bootache
CRDF.C-Virus
CRDF.CALA
CRDF.CAZ
CRDF.CB-1530
CRDF.Cannabis
CRDF.CaptainTrips
CRDF.Cheeba
CRDF.Chromo-20
CRDF.Clipper
CRDF.Close
CRDF.Comspec
CRDF.Cookie-7360
CRDF.Cookie-7392
CRDF.Cossiga
CRDF.DDoS
CRDF.DLOADER
CRDF.DOS
CRDF.DSPDH
CRDF.Dalian
CRDF.Dark-Avenger-1063
CRDF.Dark-Avenger-1801
CRDF.DarkApocalypse
CRDF.DarkAvenger
CRDF.DarkAvenger-1947
CRDF.DarkEvil
CRDF.Darklord
CRDF.Darkray
CRDF.Datacrime
CRDF.Datacrime-II
CRDF.Datalock
CRDF.Davis
CRDF.December24th
CRDF.DeepScan
CRDF.Delyrium-Pest
CRDF.Destructor
CRDF.Dialer-722
CRDF.Diamond
CRDF.DieLamer
CRDF.Doom-II
CRDF.Dr
CRDF.Dracula
CRDF.Dropped
CRDF.Dropper
CRDF.Durban
CRDF.EICAR
CRDF.ELF
CRDF.Ear
CRDF.EasternDigit-1600
CRDF.Eddie-2
CRDF.Enigma-1755
CRDF.Enola
CRDF.Erasmus
CRDF.Eternity-565
CRDF.Exploit
CRDF.Explosion
CRDF.F-You-593
CRDF.F-You-635
CRDF.FakeAV
CRDF.FakeAlert
CRDF.FaxFree-1536
CRDF.Fellowship-2
CRDF.Fingers
CRDF.Fist
CRDF.Flash
CRDF.Flip
CRDF.Flower
CRDF.Fu-Manchu
CRDF.GOV-Overwrite
CRDF.GP-1
CRDF.Gen
CRDF.Gotcha
CRDF.Greemlin
CRDF.Grog
CRDF.H-1024
CRDF.HLLM
CRDF.HLLW
CRDF.HackTool
CRDF.Hacker
CRDF.Hafen
CRDF.Halloechen
CRDF.Harikiri
CRDF.Havoc
CRDF.Helloween
CRDF.Hero
CRDF.Heur
CRDF.Hiperion-249
CRDF.Horse-A
CRDF.Horse-B
CRDF.Hymn
CRDF.IMI
CRDF.IMI-1538
CRDF.IRC
CRDF.Ice
CRDF.Icelandic-Saratoga
CRDF.Immortal
CRDF.Internal
CRDF.Intruder
CRDF.Intruder-1555
CRDF.Invol
CRDF.ItaVir
CRDF.Italian
CRDF.JS
CRDF.Jabberwocky
CRDF.Jerk-Miky
CRDF.Jerusalem
CRDF.Jerusalem-CVEX
CRDF.Jerusalem-Einstein
CRDF.Jerusalem-Moctezuma
CRDF.Jerusalem-PuertoExe
CRDF.Jerusalem-USA
CRDF.Joke
CRDF.Joker
CRDF.July13th
CRDF.KeyboardBug
CRDF.Keypress-II
CRDF.Kharkov-1024
CRDF.KissG
CRDF.Kit
CRDF.Kylie
CRDF.Liberty
CRDF.LittlePieces
CRDF.Lucifer
CRDF.MIR
CRDF.MIX1
CRDF.MIX1-B
CRDF.MPCP
CRDF.MSTU
CRDF.MULDROP
CRDF.MadSatan
CRDF.Magnitogorsk
CRDF.Maltese_Amoeba
CRDF.Malware
CRDF.Malware-Generic
CRDF.Mannequin
CRDF.Mayak
CRDF.MemScan
CRDF.MerryXmas
CRDF.Mirror
CRDF.Mix-664
CRDF.MonitoringTool
CRDF.Mosquito
CRDF.Mummy-1
CRDF.NPox
CRDF.NPox-1722
CRDF.NV-71
CRDF.Natas-b
CRDF.Nazi
CRDF.Ncu-Li
CRDF.Necropolis-1
CRDF.New-COM
CRDF.NewHaifa
CRDF.NextGen
CRDF.NoFrills
CRDF.Nov30
CRDF.November17
CRDF.OS2
CRDF.OldYankee
CRDF.Ontario
CRDF.Oropax
CRDF.Other
CRDF.Overwrite-3008
CRDF.Overwrite-4032
CRDF.Overwrite-4752
CRDF.PS-MPC
CRDF.PS-MPC-based
CRDF.PSMPC
CRDF.PSQR
CRDF.PWS
CRDF.Packed
CRDF.Paris
CRDF.Parite
CRDF.PcVrsDs
CRDF.Perl
CRDF.Pest
CRDF.Phonix
CRDF.Plastique
CRDF.Platinum
CRDF.Pojer
CRDF.Possessed-E
CRDF.Predator
CRDF.Prudents
CRDF.Quake
CRDF.Quinine
CRDF.RNA
CRDF.Rat
CRDF.Raubkopie
CRDF.Rogue
CRDF.Rushhour
CRDF.S-Vir
CRDF.SVC-3
CRDF.SVC-3112
CRDF.SVC-5
CRDF.SVC-6
CRDF.SVC40-A
CRDF.Sadist
CRDF.Saratoga
CRDF.Satan2
CRDF.Satan3
CRDF.Sector
CRDF.Sentinel
CRDF.Shark
CRDF.Shiny
CRDF.Shirley
CRDF.Shirley-Vivaldi
CRDF.Slovakia
CRDF.Slow
CRDF.Smack
CRDF.Small
CRDF.Softomate
CRDF.Spammer
CRDF.Spanish
CRDF.Spyer
CRDF.Spyware
CRDF.Star-Dot
CRDF.Star-Dot-801
CRDF.Sunday
CRDF.Suriv-3
CRDF.Surrender
CRDF.Sverdlov
CRDF.Syslock3551
CRDF.TR
CRDF.TaiPan-438
CRDF.TaiPan-666
CRDF.Teller
CRDF.Tequila
CRDF.Terminator-1
CRDF.Terror
CRDF.Thursday12th
CRDF.Tokyo
CRDF.Tool
CRDF.Totor-A
CRDF.Traceback
CRDF.Traceback-3030
CRDF.Traveller
CRDF.Trojan
CRDF.Trojan-Generic
CRDF.TrojanClicker
CRDF.TrojanDownloader
CRDF.TrojanDropper
CRDF.TrojanSpy
CRDF.Trust
CRDF.USSR-1049
CRDF.USSR-1689
CRDF.USSR-2144
CRDF.USSR-948
CRDF.V-1L
CRDF.V-981
CRDF.V2000
CRDF.V2100
CRDF.VComm
CRDF.VGEN
CRDF.VTech
CRDF.Vacsina
CRDF.Varicell
CRDF.Vgen
CRDF.Victor
CRDF.Vienna
CRDF.Vienna-5520
CRDF.VirTool
CRDF.Virtool
CRDF.Virus
CRDF.Virus101
CRDF.Vkit
CRDF.Vlad-Sister
CRDF.Voodo
CRDF.Voronezh
CRDF.W32
CRDF.WIN
CRDF.Warrior
CRDF.Westwood
CRDF.Willow
CRDF.Win32
CRDF.Windows-Virus
CRDF.Witch
CRDF.Wonder
CRDF.Word-B
CRDF.Word-C
CRDF.Worm
CRDF.Yankee
CRDF.Yankee-1150
CRDF.Yanshort-1961
CRDF.Yeke-1204
CRDF.Yellow-1
CRDF.ZK-900
CRDF.Zherkov-1915
CRDF.Zherkov-2970
CRDF._2623
CRDF.not

And a few are duplicated only with different upper/lower case letter combinations:

CRDF.AdWare
CRDF.Adware
CRDF.BACKDOOR
CRDF.BackDoor
CRDF.Backdoor
CRDF.VirTool
CRDF.Virtool

However, if all of these are considered virus/malware/trojan/etc., then it would not really be appropriate to pass them onto SpamAssassin and potentially deliver them anyway. Let ClamAV deal with them like it does with any other of these types of signatures, typically quarantining them.

The score maps posted above are really meant to deliver suspected spam to SpamAssassin so it can score them and possibly deliver any false-positives, not process virus/malware/trojan/etc type emails.

Bill
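The first-match-wins lookup that both maps in this thread rely on, written out as an added example in Python rather than amavisd-new's own Perl. This is not code from the original posts or from amavisd-new; it transcribes the second map posted above and runs it over constructed ClamAV virus names (no real log was used), so the "order matters" comment, the undef ("keep as infected") entries, and the fact that unmapped names such as the CRDF ones fall through as infected can be checked without a mail server. The rule semantics assumed here (first match wins; undef or no match at all leaves the message infected; a matched name is handed to SpamAssassin with the mapped score added) follow amavisd-new's documented behaviour for @virus_name_to_spam_score_maps. Perl's \z is written as Python's \Z.

```python
import re

KEEP_INFECTED = None   # stands for Perl's undef in the map: the hit stays a virus

# Python transcription of the second map posted in the thread. Rules are tried
# in order and the first match wins, exactly as amavisd-new applies the map.
VIRUS_NAME_TO_SPAM_SCORE = [
    (r'^Structured\.(SSN|CreditCardNumber)\b',                    0.1),
    (r'^(Heuristics\.)?Phishing\.',                               0.1),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)',              0.1),
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.',                  KEEP_INFECTED),
    (r'^Sanesecurity\.',                                          0.1),
    (r'^Sanesecurity_PhishBar_',                                  0),
    (r'^Sanesecurity.TestSig_',                                   0),
    (r'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.',         0),
    (r'^Email\.Spammail\b',                                       0.1),
    (r'^MSRBL-(Images|SPAM)\b',                                   0.1),
    (r'^VX\.Honeypot-SecuriteInfo\.com\.Joke',                    0.1),
    (r'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\Z)',  0.1),
    (r'^Email\.Spam.*-SecuriteInfo\.com(\.|\Z)',                  0.1),
    (r'^Safebrowsing\.',                                          0.1),
    (r'^winnow\.(phish|spam)\.',                                  0.1),
    (r'^INetMsg\.SpamDomain',                                     0.1),
    (r'^Doppelstern\.(Scam4|Phishing)',                           0.1),
    (r'^ScamNailer\.Phish\.',                                     0.1),
    (r'^HTML/Bankish',                                            0.1),   # F-Prot
    (r'-SecuriteInfo\.com(\.|\Z)',                                KEEP_INFECTED),
    (r'^MBL_NA\.UNOFFICIAL',                                      0.1),   # false positives
    (r'^MBL_',                                                    KEEP_INFECTED),
]
COMPILED = [(re.compile(pattern), score) for pattern, score in VIRUS_NAME_TO_SPAM_SCORE]


def lookup(virus_name, rules=COMPILED):
    """Return (rule_index, score) for the first rule whose regex matches virus_name.

    (None, None) when nothing matches: amavisd-new then treats the name like an
    explicit undef, i.e. the message stays infected and never reaches SpamAssassin.
    """
    for index, (regex, score) in enumerate(rules):
        if regex.search(virus_name):
            return index, score
    return None, KEEP_INFECTED


def disposition(virus_name, rules=COMPILED):
    """'infected' when ClamAV's verdict stands, otherwise 'spam:<score>' with the
    score amavisd-new adds before handing the message to SpamAssassin."""
    _, score = lookup(virus_name, rules)
    return "infected" if score is None else f"spam:{score}"


# The same rules with the catch-all ^Sanesecurity\. rule moved ahead of the
# Malware/Rogue/Trojan rule. The "keep as infected" rule is now shadowed and
# can never fire: this is what the "order matters!" comment warns about.
MISORDERED = COMPILED[:3] + [COMPILED[4], COMPILED[3]] + COMPILED[5:]

# Constructed virus names for the demonstration, not taken from a real ClamAV log.
SAMPLES = [
    "Sanesecurity.Phishing.Cur.123.UNOFFICIAL",
    "Sanesecurity.Trojan.Zip.456.UNOFFICIAL",
    "Heuristics.Phishing.Email.SpoofedDomain",
    "Email.Spam.123-SecuriteInfo.com.UNOFFICIAL",
    "VX.Trojan.Foo-SecuriteInfo.com",
    "MBL_NA.UNOFFICIAL",
    "MBL_1234.UNOFFICIAL",
    "CRDF.Trojan.Generic.UNOFFICIAL",   # no rule in the map: stays infected
]

if __name__ == "__main__":
    for name in SAMPLES:
        index, _ = lookup(name)
        rule = "no rule" if index is None else f"rule {index}"
        print(f"{name:45} {rule:8} -> {disposition(name)}")
    print("misordered map:", disposition("Sanesecurity.Trojan.Zip.456.UNOFFICIAL", MISORDERED))
```

Running it prints one line per sample name. The CRDF name matches no rule and stays infected, which is the behaviour Bill argues for; the misordered variant shows why the Malware/Rogue/Trojan rule has to precede the generic ^Sanesecurity\. rule: swapped, every Sanesecurity hit, malware included, would be scored as spam at 0.1 and could be delivered.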
