Rulesets for SA

Richard Mealing richard at fastnet.co.uk
Fri Dec 11 16:04:02 GMT 2009


Hi everyone,

I have been adding rulesets into SA with the following in the "Virus
Names Which Are Spam" - Sane*UNOFFICIAL HTML/* ScamNailer.Phish*
winnow.malware* winnow.botnet.ff.trojans* winnow.botnets*

It's working great for me, so I thought I would share this with you all
if you are interested - 

The scores have been changed a few times but as I say, this works great
for me. All you should need to do is replace the ORGNAME.

I've also added the ScamVirus at the bottom (and above) as I'm just
downloading it periodically into the clam directory.

#Sanesecurity Signature (jurlbl.ndb)
header SPAMVIRUSJurlblAuto X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Jurlbl.Auto/i
score SPAMVIRUSJurlblAuto 3.0

#SaneSecurity Signature (phish.ndb)
header SPAMVIRUSDoc X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Doc/i
score SPAMVIRUSDoc 3.0

header SPAMVIRUSFake X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Fake/i
score SPAMVIRUSFake 3.0

header SPAMVIRUSPhishingAuction X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Auction./i
score SPAMVIRUSPhishingAuction 3.0

header SPAMVIRUSPhishingAzon X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Azon/i
score SPAMVIRUSPhishingAzon 3.0

header SPAMVIRUSPhishingBank X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Bank/i
score SPAMVIRUSPhishingBank 3.0

header SPAMVIRUSPhishingCard X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Card/i
score SPAMVIRUSPhishingCard 3.0

header SPAMVIRUSPhishingCur X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Cur/i
score SPAMVIRUSPhishingCur 3.0

header SPAMVIRUSPhishingDca X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Dca/i
score SPAMVIRUSPhishingDca 3.0

header SPAMVIRUSPhishingFake X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Fake/i
score SPAMVIRUSPhishingFake 3.0

header SPAMVIRUSPhishingGiftCard X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.GiftCard/i
score SPAMVIRUSPhishingGiftCard 3.0

header SPAMVIRUSPhishingHex X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Hex/i
score SPAMVIRUSPhishingHex 3.0

header SPAMVIRUSPhishingIvt X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Ivt/i
score SPAMVIRUSPhishingIvt 3.0

header SPAMVIRUSPhishingJsc X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Jsc/i
score SPAMVIRUSPhishingJsc 3.0

header SPAMVIRUSPhishingNam X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Nam/i
score SPAMVIRUSPhishingNam 3.0

header SPAMVIRUSPhishingOnf X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Onf/i
score SPAMVIRUSPhishingOnf 3.0

header SPAMVIRUSPhishingPay X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Pay/i
score SPAMVIRUSPhishingPay 3.0

header SPAMVIRUSPhishingRdi X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Rdi/i
score SPAMVIRUSPhishingRdi 3.0

header SPAMVIRUSPhishingRock X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Rock/i
score SPAMVIRUSPhishingRock 3.0

header SPAMVIRUSPhishingRockGen X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.RockGen/i
score SPAMVIRUSPhishingRockGen 3.0

header SPAMVIRUSPhishingShop X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Shop/i
score SPAMVIRUSPhishingShop 3.0

header SPAMVIRUSPhishingSlw X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Slw/i
score SPAMVIRUSPhishingSlw 3.0

header SPAMVIRUSPhishingUrl X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Url/i
score SPAMVIRUSPhishingUrl 3.0

header SPAMVIRUSPhishingWrd X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Wrd/i
score SPAMVIRUSPhishingWrd 3.0

header SPAMVIRUSPhishingTestSig X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.PhishingTestSig/i
score SPAMVIRUSPhishingTestSig 3.0

header SPAMVIRUSTestSig_Type3_Bdy X-ORGNAME-MailScanner-SpamVirus-Report =~ /TestSig_Type3_Bdy/i
score SPAMVIRUSTestSig_Type3_Bdy 3.0

header SPAMVIRUSTestSig_Type4_Bdy X-ORGNAME-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Bdy/i
score SPAMVIRUSTestSig_Type4_Bdy 3.0

header SPAMVIRUSTestSig_Type4_Hdr X-ORGNAME-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Hdr/i
score SPAMVIRUSTestSig_Type4_Hdr 3.0

#SaneSecurity Signature (scam.ndb)
header SPAMVIRUSSpam X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam/i
score SPAMVIRUSSpam 3.0

header SPAMVIRUSCred X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Cred/i
score SPAMVIRUSCred 3.0

header SPAMVIRUSDipl X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Dipl/i
score SPAMVIRUSDipl 3.0

header SPAMVIRUSHdr X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Hdr/i
score SPAMVIRUSHdr 3.0

header SPAMVIRUSImg X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Img/i
score SPAMVIRUSImg 3.0

header SPAMVIRUSJob X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Job/i
score SPAMVIRUSJob 3.0

header SPAMVIRUSLoan X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Loan/i
score SPAMVIRUSLoan 3.0

header SPAMVIRUSPorn X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Porn/i
score SPAMVIRUSPorn 3.0

header SPAMVIRUSImgo X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Imgo/i
score SPAMVIRUSImgo 3.0

header SPAMVIRUSScam4 X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Scam4/i
score SPAMVIRUSScam4 3.0

header SPAMVIRUSScamL X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.ScamL/i
score SPAMVIRUSScamL 3.0

header SPAMVIRUSStk X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Stk/i
score SPAMVIRUSStk 3.0

header SPAMVIRUSTestSig X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.TestSig/i
score SPAMVIRUSTestSig 3.0

#SaneSecurity Signature (junk.ndb)
header SPAMVIRUSJunk X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Junk/i
score SPAMVIRUSJunk 3.0

#SaneSecurity Signature (rogue.hdb)
header SPAMVIRUSRogue X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Rogue/i
score SPAMVIRUSRogue 4.0

header SPAMVIRUSTrogan X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Trojan/i
score SPAMVIRUSTrogan 4.0

#SaneSecurity Signature (lott.ndb)
header SPAMVIRUSLott X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Lott/i
score SPAMVIRUSLott 3.0

#SaneSecurity Signature (spear.ndb)
header SPAMVIRUSSpear X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spear/i
score SPAMVIRUSSpear 3.0

#SaneSecurity Signature (spamimg.hdb)
header SPAMVIRUSSpamImg X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.SpamImg/i
score SPAMVIRUSSpamImg 3.0

#SaneSecurity Signature (spam.ldb)
header SPAMVIRUSSpamldg X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam.ldb/i
score SPAMVIRUSSpamldg 3.0

#SaneSecurity Signature (winnow_malware.hdb)
header SPAMVIRUSwinmalware X-ORGNAME-MailScanner-SpamVirus-Report =~ /winnow.malware/i
score SPAMVIRUSwinmalware 2.0

#SaneSecurity Signature (winnow_malware_links.ndb)
header SPAMVIRUSwinmalwarelink X-ORGNAME-MailScanner-SpamVirus-Report =~ /winnow.botnet.ff.trojans/i
score SPAMVIRUSwinmalwarelink 3.0

header SPAMVIRUSwinmalwarelinkbot X-ORGNAME-MailScanner-SpamVirus-Report =~ /winnow.botnets/i
score SPAMVIRUSwinmalwarelinkbot 3.0

#ScamNailer Config! New...
header SCAMNAILER X-ORGNAME-MailScanner-SpamVirus-Report =~ /ScamNailer.Phish/i
score SCAMNAILER 2.0

Thanks,

Rich
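
An added example, not part of the original post: a Python check that unwraps an excerpt of the rules above into the one-rule-per-line form a SpamAssassin config needs, substitutes ORGNAME, and reports which rules fire for a given report header value. The org name `Example` and the numbered signature names used with it are constructed; the check shows that `/Sanesecurity.Spam/i` also matches a `Sanesecurity.SpamImg` detection, so that one hit scores under both rules.

```python
import re

# Excerpt of the posted rules, still line-wrapped the way the e-mail shows them.
POSTED = """\
#SaneSecurity Signature (phish.ndb)
header SPAMVIRUSPhishingAuction X-ORGNAME-MailScanner-SpamVirus-Report
=~ /Sanesecurity.Phishing.Auction./i
score SPAMVIRUSPhishingAuction 3.0
#SaneSecurity Signature (scam.ndb)
header SPAMVIRUSSpam X-ORGNAME-MailScanner-SpamVirus-Report =~
/Sanesecurity.Spam/i
score SPAMVIRUSSpam 3.0
#SaneSecurity Signature (spamimg.hdb)
header SPAMVIRUSSpamImg X-ORGNAME-MailScanner-SpamVirus-Report =~
/Sanesecurity.SpamImg/i
score SPAMVIRUSSpamImg 3.0
"""

HEADER_RE = re.compile(r"header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/(i?)$")
SCORE_RE = re.compile(r"score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")

def load_rules(text, orgname):
    """Unwrap the rules, substitute ORGNAME, return {name: (header, regex, score)}."""
    logical = []
    for line in text.replace("ORGNAME", orgname).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # A line beginning with "=~" or "/" is the wrapped tail of a header rule.
        if logical and line.startswith(("=~", "/")):
            logical[-1] += " " + line
        else:
            logical.append(line)
    tests, scores = {}, {}
    for line in logical:
        if m := HEADER_RE.match(line):
            flags = re.IGNORECASE if m.group(4) else 0
            tests[m.group(1)] = (m.group(2), re.compile(m.group(3), flags))
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    # A rule without a score line falls back to SpamAssassin's default of 1.0.
    return {n: (h, rx, scores.get(n, 1.0)) for n, (h, rx) in tests.items()}

def evaluate(rules, headers):
    """Return the sorted names of the rules that fire and their summed score."""
    hits = sorted(n for n, (h, rx, _) in rules.items()
                  if rx.search(headers.get(h, "")))
    return hits, sum(rules[n][2] for n in hits)
```

Calling `evaluate(load_rules(POSTED, "Example"), {"X-Example-MailScanner-SpamVirus-Report": "Sanesecurity.SpamImg.0001.UNOFFICIAL"})` returns both `SPAMVIRUSSpam` and `SPAMVIRUSSpamImg` with a total of 6.0.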

 
