Need help with rule set
Anthony Cartmell
ajcartmell at fonant.com
Wed Jul 29 21:31:39 IST 2009
> Here's a thought. It's not well thought out and may have holes, but if
> there were a new MailScanner setting that could be a ruleset along the
> lines of:
>
> Virus Report Action = virus
>
> which would preserve the current behavior but allow a ruleset where I
> could say
>
> Virus: (something to match in the virus report) virus
> Virus: (something else to match in the virus report) spam
> Virus: (yet something else to match in the virus report) high-spam
From the SaneSecurity list I know that people using Amavisd can score
ClamAV report matches like this:
amavisd.conf:
@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Phishing\.'                                                           => 4.1 ],
    [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1 ],
    [ qr'^Sanesecurity\.(Malware|Trojan)\.'                                     => undef ],
    [ qr'^Sanesecurity\.(Test|Rogue|Casino)'                                    => undef ],
    [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x                             => 6.1 ],
    [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x                         => 6.1 ],
    [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x                           => 6.1 ],
    [ qr'^(MSRBL-Images/)'                                                      => 2.1 ],
    [ qr'^(MSRBL-SPAM\.)'                                                       => 5.1 ],
    [ qr'^MBL_'                                                                 => undef ],  # keep as infected
  ));
Setting the score means it's spammy, setting it to undef means it's a
virus. These scores are added to the scores from SpamAssassin, AIUI.

Something like this in MailScanner would be _really_ nice. Some of the
third-party databases are known to be prone to false positives, but given
a low score could still help to stop spam if the message also triggers
other SpamAssassin rules.
Anthony
--
www.fonant.com - Quality web sites
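
The mapping described in the message above, as a stand-alone sketch added here (not part of the original post and not amavisd's own code). It assumes the first matching entry wins, leaves unmatched names as viruses, and uses constructed signature names, constructed SpamAssassin scores and a hypothetical threshold of 6.0.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same pattern => score pairs as the amavisd.conf excerpt in the post.
# undef means "no spam score": the hit stays a virus detection.
my @virus_name_to_spam_score = (
    [ qr'^Phishing\.'                                                           => 4.1 ],
    [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1 ],
    [ qr'^Sanesecurity\.(Malware|Trojan)\.'                                     => undef ],
    [ qr'^Sanesecurity\.(Test|Rogue|Casino)'                                    => undef ],
    [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x                             => 6.1 ],
    [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x                         => 6.1 ],
    [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x                           => 6.1 ],
    [ qr'^(MSRBL-Images/)'                                                      => 2.1 ],
    [ qr'^(MSRBL-SPAM\.)'                                                       => 5.1 ],
    [ qr'^MBL_'                                                                 => undef ],
);

# Assumption: entries are tried in order and the first match ends the search.
# Returns (matched, score); score is undef when the name stays a virus.
sub spam_score_for {
    my ($name) = @_;
    for my $entry (@virus_name_to_spam_score) {
        my ($re, $score) = @$entry;
        return (1, $score) if $name =~ $re;
    }
    return (0, undef);
}

my $spam_threshold = 6.0;    # hypothetical site threshold
my @samples = (              # constructed: [ ClamAV report name, SpamAssassin score ]
    [ 'Sanesecurity.Junk.12345.UNOFFICIAL',  1.3 ],
    [ 'Email.Phishing.Bank-7.UNOFFICIAL',    2.5 ],
    [ 'MSRBL-Images/0-1234',                 1.0 ],
    [ 'Sanesecurity.Malware.9999.UNOFFICIAL', 0.0 ],
    [ 'Eicar-Test-Signature',                0.0 ],
);

for my $sample (@samples) {
    my ($name, $sa_score) = @$sample;
    my ($matched, $score) = spam_score_for($name);
    if (defined $score) {
        # Per the post, the mapped score is added to the SpamAssassin score.
        my $total = $sa_score + $score;
        printf "%-40s +%.1f -> total %.1f (%s)\n", $name, $score, $total,
            $total >= $spam_threshold ? 'spam' : 'below threshold';
    } else {
        printf "%-40s virus (%s)\n", $name,
            $matched ? 'mapped to undef' : 'no map entry';
    }
}
```

The MSRBL-Images sample shows the false-positive case from the post: a low mapped score alone does not cross the threshold unless other SpamAssassin rules also fire.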