Need help with rule set

Michael Mansour micoots at yahoo.com
Wed Jul 29 21:50:59 IST 2009


Hi,

--- On Thu, 30/7/09, Anthony Cartmell <ajcartmell at fonant.com> wrote:

> From: Anthony Cartmell <ajcartmell at fonant.com>
> Subject: Re: Need help with rule set
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Received: Thursday, 30 July, 2009, 6:31 AM
> > Here's a thought. It's not well thought out and may have holes, but if
> > there were a new MailScanner setting that could be a ruleset along the
> > lines of:
> > 
> > Virus Report Action = virus
> > 
> > which would preserve the current behavior but allow a ruleset where I
> > could say
> > 
> > Virus: (something to match in the virus report) virus
> > Virus: (something else to match in the virus report) spam
> > Virus: (yet something else to match in the virus report) high-spam
> 
> From the SaneSecurity list I know that people using Amavisd
> can score ClamAV report matches like this:
> 
> amavisd.conf:
> 
> @virus_name_to_spam_score_maps =
>  (new_RE(  # the order matters!
>    [ qr'^Phishing\.'                                                           => 4.1 ],
>    [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1 ],
>    [ qr'^Sanesecurity\.(Malware|Trojan)\.'                                     => undef ],
>    [ qr'^Sanesecurity\.(Test|Rogue|Casino)'                                    => undef ],
>    [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x                             => 6.1 ],
>    [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x                         => 6.1 ],
>    [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x                           => 6.1 ],
>    [ qr'^(MSRBL-Images/)'                                                      => 2.1 ],
>    [ qr'^(MSRBL-SPAM\.)'                                                       => 5.1 ],
>    [ qr'^MBL_'                                                                 => undef ],  # keep as infected
>  ));
> 
> Setting the score means it's spammy, setting it to undef
> means it's a virus. These scores are added to the scores
> from SpamAssassin, AIUI.
> 
> Something like this in MailScanner would be _really_ nice.
> Some of the third-party databases are known to be prone to
> false positives, but given a low score could still help to
> stop spam if the message also triggers other SpamAssassin
> rules.

I asked about exactly this on the list a month or two ago, and was told to use the ClamAV milter for sendmail, which would allow it.

I haven't had time to look at it myself yet, but I (strongly) agree that if MS can handle it internally like amavisd, it would be much better. The feature does seem to be available outside of MailScanner using that milter, though, if you really need it.

As I said above though, I'd personally prefer MailScanner to handle it; the fewer "packages" to worry about on a mail server, the better.

Regards,

Michael.

> Anthony
> -- 
> www.fonant.com - Quality web sites

More information about the MailScanner mailing list
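
The quoted amavisd.conf map is an ordered list in which, as the post describes, a numeric value marks a match as spam and undef keeps it a virus. The following stand-alone Perl script is an added example, not part of the original thread and not amavisd's own code: it models that first-match lookup so you can see which rule decides a given scanner-reported name. The signature names are constructed, and treating an unmatched name as a virus is an assumption.

```perl
#!/usr/bin/perl
# Added example: a stand-alone model of the ordered lookup described in the
# quoted post. It is not amavisd's own code and does not load amavisd.
use strict;
use warnings;

# Patterns and scores copied from the quoted amavisd.conf snippet.
# A number means "treat as spam with this score"; undef means "keep as virus".
my @map = (
  [ qr'^Phishing\.'                                                           => 4.1   ],
  [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1   ],
  [ qr'^Sanesecurity\.(Malware|Trojan)\.'                                     => undef ],
  [ qr'^Sanesecurity\.(Test|Rogue|Casino)'                                    => undef ],
  [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x                             => 6.1   ],
  [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x                         => 6.1   ],
  [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x                           => 6.1   ],
  [ qr'^(MSRBL-Images/)'                                                      => 2.1   ],
  [ qr'^(MSRBL-SPAM\.)'                                                       => 5.1   ],
  [ qr'^MBL_'                                                                 => undef ],
);

# Return (rule index, verdict, score) for one scanner-reported name.
# The first matching pattern decides; later patterns are never consulted.
sub classify {
  my ($name) = @_;
  for my $i (0 .. $#map) {
    my ($re, $score) = @{ $map[$i] };
    next unless $name =~ $re;
    return ($i, defined $score ? 'spam' : 'virus', $score);
  }
  return (undef, 'virus', undef);  # assumption: no match leaves it a virus
}

# Constructed signature names, for illustration only.
my @names = qw(
  Sanesecurity.Phishing.Bank.1.UNOFFICIAL
  Sanesecurity.SpamImg.2.UNOFFICIAL
  Sanesecurity.Malware.3.UNOFFICIAL
  Sanesecurity.Junk.4.UNOFFICIAL
  MSRBL-Images/0-5.UNOFFICIAL
  MBL_6.UNOFFICIAL
  Eicar-Test-Signature
);

for my $name (@names) {
  my ($rule, $verdict, $score) = classify($name);
  printf "%-42s rule=%-4s %-5s score=%s\n", $name,
    defined $rule ? $rule : 'none', $verdict, defined $score ? $score : '-';
}
```

Replacing the contents of `@map` with your own list and `@names` with names taken from your scanner logs shows whether a broad early pattern shadows a more specific later one.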