Spam-Virus Header and SpamAssassin custom rules

Ricky Boone ricky.boone at gmail.com
Tue Jul 21 17:08:59 UTC 2020


This may be a simple question, but wanted to run it by the mailing list.

Some virus signatures that can be classified as spam and phishing sometimes
have different reliability rates (lots of false positives on some, fewer on
others).  Rather than just having a SpamAssassin rule (currently
MS_FOUND_SPAMVIRUS) that looks for the existence of the
X-foo-MailScanner-SpamVirus-Report header, I'm thinking some rules can be
set up to look for different patterns in the value of this header and score
accordingly.

I've been looking at some of the code related to how this header is
generated.  Unfortunately I don't know the best way to test this (outside
of a test system, uncommenting lines that will likely dump to STDERR,
etc.).  I'm not sure if the X-foo-MailScanner-SpamVirus-Report header
contains something similar to what MailScanner logs:

Jul 21 02:50:06 mailscanner1 clamd[11617]:
/var/spool/MailScanner/incoming/11566/E609120168F6.A21E7.message:
Heuristics.Phishing.Email.SpoofedDomain FOUND
Jul 21 02:50:06 mailscanner1 MailScanner[11566]:
Clamd::INFECTED::Heuristics.Phishing.Email.SpoofedDomain ::
./E609120168F6.A21E7/
Jul 21 02:50:06 mailscanner1 MailScanner[11566]: Found spam based virus
Heuristics.Phishing.Email.SpoofedDomain in E609120168F6.A21E7

...Or if it is formatted a different way (which might impact how the rule's
regex is defined).  Does anyone have a sample of what the generated
X-foo-MailScanner-SpamVirus-Report header would look like when SpamAssassin
processes it, or a safe way to capture what it should look like on a
running system?
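One way to lay out the tiered scoring the post describes, as an added example that is not from the original post, MailScanner or SpamAssassin. It assumes the header value carries the signature name as it appears in the MailScanner log (e.g. Heuristics.Phishing.Email.SpoofedDomain), which is exactly the open question above; the rule names other than MS_FOUND_SPAMVIRUS and all scores are made up.

```spamassassin
# Added example (not from the original post). Assumes the header value
# contains the signature name as MailScanner logs it, e.g.
# "Heuristics.Phishing.Email.SpoofedDomain". Adjust the regexes once the
# real header format is confirmed. Rule names (except MS_FOUND_SPAMVIRUS,
# which the post mentions as already existing) and scores are illustrative.

# Lower the existing presence-only rule so the pattern rules carry the weight.
score    MS_FOUND_SPAMVIRUS        0.5

# Any ClamAV heuristic phishing signature: useful, but prone to false positives.
header   MS_SPAMVIRUS_PHISH_HEUR   X-foo-MailScanner-SpamVirus-Report =~ /\bHeuristics\.Phishing\./i
describe MS_SPAMVIRUS_PHISH_HEUR   Heuristic phishing signature (lower reliability)
score    MS_SPAMVIRUS_PHISH_HEUR   1.5

# The spoofed-domain heuristic in particular; scored separately so it can be
# tuned on its own if it turns out to be the noisiest one.
header   MS_SPAMVIRUS_SPOOFDOM     X-foo-MailScanner-SpamVirus-Report =~ /\bHeuristics\.Phishing\.Email\.SpoofedDomain\b/i
describe MS_SPAMVIRUS_SPOOFDOM     ClamAV SpoofedDomain heuristic
score    MS_SPAMVIRUS_SPOOFDOM     1.0

# Catch-all: the header is present but no heuristic pattern matched, i.e. a
# non-heuristic (signature-based) detection, which is treated as more reliable.
meta     MS_SPAMVIRUS_SIGNATURE    MS_FOUND_SPAMVIRUS && !MS_SPAMVIRUS_PHISH_HEUR
describe MS_SPAMVIRUS_SIGNATURE    Non-heuristic spam/phishing virus signature
score    MS_SPAMVIRUS_SIGNATURE    4.0
```

`spamassassin --lint` checks the file for syntax errors, and `spamassassin -t < sample.eml` on a message that already carries the header shows which of these rules fire.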