Re: [AMaViS-user] Modified scoring of ClamAV spam hits

John Beaver, 08-03-2007

Mark Martinec wrote:
> John,
>
>>> I'm still getting a few ZIPs, PDF, etc. getting through. I just noticed
>>> this scoring in one of the headers. Note the score for the
>>> sanesecurity=0.1:
>>>
>>> Res, score=5.819 tagged_above=2 required=4
>>> tests=[AV:Email.Stk.Gen592.Sanesecurity.07071801.pdf=0.1, BAYES_99=3.5,
>>> DKIM_POLICY_SIGNSOME=0, TVD_SPACE_RATIO=2.219]
>>>
>>> I am using amavisd-new with clamav 91.1. Where can I adjust this
>>> scoring?
>
> Bill Landry writes:
>> That depends on whether you are using a spamassassin .cf file for scoring
>> the header entries or if you're scoring them in amavisd.conf. I would guess
>> amavisd.conf since you would probably know if you set up a .cf file for
>> scoring these.
>>
>> In amavisd.conf, look for the section starting with:
>> @virus_name_to_spam_score_maps =
>> You can then adjust the individual SaneSecurity and/or MSRBL scores there.
>
> Right. Or better yet, add rules to a SpamAssassin config file (e.g. local.cf),
> as suggested in release notes. This is also a reason why scores assigned
> by amavisd itself are near-zero.
>


Figures, I missed reading the release notes...

I am using amavisd-new to call SA, so is SA called AFTER clamav (using
SA local.cf)? Just making sure which method will work best.

john

> amavisd-new-2.5.0 release notes
>
> Here is one example of such SA rules (some long lines are wrapped,
> these should be unwrapped before placing them into local.cf):
>
> header L_AV_Phish X-Amavis-AV-Status =~
> m{\b(Email|HTML)\.Phishing\.}i
> header L_AV_SS_Phish X-Amavis-AV-Status =~
> m{\b(Email|Html)\.Phishing(\.[^., ]*)*\.Sanesecurity\.}
> header L_AV_SS_Scam X-Amavis-AV-Status =~
> m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^., ]*)*\.Sanesecurity\.}
> header L_AV_SS_Spam X-Amavis-AV-Status =~
> m{\b(Email|Html)\.(Spam|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
> (\.[^., ]*)*\.Sanesecurity\.}
> header L_AV_SS_Hdr X-Amavis-AV-Status =~
> m{\b(Email|Html)\.Hdr(\.[^., ]*)*\.Sanesecurity\.}
> header L_AV_SS_Img X-Amavis-AV-Status =~
> m{\b(Email|Html)\.(Img|ImgO)(\.[^., ]*)*\.Sanesecurity\.}
> header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
> header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}
>
> score L_AV_Phish 14
> score L_AV_SS_Phish -3
> score L_AV_SS_Scam 8
> score L_AV_SS_Spam 8
> score L_AV_SS_Hdr 6
> score L_AV_SS_Img 3.5
> score L_AV_MSRBL_Img 3.5
> score L_AV_MSRBL_Spam 6
>
>
> Mark
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/...fo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
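
The rules quoted above, checked offline, as an added example that is not part of the original post or of amavisd-new: it unwraps four of the posted rules without introducing whitespace, compiles them with Python's `re` (standing in for the Perl regex engine SpamAssassin uses), and totals the scores for one header value. The `AV:<name>` header value format is an assumption based on the score line quoted in the thread, and the function names are illustrative.

```python
import re

# Four of the rules as posted (wrapped), with the quote markers removed.
# Unwrapping must not add whitespace inside m{...}: a stray space in an
# alternation such as "Dipl |Doc" would become part of the pattern.
WRAPPED_RULES = r"""
header L_AV_Phish X-Amavis-AV-Status =~
m{\b(Email|HTML)\.Phishing\.}i
header L_AV_SS_Phish X-Amavis-AV-Status =~
m{\b(Email|Html)\.Phishing(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_SS_Spam X-Amavis-AV-Status =~
m{\b(Email|Html)\.(Spam|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
(\.[^., ]*)*\.Sanesecurity\.}
header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
score L_AV_Phish 14
score L_AV_SS_Phish -3
score L_AV_SS_Spam 8
score L_AV_MSRBL_Img 3.5
"""

RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s*m\{(.*)\}(i?)$")
SCORE = re.compile(r"^score\s+(\S+)\s+(-?[\d.]+)$")

def load_rules(text):
    """Unwrap continuation lines; return ({name: regex}, {name: score})."""
    patterns, scores, pending = {}, {}, ""
    for line in text.strip().splitlines():
        m = SCORE.match(line)
        if m and not pending:
            scores[m.group(1)] = float(m.group(2))
            continue
        pending += line.strip()  # join with no separator
        m = RULE.match(pending)
        if m:  # the m{...} pattern is closed, so the rule is complete
            flags = re.I if m.group(4) else 0
            patterns[m.group(1)] = re.compile(m.group(3), flags)
            pending = ""
    return patterns, scores

def evaluate(av_status, patterns, scores):
    """Return (sorted names of rules that hit, summed score) for one value."""
    hits = sorted(n for n, p in patterns.items() if p.search(av_status))
    return hits, sum(scores.get(n, 0.0) for n in hits)

if __name__ == "__main__":
    patterns, scores = load_rules(WRAPPED_RULES)
    # Constructed header value built from the virus name quoted in the thread
    print(evaluate("AV:Email.Stk.Gen592.Sanesecurity.07071801.pdf", patterns, scores))
```

A signature name that hits both `L_AV_Phish` and `L_AV_SS_Phish` is scored by both rules, so the two scores add.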

