clamav and virus_name_to_spam_score_maps

Mark Martinec Mark.Martinec+amavis at ijs.si
Mon Oct 24 20:26:26 CEST 2011


Alex,

> I have a fedora15 install with spamassassin-3.3.2, amavisd-new-2.6.6,
> and clamav-0.97.2 and I'd like to figure out how to use
> virus_name_to_spam_score_maps effectively.
> 
> I don't have this map defined in my current config file. How can I see
> what the current configuration for this map is?

Defaults are documented in the file amavisd.conf-default, which comes
with the amavisd distribution. The ultimate authority is the amavisd file
itself: search for: @virus_name_to_spam_score_maps
and a multiline assignment to it (the second search match I believe).

> Why are the scores for their entries so low?

This is explained in release notes when the feature was first
introduced:

  The information is also available to SA rules in the form of a synthetic
  header field X-Amavis-AV-Status which will be seen by SA only (not inserted
  into passed or quarantined mail). One has a choice to adjust scores either
  in the @virus_name_to_spam_score_maps in amavisd.conf, or by providing rules
  to match on the provided header field. Doing it by SA rules has the advantage
  of letting other SA rules contribute their score points, possibly preventing
  a false positive of a ClamAV rule, or pushing the score even higher for clean
  bounce suppression. It also allows auto-whitelisting in SpamAssassin to
  account for these score points. In addition, it makes more sense when checks
  are cached and the result reused later for some other message with the same
  contents in the body.

  Here is one example of such SA rules (some long lines are wrapped,
  these should be unwrapped before placing them into local.cf):

    header L_AV_Phish      X-Amavis-AV-Status =~
      m{\b(Email|HTML)\.Phishing\.}im
    header L_AV_SS_Phish   X-Amavis-AV-Status =~
      m{\b(Email|Html)\.Phishing(\.[^., ]*)*\.Sanesecurity\.}m
    header L_AV_SS_Scam    X-Amavis-AV-Status =~
      m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^., ]*)*\.Sanesecurity\.}m
    header L_AV_SS_Spam    X-Amavis-AV-Status =~
      m{\b(Email|Html)\.(Spam|Bou|Stk|Loan|Lott|Cred|Job|Dipl|Doc)
        (\.[^., ]*)*\.Sanesecurity\.}m
    header L_AV_SS_Hdr     X-Amavis-AV-Status =~
      m{\b(Email|Html)\.Hdr(\.[^., ]*)*\.Sanesecurity\.}m
    header L_AV_SS_Img     X-Amavis-AV-Status =~
      m{\b(Email|Html)\.(Img|ImgO)(\.[^., ]*)*\.Sanesecurity\.}m
    header L_AV_MSRBL_Img  X-Amavis-AV-Status =~ m{\bMSRBL-Images/}m
    header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}m
    header L_AV_Scam       X-Amavis-AV-Status =~ m{\bScamNailer\.}i

    score  L_AV_Phish      14
    score  L_AV_SS_Phish   -3
    score  L_AV_SS_Scam    8
    score  L_AV_SS_Spam    8
    score  L_AV_SS_Hdr     6
    score  L_AV_SS_Img     3.5
    score  L_AV_MSRBL_Img  3.5
    score  L_AV_MSRBL_Spam 6
    score  L_AV_Scam       8

Btw, here is my current set of SpamAssassin rules (in local.cf) to deal
with X-Amavis-AV-Status:

header L_AV_Phish       X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
header L_AV_Scam        X-Amavis-AV-Status =~ m{\bAV:ScamNailer\.Phish\.}i
header L_AV_Spam        X-Amavis-AV-Status =~ m{\bAV:Email\.Spammail}i
header L_AV_PhishHeur   X-Amavis-AV-Status =~ m{\bAV:Phishing\.Heuristics\.}i
header L_AV_DS_Phish    X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Phishing\.}i
header L_AV_DS_Scam     X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Scam}i
header L_AV_DS_Junk     X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Junk\.}i
header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
header L_AV_SS_TestSig  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.TestSig_}
header L_AV_SS_Spear    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Spear}
header L_AV_SS_Malware  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
header L_AV_SS_Spam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Lott|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.}
header L_AV_SS_Hdr      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO|SpamImg)\.}
header L_AV_SpamDomain  X-Amavis-AV-Status =~ m{^INetMsg\.SpamDomain\b}
header L_AV_SS_Bounce   X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
header __L_AV_SS        X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
meta   L_AV_SS_other    __L_AV_SS && !(L_AV_SS_PhishBar || L_AV_SS_Phish || L_AV_SS_TestSig || L_AV_SS_Spear || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img   X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
header L_AV_MSRBL_Spam  X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
header L_AV_MBL         X-Amavis-AV-Status =~ m{\bAV:MBL_(?!NA\.UNOFFICIAL)}
header L_AV_SecInf      X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
header L_AV_Any         X-Amavis-AV-Status =~ m{\bAV:}

score  L_AV_Phish       14
score  L_AV_Scam        10
score  L_AV_Spam        5
score  L_AV_SpamDomain  6
score  L_AV_PhishHeur   5
score  L_AV_DS_Phish    14
score  L_AV_DS_Scam     10
score  L_AV_DS_Junk     8
score  L_AV_SS_Phish    5
score  L_AV_SS_PhishBar 0.5
score  L_AV_SS_TestSig  0.123
score  L_AV_SS_Spear    4
score  L_AV_SS_Scam     8
score  L_AV_SS_Spam     8
score  L_AV_SS_Hdr      6
score  L_AV_SS_Img      3.5
score  L_AV_SS_Bounce   0.1
score  L_AV_SS_other    1
score  L_AV_SS_Malware  14
score  L_AV_MBL         14
score  L_AV_MSRBL_Img   3.5
score  L_AV_MSRBL_Spam  6
score  L_AV_SecInf      8
score  L_AV_Any         2

and the corresponding assignment in amavisd.conf:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'          => undef ],  # keep as infected
    [ qr'^Sanesecurity\.'                                  => 0.1 ],
    [ qr'^Sanesecurity_PhishBar_'                          => 0   ],
    [ qr'^Sanesecurity\.TestSig_'                          => 0   ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0   ],
    [ qr'^Email\.Spammail\b'                               => 0.1 ],
    [ qr'^MSRBL-(Images|SPAM)\b'                           => 0.1 ],
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'            => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'          => 0.1 ],
    [ qr'^Safebrowsing\.'                                  => 0.1 ],
    [ qr'^winnow\.(phish|spam)\.'                          => 0.1 ],
    [ qr'^INetMsg\.SpamDomain'                             => 0.1 ],
    [ qr'^Doppelstern\.(Scam4|Phishing|Junk)'              => 0.1 ],
    [ qr'^ScamNailer\.'                                    => 0.1 ],
    [ qr'^HTML/Bankish'                                    => 0.1 ],  # F-Prot
    [ qr'-SecuriteInfo\.com(\.|\z)'         => undef ],  # keep as infected
    [ qr'^MBL_NA\.UNOFFICIAL'               => 0.1 ],    # false positives
    [ qr'^MBL_'                             => undef ],  # keep as infected
  ));

> What is the proper syntax to make InetMsg.SpamDomain a poison pill,
> and convert the message to spam (or virus, as the case may be)
> immediately?

Included in the above example (L_AV_SpamDomain).

  Mark

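The ordered, first-match lookup that the @virus_name_to_spam_score_maps assignment above relies on, re-implemented as an added Python example (not code from the post or from amavisd). The patterns are a subset of Mark's map in his order, the detection names are constructed, and None stands for Perl's undef:

```python
import re

# Subset of the map from the post, in the author's order. None plays the role
# of Perl's undef: the hit is kept as a real infection rather than being
# turned into spam score points.
VIRUS_NAME_TO_SPAM_SCORE = [
    (r'^(Heuristics\.)?Phishing\.',                  0.1),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)', 0.1),
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.',     None),  # keep as infected
    (r'^Sanesecurity\.',                             0.1),
    (r'^Sanesecurity_PhishBar_',                     0),
    (r'^MSRBL-(Images|SPAM)\b',                      0.1),
    (r'^INetMsg\.SpamDomain',                        0.1),
    (r'^MBL_NA\.UNOFFICIAL',                         0.1),   # false positives
    (r'^MBL_',                                       None),  # keep as infected
]

NO_MATCH = object()  # sentinel: no pattern in the map applied

def first_match(score_map, name):
    """Return the score of the first pattern matching the detection name
    (a number, or None for 'keep as infected'), or NO_MATCH if nothing matches."""
    for pattern, score in score_map:
        if re.search(pattern, name):
            return score
    return NO_MATCH

def classify(name, score_map=VIRUS_NAME_TO_SPAM_SCORE):
    """'infected' when the name is unmapped or mapped to None; otherwise the
    spam score contribution that this detection name would add."""
    score = first_match(score_map, name)
    return 'infected' if score is None or score is NO_MATCH else score

# Constructed detection names in ClamAV's style ('.UNOFFICIAL' marks a hit
# from a third-party signature database).
SAMPLES = [
    'Sanesecurity.Malware.24.UNOFFICIAL',      # specific rule first: infected
    'Sanesecurity.Phishing.Cur.7.UNOFFICIAL',  # generic Sanesecurity rule: 0.1
    'MBL_NA.UNOFFICIAL',                       # known false positive: 0.1
    'MBL_50621.UNOFFICIAL',                    # other MBL hits stay infected
    'Win.Trojan.Agent-1234',                   # not in the map: infected
]

if __name__ == '__main__':
    for name in SAMPLES:
        print(f'{name:42} -> {classify(name)}')
    # Reversing the list shows why the comment says the order matters: the
    # generic ^Sanesecurity\. entry now swallows the Malware hits as 0.1.
    reversed_map = list(reversed(VIRUS_NAME_TO_SPAM_SCORE))
    print('reversed:', classify('Sanesecurity.Malware.24.UNOFFICIAL', reversed_map))
```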