Question about scoring with sanesecurity signatures
Noel Jones
njones at megan.vbhcs.org
Tue Oct 9 17:18:18 CEST 2012
On 10/9/2012 2:58 AM, Nikolaos Milas wrote:
> On 5/9/2012 8:57 μμ, Noel Jones wrote:
>
>> @virus_name_to_spam_score_maps =
>> (new_RE( # the order matters!
>> [ qr'^ScamNailer\.Phish' => 5.0 ], # phish scored at 5.
>> [ qr'^ScamNailer\.' => 4.0 ], # others scored at 4.
>> ));
>
> Hello,
>
> Would it be possible to force scoring to 0.0 to effectively disable
> a set of rules, like:
>
> @virus_name_to_spam_score_maps =
> (new_RE(
> [ qr'^ScamNailer\.' => 0.0 ]
> ));
>
> ...??
>
I suppose that would work, but if you're not going to use an add-on
signature set, don't download it.

> Also, are there any suggestions based on experience for such
> sanesecurity score maps, aiming at eliminating (or reducing to a
> very very low rate) false positives? We can stand some false
> negatives, but it is very important to avoid false positives.
>
> Any advice or reference would be appreciated.

http://www.sanesecurity.com/databases.htm
In my experience the "FP Risk" column is correct -- I can't remember
the last FP from any "Low" list, I'm sure it's been months/millions
of messages. HOWEVER, mileage may vary; my mail is not your mail.
You'll need to come up with scores that fit your local policy.
-- Noel Jones
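
The "order matters" comment in the quoted map, shown as an added example that is not part of the original thread and is not amavisd's own code: a stand-alone Perl model of a first-match lookup over the same regex/score pairs, including the 0.0 map from the question. The helper `first_match_score` and the signature names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Model of a first-match lookup over an ordered list of [regex => score]
# pairs. first_match_score() is a hypothetical helper, not an amavisd function.
sub first_match_score {
    my ($name, @map) = @_;
    for my $entry (@map) {
        my ($re, $score) = @$entry;
        return $score if $name =~ $re;   # first matching entry wins
    }
    return;                              # no entry matched this name
}

# Order from the thread: the specific pattern comes before the general one.
my @specific_first = (
    [ qr'^ScamNailer\.Phish' => 5.0 ],
    [ qr'^ScamNailer\.'      => 4.0 ],
);

# Same entries reversed: the general pattern shadows the specific one,
# so the 5.0 entry can never be reached.
my @general_first = reverse @specific_first;

# Map from the question: every ScamNailer name contributes 0.0.
my @zeroed = ( [ qr'^ScamNailer\.' => 0.0 ] );

# Constructed signature names, for illustration only.
my @names = (
    'ScamNailer.Phish.Example',
    'ScamNailer.Spam.Example',
    'Other.Vendor.Example',
);

my $show = sub { my $s = shift; defined $s ? sprintf('%.1f', $s) : 'none' };

printf "%-26s %-15s %-14s %s\n",
    'signature', 'specific first', 'general first', 'zeroed';
for my $name (@names) {
    printf "%-26s %-15s %-14s %s\n", $name,
        $show->(scalar first_match_score($name, @specific_first)),
        $show->(scalar first_match_score($name, @general_first)),
        $show->(scalar first_match_score($name, @zeroed));
}
```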