Question about scoring with sanesecurity signatures

Noel Jones njones at megan.vbhcs.org
Wed Oct 10 23:11:43 CEST 2012


On 10/10/2012 3:49 PM, Nikolaos Milas wrote:
> On 5/9/2012 8:57 PM, Noel Jones wrote:
> 
>> @virus_name_to_spam_score_maps =
>>    (new_RE(  # the order matters!
>>      [ qr'^ScamNailer\.Phish'  => 5.0 ], # phish scored at 5.
>>      [ qr'^ScamNailer\.'  => 4.0 ],  # others scored at 4.
>>   ));
> 
> By the way, what happens with dbases which differ only in extensions?
> 
> For example, "doppelstern.ndb" is medium, whereas "doppelstern.hdb"
> is low.
> 
> How would we require scoring for doppelstern.ndb only (and blocking
> for doppelstern.hdb) ?

In the score maps list, it looks for a match for the name.  If the
name is found, the score is applied (first match wins if there are
multiple matches).  If the name isn't found, the mail is handled as
a virus.  So your expressions would need to match those you want
scored, not match those you want rejected.

In the case of doppelstern, you would need to be careful of the
virus names used.  A quick look at the files suggests this might be
possible, but you'll need to check the virus names more carefully.



  -- Noel Jones
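
The lookup behaviour described in the reply above (first match wins, no match means the mail is handled as a virus), as an added example that is not part of the original post and is not amavisd code. The `lookup_score` helper and every signature name in `@names` are constructed for illustration; only the two ScamNailer patterns come from the quoted configuration.

```perl
#!/usr/bin/perl
# Stand-alone model of the ordered score-map lookup; it does not load amavisd.
use strict;
use warnings;

# Same patterns and order as the quoted map: the specific rule comes first.
my @score_map = (
    [ qr'^ScamNailer\.Phish' => 5.0 ],
    [ qr'^ScamNailer\.'      => 4.0 ],
);

# The same rules with the order swapped, to show why "the order matters".
my @swapped_map = reverse @score_map;

# Hypothetical helper: return the score of the first matching rule, or
# undef when no rule matches (the case where the mail is handled as a virus).
sub lookup_score {
    my ($name, @map) = @_;
    for my $rule (@map) {
        my ($re, $score) = @$rule;
        return $score if $name =~ $re;
    }
    return;
}

# Constructed names; check the real names in your own signature files.
my @names = (
    'ScamNailer.Phish.Constructed-1',
    'ScamNailer.Spam.Constructed-2',
    'Constructed.Other.Signature-3',
);

for my $name (@names) {
    for my $case ([ 'as quoted', \@score_map ], [ 'swapped', \@swapped_map ]) {
        my ($label, $map) = @$case;
        my $score = lookup_score($name, @$map);
        printf "%-32s %-10s %s\n", $name, $label,
            defined $score ? "spam score $score" : 'no match: handled as virus';
    }
}
```

With the swapped order the general `^ScamNailer\.` rule shadows the phish rule, so the phish name is scored 4 instead of 5. The third name matches nothing in either map and falls through to virus handling.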

