Question about scoring with sanesecurity signatures

Nikolaos Milas nmilas at
Sat Oct 13 16:04:45 CEST 2012

On 11/10/2012 12:11 AM, Noel Jones wrote:

> In the case of doppelstern, you would need to be careful of the
> virus names used.  A quick look at the files suggests this might be
> possible, but you'll need to check the virus names more carefully.

Thanks Noel,

How can I get a list of virus names used in each file (e.g. in 
"doppelstern.ndb" and in "doppelstern.hdb")?

If we browse the file "doppelstern.ndb" (with a text editor), I see 
entries of the form:
So, does this mean we can specify (in order to force scoring for these 

@virus_name_to_spam_score_maps =
    (new_RE(  # the order matters!
      [ qr'^Doppelstern\.Hoax\.'  => 5.0 ],
      [ qr'^Doppelstern\.Lott\.'  => 5.0 ],
      [ qr'^Doppelstern\.Loan\.'  => 5.0 ],
      [ qr'^Doppelstern\.Scam4\.'  => 5.0 ],

and the like, for other "Medium"-rated databases?

Also, would you deem a value of "5.0" as a sensible *initial* value 
(based on experience) to avoid FPs? I have not used these rules in 
the past, and I would appreciate some advice before migrating our 
production systems (i.e. our mail gateways) to the 
Postfix/Amavis/ClamAV/SpamAssassin platform.
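
One way to list the signature names in each file and check them against the score-map patterns, as an added example that is not part of the original message. It assumes ClamAV's text database layouts (name in the first colon-separated field of a `.ndb` line, third field of a `.hdb` line); the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not copied from the real doppelstern files).
SAMPLE_NDB = """\
Doppelstern.Hoax.Example-1:4:*:6578616d706c65
Doppelstern.Hoax.Example-2:4:*:73616d706c65
Doppelstern.Lott.Example-1:4:*:6c6f7474
Doppelstern.Other.Example-1:4:*:6f74686572
"""
SAMPLE_HDB = """\
0123456789abcdef0123456789abcdef:1024:Doppelstern.Scam4.Example-1
"""

# Index of the name field, by database extension.
NAME_FIELD = {"ndb": 0, "hdb": 2}

# The four patterns from the score map quoted in the message.
PATTERNS = [r"^Doppelstern\.Hoax\.", r"^Doppelstern\.Lott\.",
            r"^Doppelstern\.Loan\.", r"^Doppelstern\.Scam4\."]

def signature_names(text, kind):
    """Return the name field of every line, skipping blanks and '#' lines."""
    idx = NAME_FIELD[kind]
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) > idx:
            names.append(fields[idx])
    return names

def families(names, depth=2):
    """Count names by their first `depth` dot-separated components."""
    return Counter(".".join(n.split(".")[:depth]) for n in names)

def uncovered(names, patterns):
    """Names that none of the score-map patterns would match."""
    compiled = [re.compile(p) for p in patterns]
    return [n for n in names if not any(c.search(n) for c in compiled)]

if __name__ == "__main__":
    names = signature_names(SAMPLE_NDB, "ndb") + signature_names(SAMPLE_HDB, "hdb")
    for fam, count in sorted(families(names).items()):
        print(f"{count:5d}  {fam}")
    print("not covered:", uncovered(names, PATTERNS))
```

To run it on real databases, read each file's contents into `signature_names` with the matching extension; the family counts show which name prefixes a file actually uses before any of them is given a score.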

