Question about scoring with sanesecurity signatures

Noel Jones njones at megan.vbhcs.org
Sat Oct 13 18:22:06 CEST 2012


On 10/13/2012 9:04 AM, Nikolaos Milas wrote:
> On 11/10/2012 12:11 AM, Noel Jones wrote:
> 
>> In the case of doppelstern, you would need to be careful of the
>> virus names used.  A quick look at the files suggests this might be
>> possible, but you'll need to check the virus names more carefully.
> 
> Thanks Noel,
> 
> How can I get a list of virus names used in each file (e.g. in
> "doppelstern.ndb" and in "doppelstern.hdb")?
> 
> If we browse the file "doppelstern.ndb" (with a text editor), I see
> entries of the form:
> ...
> Doppelstern.Hoax.3:4:*:53686f636b696e6720696e666f2061626f7574206e6577204a455355532066696c6d202d20506c6561736520667764
> 
> Doppelstern.Lott.37:4:*:46726f6d3a20224555524f204d494c4c494f4e
> Doppelstern.Loan.14:4:*:4c6f616e204f666665722047756172616e74656564
> Doppelstern.Lott.39:7:0:77652061726520706c6561736520746f20616e6e6f756e636520746f20796f75207468617420796f757220656d61696c206164647265737320656d657267656420616c6f6e6720736964652034206f746865727320617320612063617465676f727920322077696e6e6572
> 
> Doppelstern.Scam4.160:7:0:6d757475616c2062656e65666974
> ...
> So, does this mean we can specify (in order to force scoring for
> these signatures):
> 
> @virus_name_to_spam_score_maps =
>    (new_RE(  # the order matters!
>      [ qr'^Doppelstern\.Hoax\.'  => 5.0 ],
>      [ qr'^Doppelstern\.Lott\.'  => 5.0 ],
>      [ qr'^Doppelstern\.Loan\.'  => 5.0 ],
>      [ qr'^Doppelstern\.Scam4\.'  => 5.0 ],
>      ...
>   ));
> 
> and the like, for other "Medium"-rated databases?

Yes, that's the right way.  You should make sure these names aren't
used in any of the other databases; I don't know if Doppelstern has
any kind of published policy regarding name separation.

> Also, would you deem a value of "5.0" as a sensible *initial* value
> (based on experience) to avoid FPs? I have not used these rules
> again in the past, and I would appreciate some advice before
> migrating our production systems (i.e. our mail gateways) to the
> Postfix/Amavis/ClamAV/SpamAssassin platform.

Depends on your spam cutoff score.  I would suggest starting with a
score 3 points or so below your spam score, so that this single rule
doesn't determine something to be spam.


  -- Noel Jones
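Two points from the thread lend themselves to a small script: the question of how to list the virus names a Sanesecurity/Doppelstern database declares, and Noel's advice to make sure the names a `@virus_name_to_spam_score_maps` regex keys on are not also used by another database. The following is an added example, not code from this thread or from amavisd; the file names and the shortened signature lines are constructed, and it relies only on the public ClamAV text formats (`.ndb` is `Name:TargetType:Offset:HexSignature`, `.hdb` is `MD5:FileSize:Name`).

```python
import re

# Constructed sample databases in ClamAV's two text formats:
#   .ndb  ->  Name:TargetType:Offset:HexSignature
#   .hdb  ->  MD5:FileSize:Name
# Names and hex fragments are shortened versions of those quoted in the thread.
SAMPLE_FILES = {
    "doppelstern.ndb": (
        "Doppelstern.Hoax.3:4:*:53686f636b696e67\n"
        "Doppelstern.Lott.37:4:*:46726f6d3a2022\n"
        "Doppelstern.Scam4.160:7:0:6d757475616c\n"
    ),
    "doppelstern.hdb": "d41d8cd98f00b204e9800998ecf8427e:1234:Doppelstern.Lott.40\n",
    "other.ndb": (
        "Sanesecurity.Junk.1:4:*:48656c6c6f\n"
        "Sanesecurity.Scam.2:4:*:4c6f616e\n"
    ),
}

def signature_names(db_name, text):
    """Return the set of virus names declared in one .ndb or .hdb body."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if db_name.endswith(".ndb"):
            names.add(fields[0])      # .ndb: name is the first field
        elif db_name.endswith(".hdb"):
            names.add(fields[2])      # .hdb: name is the third field
    return names

def family_prefixes(db_name, text):
    """'Doppelstern.Lott.37' -> 'Doppelstern.Lott.': the prefixes a map regex keys on."""
    return sorted({n.rsplit(".", 1)[0] + "." for n in signature_names(db_name, text)})

def files_matched_by(pattern, files):
    """List the databases containing at least one name that the map regex matches."""
    rx = re.compile(pattern)
    return sorted(db for db, text in files.items()
                  if any(rx.search(n) for n in signature_names(db, text)))

if __name__ == "__main__":
    for db, text in SAMPLE_FILES.items():
        print(db, family_prefixes(db, text))
    # An anchored pattern, as in the thread, stays inside the Doppelstern databases ...
    print(files_matched_by(r"^Doppelstern\.Scam4\.", SAMPLE_FILES))
    # ... while an unanchored one would also score another vendor's signatures.
    print(files_matched_by(r"Scam", SAMPLE_FILES))
```

Run `files_matched_by` over the real `.ndb`/`.hdb` files in your ClamAV database directory for each regex you intend to put in the map; any hit outside the database you meant to score is a name collision to resolve before the score goes live.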
