Question about scoring with sanesecurity signatures
njones at megan.vbhcs.org
Sat Oct 13 18:22:06 CEST 2012
On 10/13/2012 9:04 AM, Nikolaos Milas wrote:
> On 11/10/2012 12:11 AM, Noel Jones wrote:
>> In the case of doppelstern, you would need to be careful of the
>> virus names used. A quick look at the files suggests this might be
>> possible, but you'll need to check the virus names more carefully.
> Thanks Noel,
> How can I get a list of virus names used in each file (e.g. in
> "doppelstern.ndb" and in "doppelstern.hdb")?
> If we browse the file "doppelstern.ndb" (with a text editor), I see
> entries of the form:
> So, does this mean we can specify (in order to force scoring for
> these signatures):
> @virus_name_to_spam_score_maps =
> (new_RE( # the order matters!
> [ qr'^Doppelstern\.Hoax\.' => 5.0 ],
> [ qr'^Doppelstern\.Lott\.' => 5.0 ],
> [ qr'^Doppelstern\.Loan\.' => 5.0 ],
> [ qr'^Doppelstern\.Scam4\.' => 5.0 ],
> and the like, for other "Medium"-rated databases?
Yes, that's the right way. You should make sure these names aren't
used in any of the other databases; I don't know if Doppelstern has
any kind of published policy regarding name separation.
> Also, would you deem a value of "5.0" as a sensible *initial* value
> (based on experience) to avoid FPs? I have not used these rules
> again in the past, and I would appreciate some advice before
> migrating our production systems (i.e. our mail gateways) to the
> Postfix/Amavis/ClamAV/SpamAssassin platform.
Depends on your spam cutoff score. I would suggest starting with a
score 3 points or so below your spam score, so that this single rule
doesn't determine something to be spam.
-- Noel Jones
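As an added example (not code from this thread, nor from amavisd or the Doppelstern project), here is the name-separation check Noel recommends: pull the virus names out of each .ndb/.hdb file and report any @virus_name_to_spam_score_maps regex that also matches names in a database you did not intend to score. The field layouts assumed are ClamAV's documented .ndb and .hdb formats; the database names, virus names and hashes are constructed.

```python
import re
# ClamAV signature line formats parsed here:
#   .ndb  MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
#   .hdb  HashString:FileSize:MalwareName
# Constructed sample databases; names and hashes are hypothetical.
SAMPLE_DBS = {
    "doppelstern.ndb": [
        "Doppelstern.Hoax.Chain-1:0:*:48656c6c6f20776f726c64",
        "Doppelstern.Lott.Winner-2:0:*:596f752068617665",
        "# comment lines are skipped",
        "Doppelstern.Scam4.Advance-3:0:*:7472616e73666572",
    ],
    "doppelstern.hdb": [
        "0123456789abcdef0123456789abcdef:4096:Doppelstern.Loan.Offer-4",
    ],
    # another database reusing the Doppelstern.Lott prefix (constructed)
    "other.hdb": [
        "fedcba9876543210fedcba9876543210:2048:Doppelstern.Lott.Overlap-5",
    ],
}
# the regexes from the amavisd.conf map discussed in the thread
PATTERNS = [r"^Doppelstern\.Hoax\.", r"^Doppelstern\.Lott\.",
            r"^Doppelstern\.Loan\.", r"^Doppelstern\.Scam4\."]

def virus_names(filename, lines):
    """Return the set of malware names in one .ndb or .hdb signature file."""
    ext = filename.rsplit(".", 1)[-1]
    names = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if ext == "ndb" and len(fields) >= 4:
            names.add(fields[0])      # name is the first field
        elif ext == "hdb" and len(fields) >= 3:
            names.add(fields[2])      # name is the third field
    return names

def unintended_matches(dbs, patterns, intended):
    """Map each regex to databases outside `intended` whose names it matches:
    those signatures would silently receive the same spam score."""
    report = {}
    for pat in patterns:
        rx = re.compile(pat)
        hit = sorted(fn for fn, lines in dbs.items() if fn not in intended
                     and any(rx.search(n) for n in virus_names(fn, lines)))
        if hit:
            report[pat] = hit
    return report
```

Run it against the real files with something like `{fn: open(fn).read().splitlines() for fn in glob("/var/lib/clamav/*.[nh]db")}` in place of SAMPLE_DBS; any pattern in the report needs a tighter regex or a separate score entry before it goes into amavisd.conf.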