Amavis header and Spamassassin

Phil Daws via amavis-users amavis-users at amavis.org
Thu Jan 16 11:29:36 CET 2014


Actually am not sure if this is a problem.  On checking the log file for when ClamAV hit with a SaneSecurity signature I see:

Jan 16 10:03:40 mx amavis[5238]: (05238-04) Turning AV infection into a spam report: score=0, AV:Sanesecurity.Jurlbl.15421.UNOFFICIAL=0
Jan 16 10:03:42 mx amavis[5238]: (05238-04) do_notify_and_quarantine: spam level exceeds quarantine cutoff level 15

so believe it is more to do with a change in how AmaViS is logging.  Previously, IIRC, if the cutoff level was exceeded it would still log the spam-tag result.  It does not appear to do that anymore unless need to enable another setting ? Thanks.

----- Original Message -----
From: "Phil Daws via amavis-users" <amavis-users at amavis.org>
To: "Steve Scotter" <amavis-users at spectrumcs.net>
Cc: amavis-users at amavis.org
Sent: Wednesday, 15 January, 2014 11:19:52 PM
Subject: Re: Amavis header and Spamassassin

Hmm, my understanding was that if it's in the map then it's passed through via an invisible header of X-Amavis-AV-Status to SpamAssassin for scoring. Thanks.
----- Original Message -----
From: "Steve Scotter via amavis-users" <amavis-users at amavis.org>
To: amavis-users at amavis.org
Sent: Wednesday, 15 January, 2014 10:14:11 PM
Subject: Re: Amavis header and Spamassassin



Hi,

I may be wrong but I think you need to remove or comment out the...

 [ qr'Sanesecurity'    => 0 ],

The end result should look like...

@virus_name_to_spam_score_maps =
  (new_RE( [ qr'MSRBL'           => 0 ],
           [ qr'SecuriteInfo'    => 0 ],
           [ qr'MBL'             => 0 ],
           [ qr'winnow'          => 0 ],
           [ qr'INetMsg'         => 0 ],
           [ qr'Safebrowsing'    => 0 ],
           [ qr'ScamNailer'      => 0 ],
           [ qr'Email'           => 0 ],
           [ qr'HTML'            => 0 ],
           [ qr'JS.Redirect-2'   => 0 ],
  ));

--
http://www.ijs.si/software/amavisd/release-notes.txt states...

- make it possible for a virus scanner to derate an infection report
  to a spam report, contributing to spam score and to spam report/status.
  A new configuration variable @virus_name_to_spam_score_maps
  (also member of policy banks) can turn a reported virus name
  into a spam score. Its default setting is:

Steve

-------- Original Message --------
Subject: Amavis header and Spamassassin (15-Jan-2014 17:25)
From:    Phil Daws via amavis-users <amavis-users at amavis.org>
To:      amavis-users at spectrumcs.net

Hello all,

have just noticed an issue where emails are not being scored correctly when ClamAV is being used in conjunction with Amavisd-new and Spamassassin.  In my amavisd.conf I have set:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',                # let virus scanner see full original message
  qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',     # don't trust Archive::Zip
));

@virus_name_to_spam_score_maps =
  (new_RE( [ qr'Sanesecurity'    => 0 ],
           [ qr'MSRBL'           => 0 ],
           [ qr'SecuriteInfo'    => 0 ],
           [ qr'MBL'             => 0 ],
           [ qr'winnow'          => 0 ],
           [ qr'INetMsg'         => 0 ],
           [ qr'Safebrowsing'    => 0 ],
           [ qr'ScamNailer'      => 0 ],
           [ qr'Email'           => 0 ],
           [ qr'HTML'            => 0 ],
           [ qr'JS.Redirect-2'   => 0 ],
  ));

and within a local_site.cf under /etc/mail/spamassassin I have:

################################################################################
# SaneSecurity & MSRBL Signatures
################################################################################
header CLAM_SS     X-Amavis-AV-Status =~ m{Sanesecurity}
header CLAM_MSRBL  X-Amavis-AV-Status =~ m{MSRBL}
header CLAM_MBL    X-Amavis-AV-Status =~ m{MBL}
header CLAM_SI     X-Amavis-AV-Status =~ m{SecuriteInfo}
header CLAM_WN     X-Amavis-AV-Status =~ m{winnow}
header CLAM_IM     X-Amavis-AV-Status =~ m{INetMsg}
header CLAM_SB     X-Amavis-AV-Status =~ m{Safebrowsing}
header CLAM_SN     X-Amavis-AV-Status =~ m{ScamNailer}
header CLAM_CAV    X-Amavis-AV-Status =~ m{Email|HTML|JS.Redirect}
header CLAM_DS     X-Amavis-AV-Status =~ m{Doppelstern}

score  CLAM_SS     2.5
score  CLAM_MSRBL  1.5
score  CLAM_MBL    1.5
score  CLAM_SI     2.0
score  CLAM_WN     2.0
score  CLAM_IM     2.0
score  CLAM_SB     2.5
score  CLAM_SN     2.5
score  CLAM_CAV    1.0
score  CLAM_DS     1.0

but when I check my maillog mails which are hitting the Sanesecurity rules are not being converted to a score ?

Jan 15 15:42:20 mx amavis[19918]: (19918-07) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20140115T120108-19918-H3u_539H/parts INFECTED: Sanesecurity.Spam.11344.Dom.UNOFFICIAL
Jan 15 15:42:20 mx amavis[19918]: (19918-07) Turning AV infection into a spam report: score=0, AV:Sanesecurity.Spam.11344.Dom.UNOFFICIAL=0

The software revisions am running are:

amavisd-new-2.8.1-1.el6.x86_64
spamassassin-3.3.1-3.el6.x86_64
clamav-db-0.98-2.el6.x86_64
clamav-0.98-2.el6.x86_64
clamd-0.98-2.el6.x86_64

Any ideas please ? Thanks.
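
A way to cross-check the two configurations quoted in this thread, as an added example (not code from the posters or from amavisd-new): it parses the "Turning AV infection into a spam report" log lines shown above and lists which of the posted local_site.cf rules would match each signature name. It assumes the X-Amavis-AV-Status header value contains the signature names, which is what the posted rules match on; the function names are illustrative.

```python
import re

# Header rules and scores copied from the local_site.cf quoted in the thread.
SA_RULES = {
    "CLAM_SS": (r"Sanesecurity", 2.5), "CLAM_MSRBL": (r"MSRBL", 1.5),
    "CLAM_MBL": (r"MBL", 1.5), "CLAM_SI": (r"SecuriteInfo", 2.0),
    "CLAM_WN": (r"winnow", 2.0), "CLAM_IM": (r"INetMsg", 2.0),
    "CLAM_SB": (r"Safebrowsing", 2.5), "CLAM_SN": (r"ScamNailer", 2.5),
    "CLAM_CAV": (r"Email|HTML|JS.Redirect", 1.0),
    "CLAM_DS": (r"Doppelstern", 1.0),
}

# Log lines copied from the thread (the second one is a non-matching line).
LOG_LINES = [
    "Jan 15 15:42:20 mx amavis[19918]: (19918-07) Turning AV infection into "
    "a spam report: score=0, AV:Sanesecurity.Spam.11344.Dom.UNOFFICIAL=0",
    "Jan 16 10:03:42 mx amavis[5238]: (05238-04) do_notify_and_quarantine: "
    "spam level exceeds quarantine cutoff level 15",
    "Jan 16 10:03:40 mx amavis[5238]: (05238-04) Turning AV infection into "
    "a spam report: score=0, AV:Sanesecurity.Jurlbl.15421.UNOFFICIAL=0",
]

DERATE_RE = re.compile(r"\((?P<id>\d+-\d+)\) Turning AV infection into a spam "
                       r"report: score=(?P<total>-?[\d.]+), (?P<items>.+)$")
ITEM_RE = re.compile(r"AV:(?P<name>[^=,\s]+)=(?P<score>-?[\d.]+)")

def parse_derate(line):
    """Return the amavis id, map score and per-signature scores, or None."""
    m = DERATE_RE.search(line)
    if m is None:
        return None
    names = {i["name"]: float(i["score"]) for i in ITEM_RE.finditer(m["items"])}
    return {"id": m["id"], "map_score": float(m["total"]), "names": names}

def expected_sa_hits(names):
    """Posted rules whose pattern matches the signature names (assumed header value)."""
    value = ",".join(names)
    return {r: s for r, (pat, s) in SA_RULES.items() if re.search(pat, value)}

def derate_report(lines):
    """One record per derated infection, with the rule hits the config implies."""
    records = [rec for rec in map(parse_derate, lines) if rec is not None]
    for rec in records:
        rec["sa_hits"] = expected_sa_hits(rec["names"])
        rec["sa_score"] = sum(rec["sa_hits"].values())
    return records

if __name__ == "__main__":
    for rec in derate_report(LOG_LINES):
        print(rec["id"], rec["map_score"], rec["sa_hits"], rec["sa_score"])
```

Comparing `sa_score` here with the spam score amavis finally logs for the same id shows whether the header rules fired at all.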




