Current @virus_name_to_spam_score_maps?
Andy Dills
andy at xecu.net
Tue Oct 28 21:50:38 CET 2014
Hi,
I'm using the clamav-unofficial-sigs port, and it occurs to me that the
unofficial sigs have grown considerably in scope while my
@virus_name_to_spam_score_maps is the same one from years ago. I haven't
had any luck finding a current example...does anybody want to share their
map?
My current map (which was just taken from somebody else at somepoint and
adjusted slightly):
@virus_name_to_spam_score_maps =
(new_RE( # the order matters, first match wins
[ qr'^Structured\.(SSN|CreditCardNumber)\b' => 1 ],
[ qr'^(Heuristics\.)?Phishing\.' => 4 ],
[ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 4 ],
[ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
[ qr'^Sanesecurity\.' => 1 ],
[ qr'^Sanesecurity_PhishBar_' => 0 ],
[ qr'^Sanesecurity.TestSig_' => 0 ],
[ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
[ qr'^Email\.Spammail\b' => 1 ],
[ qr'^MSRBL-(Images|SPAM)\b' => 1 ],
[ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 1 ],
[ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 1 ],
[ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 1 ],
[ qr'^Safebrowsing\.' => 1 ],
[ qr'^winnow\.(phish|spam)\.' => 1 ],
[ qr'^INetMsg\.SpamDomain' => 1 ],
[ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 1 ],
[ qr'^Bofhland\.Phishing' => 1 ],
[ qr'^ScamNailer\.' => 1 ],
[ qr'^HTML/Bankish' => 1 ], # F-Prot
[ qr'^PORCUPINE_JUNK' => 1 ],
[ qr'^PORCUPINE_PHISHING' => 1 ],
[ qr'^Porcupine\.Junk' => 1 ],
[ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
[ qr'^MBL_NA\.UNOFFICIAL' => 0.5 ], # false positives
[ qr'^MBL_' => undef ], # keep as infected
));
Thanks,
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
More information about the amavis-users
mailing list