Current @virus_name_to_spam_score_maps?
Stef Simoens
stef+au at bgs.org
Tue Oct 28 23:16:06 CET 2014
Good question :-)
I’m using this after analysis of the different sources.
Please note that I’m running in a before-queue setup, and that viruses and spam scores > 25 are rejected during the SMTP submission.
@virus_name_to_spam_score_maps =
  (new_RE( # the order matters, first match wins
    # junk.ndb [Low] / jurlbl.ndb [Low] / phish.ndb [Low]
    # rogue.hdb [Low] / scam.ndb [Low] / spamimg.hdb [Low]
    # spamattach.hdb [Low] / blurl.ndb [Low]
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],
    [ qr'^Sanesecurity\.MalwareHash\.' => 25.0 ],
    [ qr'^Sanesecurity\.(PhisingTestSig|TestSig)' => 0.0 ],
    [ qr'^Sanesecurity\.Phishing\.' => 7.5 ],
    [ qr'^Sanesecurity\.' => 0.1 ],
    # ???
    [ qr'^Sanesecurity_PhishBar_' => 0 ],
    # winnow_malware.hdb [Low] / winnow_malware_links.ndb
    # winnow_extended_malware.hdb [Low] / winnow.attachments.hdb [Low]
    # winnow_bad_cw.hdb [Low]
    [ qr'^winnow\.(Exploit|Trojan|malware)\.' => undef ],
    [ qr'^winnow\.(botnet|compromised|trojan)' => undef ],
    [ qr'^winnow\.(exe|ms|JS)\.' => undef ],
    [ qr'^winnow\.phish\.' => 7.5 ],
    [ qr'^winnow\.' => 0.1 ],
    # bofhland
    [ qr'^Bofhland\.Malware\.' => 25.0 ],
    [ qr'^BofhlandMWFile' => 25.0 ],
    [ qr'^Bofhland\.Phishing\.' => 7.5 ],
    [ qr'^Bofhland\.' => 0.1 ],
    # CRDF
    [ qr'^CRDF\.(Backdoor|\.Gen\.Trojan|Malware|Trojan|Virus)' => 25.0 ],
    [ qr'^CRDF\.' => 0.10 ],
    # porcupine.ndb
    [ qr'^Porcupine\.(Malware|Trojan)\.' => undef ],
    [ qr'^Porcupine\.(Junk|Spammer)\.' => 0.1 ],
    [ qr'^Porcupine\.Phishing\.' => 7.5 ],
    [ qr'^Porcupine\.' => 0.01 ],
    # phishtank.ndb
    [ qr'^PhishTank\.Phishing\.' => 7.5 ],
    # SecuriteInfo.com
    [ qr'^SecuriteInfo\.com\.Spammer\.' => 2.5 ],
    [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
    [ qr'^Email\.Spammail\b' => 0.1 ],
    [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ],
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Safebrowsing\.' => 0.1 ],
    [ qr'^INetMsg\.SpamDomain' => 0.1 ],
    [ qr'^ScamNailer\.' => 0.1 ],
    [ qr'^HTML/Bankish' => 0.1 ], # F-Prot
    [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
    [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives
    [ qr'^MBL_' => undef ], # keep as infected
  ));
> On 28 Oct 2014, at 21:50, Andy Dills <andy at xecu.net> wrote:
>
>
> Hi,
>
> I'm using the clamav-unofficial-sigs port, and it occurs to me that the
> unofficial sigs have grown considerably in scope while my
> @virus_name_to_spam_score_maps is the same one from years ago. I haven't
> had any luck finding a current example...does anybody want to share their
> map?
>
> My current map (which was just taken from somebody else at somepoint and
> adjusted slightly):
>
> @virus_name_to_spam_score_maps =
> (new_RE( # the order matters, first match wins
> [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 1 ],
> [ qr'^(Heuristics\.)?Phishing\.' => 4 ],
> [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 4 ],
> [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
> [ qr'^Sanesecurity\.' => 1 ],
> [ qr'^Sanesecurity_PhishBar_' => 0 ],
> [ qr'^Sanesecurity.TestSig_' => 0 ],
> [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
> [ qr'^Email\.Spammail\b' => 1 ],
> [ qr'^MSRBL-(Images|SPAM)\b' => 1 ],
> [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 1 ],
> [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 1 ],
> [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 1 ],
> [ qr'^Safebrowsing\.' => 1 ],
> [ qr'^winnow\.(phish|spam)\.' => 1 ],
> [ qr'^INetMsg\.SpamDomain' => 1 ],
> [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 1 ],
> [ qr'^Bofhland\.Phishing' => 1 ],
> [ qr'^ScamNailer\.' => 1 ],
> [ qr'^HTML/Bankish' => 1 ], # F-Prot
> [ qr'^PORCUPINE_JUNK' => 1 ],
> [ qr'^PORCUPINE_PHISHING' => 1 ],
> [ qr'^Porcupine\.Junk' => 1 ],
> [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
> [ qr'^MBL_NA\.UNOFFICIAL' => 0.5 ], # false positives
> [ qr'^MBL_' => undef ], # keep as infected
> ));
>
>
> Thanks,
> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---
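The two maps above only make sense once you see how amavis walks them: the rules are tried top to bottom, the first regex that matches the scanner's virus name decides, a numeric value turns the detection into a spam-score penalty, and undef (or no match at all) leaves the message treated as infected. The following Python model is an added example written for this page; it is not amavis's own code nor either poster's. The rule list is a transcribed subset of Stef's map, with Perl's \z written as Python's \Z and None standing in for undef. The 25-point rejection threshold comes from Stef's description of his before-queue setup; summing penalties when a scanner reports several names, and the sample virus names, are this example's own constructions.

```python
import re
from typing import List, Optional, Sequence, Tuple

# One rule = (regex, score). None plays the role of Perl's undef: the name
# stays a virus and the message is handled as infected. A numeric score
# turns the detection into a spam-score penalty instead.
Rule = Tuple[str, Optional[float]]

# Constructed subset of Stef's map, in his order. Perl \z -> Python \Z.
STEF_MAP: Sequence[Rule] = [
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.', None),
    (r'^Sanesecurity\.MalwareHash\.', 25.0),
    (r'^Sanesecurity\.(PhisingTestSig|TestSig)', 0.0),
    (r'^Sanesecurity\.Phishing\.', 7.5),
    (r'^Sanesecurity\.', 0.1),
    (r'^winnow\.(Exploit|Trojan|malware)\.', None),
    (r'^winnow\.phish\.', 7.5),
    (r'^winnow\.', 0.1),
    (r'^Bofhland\.Malware\.', 25.0),
    (r'^Porcupine\.(Malware|Trojan)\.', None),
    (r'^Porcupine\.Phishing\.', 7.5),
    (r'^Porcupine\.', 0.01),
    (r'^PhishTank\.Phishing\.', 7.5),
    (r'-SecuriteInfo\.com(\.|\Z)', None),
    (r'^MBL_NA\.UNOFFICIAL', 0.1),
    (r'^MBL_', None),
]


def first_match(name: str, rules: Sequence[Rule]) -> Optional[int]:
    """Index of the first rule whose regex matches `name`, or None."""
    for i, (pattern, _) in enumerate(rules):
        if re.search(pattern, name):
            return i
    return None


def map_virus_name(name: str, rules: Sequence[Rule]) -> Optional[float]:
    """Score a detection the way the map does: the first matching rule
    decides. None (undef) or no match at all keeps the message infected."""
    i = first_match(name, rules)
    return None if i is None else rules[i][1]


def smtp_decision(names: Sequence[str], base_score: float,
                  rules: Sequence[Rule], reject_above: float = 25.0):
    """Model of Stef's before-queue policy: anything still infected is
    rejected, and so is a total spam score above `reject_above`.
    Returns (action, score); score is None for an infected verdict.
    Summing penalties over several reported names is this example's choice."""
    score = base_score
    for name in names:
        penalty = map_virus_name(name, rules)
        if penalty is None:
            return ("reject", None)
        score += penalty
    return ("reject" if score > reject_above else "accept", score)


def unreachable_rules(rules: Sequence[Rule], samples: Sequence[str]) -> List[int]:
    """Lint for the 'order matters, first match wins' comment: indexes of
    rules that match at least one sample name but never win, because an
    earlier (usually broader) rule always matches first."""
    winners = {first_match(n, rules) for n in samples}
    shadowed = []
    for j, (pattern, _) in enumerate(rules):
        if j in winners:
            continue
        if any(re.search(pattern, n) for n in samples):
            shadowed.append(j)
    return shadowed


if __name__ == "__main__":
    # Constructed sample names in the style the unofficial signatures use.
    for n in ("Sanesecurity.Malware.12345.UNOFFICIAL",
              "Sanesecurity.MalwareHash.A.UNOFFICIAL",
              "Sanesecurity.Junk.1.UNOFFICIAL",
              "Win.Trojan.Example-1"):
        print(f"{n:45s} -> {map_virus_name(n, STEF_MAP)}")
    # A 25.0 penalty on its own is not "> 25": the base score decides.
    print(smtp_decision(["Sanesecurity.MalwareHash.A.UNOFFICIAL"], 0.0, STEF_MAP))
    print(smtp_decision(["Sanesecurity.MalwareHash.A.UNOFFICIAL"], 1.0, STEF_MAP))
    # Putting the catch-all first silently demotes malware hits to 0.1.
    bad_order = [(r'^Sanesecurity\.', 0.1),
                 (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.', None)]
    print(unreachable_rules(bad_order, ["Sanesecurity.Malware.1.UNOFFICIAL"]))
```

Two things the run makes visible that the bare map does not: a 25.0 penalty (Sanesecurity.MalwareHash, Bofhland.Malware) only crosses a "> 25" rejection threshold once the message already carries some other score, and a catch-all such as ^Sanesecurity\. placed above its specific rules shadows them completely, which is exactly the mistake the "first match wins" comment warns about. Running unreachable_rules over a log of recently seen virus names is a cheap way to check a map after the unofficial signature sets grow.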