Is there an equivalent X-Amavis-AV-Status header for AM.PENPAL

steve steve at mailinglists.spectrumcs.net
Wed Nov 18 18:02:23 CET 2015 


Hi,

Perhaps I jumped the gun by emailing the list. Further research suggests that if a sender was a PenPal and thier message scored between $penpals_threshold_low and $sa_kill_level_deflt (so in my case higher than 1 but less than 10.0) then a negative score would be added based on how long ago the sender last sent the receipient a message (a maximum of minus $penpals_bonus_score).


$penpals_bonus_score = undef;  # maximal (positive) score value by which spam
# score is lowered when sender is known to have previously received mail
# from our local user from this mail system. Zero or undef disables
# pen pals lookups in Redis or in SQL tables msgs and msgrcpt, and
# is a default.
$penpals_halflife = 7*24*60*60; # exponential decay time constant in seconds;
# pen pal bonus is halved for each halflife period since the last mail
# sent by a local user to a current message's sender
$penpals_threshold_low = 1.0;   # SA score below which pen pals lookups are
# not performed to save time; undef lets the threshold be ignored;
$penpals_threshold_high = undef;
# when (SA_score - $penpals_bonus_score > $penpals_threshold_high)
# pen pals lookup will not be performed to save time, as it could not
# influence blocking of spam even at maximal penpals bonus (age=0);
# usual choice for value would be a kill level or other reasonably high
# value; undef lets the threshold be ignored and is a default (useful
# for testing and statistics gathering);

My conclusaion now is that I don't need Amavis AM.PENPAL status in spamassassin as Amavis will handle this after spamassasin's scanned the (message as long as the message scores less than 10 anyway)..

In fact, how I now read it is that Amavis doesn't perform a PenPal check until after SA has run so wouldn't be able to pass AM.PENPAL status to spamassassin in the first place.

Regards

Steve

-------- Original Message --------
Subject: Is there an equivalent X-Amavis-AV-Status header for AM.PENPAL (18-Nov-2015 16:33)
From:    steve <steve at mailinglists.spectrumcs.net>
To:      steve at mailinglists.spectrumcs.net

> 
> 
> Hi,
> 
> Today a lot of my users have been receiving a email with a dynamic Word 
> attachment which contains a macro.
> 
> I've tweaked the score I had for (Heuristics\.)?OLE2\.ContainsMacros from 4 
> to 10 in virus_name_to_spam_score_maps which is blocking the messages for 
> now. 
> 
> @virus_name_to_spam_score_maps =
>  (
>   new_RE (
>    ...
>    [ qr'^(Heuristics\.)?OLE2\.ContainsMacros' => 10.0 ],
>    ...
>   )
>  );
> 
> However I know from past experience that when I ramp up this score I get 
> complains from end users they they've not received a email "they always 
> used to get". I''m sure we all agree that sending or receiving emails with 
> macros enabled attachments is a no no, but unfortunately in the real work 
> daft things happen.
> 
> During further research I found this http://lists.amavis.org/pipermail/
> amavis-users/2011-October/000934.html which has allowed me to utilise 
> Amavis / ClamAVs detection of the macro in SpamAssassion
> 
> header __SCS_AV_MACRO X-Amavis-AV-Status =~ m{\bAV:(Heuristics\.)?OLE2\.
> ContainsMacros}i
> 
> What I was wondering is there a way I can pass Amavis AM.PENPAL status to 
> spamassassin? The long term goal being a meta rule in spamassassin which 
> checks if you're a PENPAL and a Macro sender then knock a few points off (
> or more likely if you're a Macro sender and not a PENPAL then add a load of 
> points on!)
> 
> Any thoughts gratefully received.
> 
> Regards
> 
> Steve
> This email is from Spectrum Computer Solutions Limited (Company Number 
> 04591631), a company registered in England and Wales with its registered 
> office at 331 Ansty Road, Wyken, Coventry, CV2 3FN.
> 
> DISCLAIMER
> This email is for the use of the intended recipient(s) only. If you have 
> received this email in error, please notify the sender immediately and then 
> delete it. 
> If you are not the intended recipient, you must not keep, use, disclose, 
> copy or distribute this email without the author’s prior permission. 
> We have taken precautions to minimise the risk of transmitting software 
> viruses, but we advise you to carry out your own virus checks on any 
> attachment to this message.
> We cannot accept liability for any loss or damage caused by software 
> viruses.
> The information contained in this communication may be confidential and may 
> be subject to the attorney-client privilege. 
> If you are the intended recipient and you do not wish to receive similar 
> electronic messages from us in future then please respond to the sender to 
> this effect.
> 
> 
> 
> To: amavis-users at amavis.org

This email is from Spectrum Computer Solutions Limited (Company Number 04591631), a company registered in England and Wales with its registered office at 331 Ansty Road, Wyken, Coventry, CV2 3FN.

DISCLAIMER
This email is for the use of the intended recipient(s) only. If you have received this email in error, please notify the sender immediately and then delete it. 
If you are not the intended recipient, you must not keep, use, disclose, copy or distribute this email without the author’s prior permission. 
We have taken precautions to minimise the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this message.
We cannot accept liability for any loss or damage caused by software viruses.
The information contained in this communication may be confidential and may be subject to the attorney-client privilege. 
If you are the intended recipient and you do not wish to receive similar electronic messages from us in future then please respond to the sender to this effect.

More information about the amavis-users mailing list