X-Amavis-Alert: BANNED, message contains x.com
Benny Pedersen
me at junc.eu
Thu Jul 18 00:20:18 CEST 2024
Thomas Barth wrote on 2024-07-17 10:21:
> 250 2.7.0 Ok, discarded, id=382000-05 - BANNED:
> .asc,5152170002814110420.bat
>
> However, the system notifies me by e-mail when an e-mail has been
> banned. But it really rarely happens. I just have to keep an eye on it.
okay with me :=)
but https://sanesecurity.com/ use foxhole signatures, then disabled
banned checks in amavisd, and then selectively select clamav sigs with
score of trust to accept or reject
in amavisd.conf
@virus_name_to_spam_score_maps =
(new_RE( # the order matters!
# [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ],
# [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ],
# [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],
# [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
# [ qr'^Sanesecurity\.' => 0.1 ],
# [ qr'^Sanesecurity_PhishBar_' => 0 ],
# [ qr'^Sanesecurity.TestSig_' => 0 ],
# [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
# [ qr'^Email\.Spammail\b' => 0.1 ],
# [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ],
# [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
# [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
# [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
# [ qr'^Safebrowsing\.' => 0.1 ],
# [ qr'^winnow\.(phish|spam)\.' => 0.1 ],
# [ qr'^INetMsg\.SpamDomain' => 0.1 ],
# [ qr'^Doppelstern\.(Scam4|Phishing|Junk)' => 0.1 ],
# [ qr'^ScamNailer\.' => 0.1 ],
# [ qr'^HTML/Bankish' => 0.1 ], # F-Prot
# [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
# [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives
# [ qr'^MBL_' => undef ], # keep as infected
#
# [ qr'^Porcupine\.Junk\.' => 3 ],
# [ qr'^Porcupine\.Malware\.' => 5 ],
# [ qr'^Porcupine\.Phishing\.' => 5 ],
# [ qr'^URLhaus\.' => 5 ],
# [ qr'^Sanesecurity\.Foxhole\.Mail_gz\.UNOFFICIAL' => 0.1 ],
[ qr'^Sanesecurity\.Foxhole\.Mail_iso\.UNOFFICIAL' => 1000 ],
[ qr'^Sanesecurity\.Foxhole\.Mail_exe\.UNOFFICIAL' => 1000 ],
[ qr'^Sanesecurity\.Foxhole\.Iso_exe\.UNOFFICIAL' => 1000 ],
[ qr'\.UNOFFICIAL' => 0.1 ],
)
);
add more maps to it so it will be rejected by score
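
Added example, not part of the original message and not amavisd's own code: a small Perl model of the ordered lookup that the "the order matters!" comment refers to, showing what changes if the catch-all `\.UNOFFICIAL` entry sits above the Foxhole entries. The helper `first_match_score`, the list names and the sample signature names are constructed for illustration, and top-to-bottom first-match behaviour is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model (assumption): entries are tried top to bottom and the
# first regex that matches the signature name decides the score.
sub first_match_score {
    my ($map, $name) = @_;
    for my $entry (@$map) {
        my ($re, $score) = @$entry;
        return (1, $score) if $name =~ $re;
    }
    return (0, undef);    # no entry matched
}

# The four active entries from the message, in the order posted.
my @as_posted = (
    [ qr'^Sanesecurity\.Foxhole\.Mail_iso\.UNOFFICIAL' => 1000 ],
    [ qr'^Sanesecurity\.Foxhole\.Mail_exe\.UNOFFICIAL' => 1000 ],
    [ qr'^Sanesecurity\.Foxhole\.Iso_exe\.UNOFFICIAL'  => 1000 ],
    [ qr'\.UNOFFICIAL'                                 => 0.1  ],
);

# Same entries with the catch-all moved to the top (the ordering mistake).
my @catch_all_first = ($as_posted[-1], @as_posted[0 .. $#as_posted - 1]);

# Constructed signature names, for illustration only.
my @names = (
    'Sanesecurity.Foxhole.Mail_exe.UNOFFICIAL',
    'Sanesecurity.Junk.12345.UNOFFICIAL',
    'Win.Test.EICAR_HDB-1',
);

for my $name (@names) {
    for my $case ([ 'as posted'       => \@as_posted ],
                  [ 'catch-all first' => \@catch_all_first ]) {
        my ($label, $map) = @$case;
        my ($hit, $score) = first_match_score($map, $name);
        printf "%-42s %-16s %s\n", $name, $label,
            $hit ? "score $score" : 'no match';
    }
}
```

With the posted order the Foxhole name gets 1000 and the other third-party name gets 0.1; with the catch-all first, the Foxhole name also falls to 0.1.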