uxbod, 12-02-2008, 12:56 PM

Okay here we go!

Update /opt/zimbra/conf/amavisd.conf.in with
Code:
@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
    [ qr'^Sanesecurity(\.[^., ]*)*\.'                             => 0.1 ],
    [ qr'^Sanesecurity_PhishBar_'                                 => 0   ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0   ],
    [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                           => 0.1 ],
    [ qr'^MBL_'                                 => undef ],  # keep as infected
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0.1 ],
    [ qr'-SecuriteInfo\.com(\.|\z)'             => undef ],  # keep as infected
  ));

Ensure this is before "1; # insure a defined return" at the end of the file. Then ...

And then to update SA you need to edit /opt/zimbra/conf/salocal.cf.in with
Code:
################################################################################
# SaneSecurity & MSRBL Signatures
################################################################################
header L_AV_Phish       X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
header L_AV_SS_Malware  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
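# NOTE: the '****' alternative in the next rule is masked on the page; a '*' with
# nothing to quantify is not a valid regex, so restore the original category name before use.
header L_AV_SS_Spam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|****|Spam[A-Za-z0-9]?|Stk|Junk)\.}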
header L_AV_SS_Hdr      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
header L_AV_SS_Bounce   X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
header __L_AV_SS        X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
meta   L_AV_SS_other    __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img   X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
header L_AV_MSRBL_Spam  X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
header L_AV_MBL         X-Amavis-AV-Status =~ m{\bAV:MBL_}
header L_AV_SecInf      X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}

score  L_AV_Phish       14
score  L_AV_SS_Phish    5
score  L_AV_SS_PhishBar 0.5
score  L_AV_SS_Scam     8
score  L_AV_SS_Spam     8
score  L_AV_SS_Hdr      6
score  L_AV_SS_Img      3.5
score  L_AV_SS_Bounce   0.1
score  L_AV_SS_other    1
score  L_AV_SS_Malware  14
score  L_AV_MBL         14
score  L_AV_MSRBL_Img   3.5
score  L_AV_MSRBL_Spam  6
score  L_AV_SecInf      8

at the end of the file. You will then need to restart ZCS. Obviously you can tune the scores to your own requirements, as 0.1 is very low, but there have been some FPs in the past. Any questions, please ask. Enjoy.
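An added example (not part of the original post, and not amavisd's own code): a small Perl script that models a first-match lookup over the table from the post, to show what its "the order matters!" comment protects against. The signature names and the `first_match` and `verdict` helpers are constructed for illustration, and the first-match-wins behaviour is an assumption taken from the post's comments.

```perl
use strict;
use warnings;
# Table copied from the post; undef means "keep as infected".
my @map = (
  [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'                 => undef ],
  [ qr'^Sanesecurity(\.[^., ]*)*\.'                             => 0.1 ],
  [ qr'^Sanesecurity_PhishBar_'                                 => 0   ],
  [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0   ],
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                           => 0.1 ],
  [ qr'^MBL_'                                                   => undef ],
  [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0.1 ],
  [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
  [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0.1 ],
  [ qr'-SecuriteInfo\.com(\.|\z)'                               => undef ],
);

# Model (assumption, per the post's comments): the first matching entry decides.
sub first_match {
  my ($name, $table) = @_;
  for my $i (0 .. $#$table) {
    return ($i, $table->[$i][1]) if $name =~ $table->[$i][0];
  }
  return;    # no entry matched
}

# Human-readable outcome for one signature name against one table.
sub verdict {
  my ($name, $table) = @_;
  my ($i, $score) = first_match($name, $table);
  return 'no entry, infected' unless defined $i;
  return defined $score ? "entry $i, spam score $score" : "entry $i, infected";
}

# Constructed signature names, for illustration only.
my @names = qw(
  Sanesecurity.Malware.1234.UNOFFICIAL
  Sanesecurity.Junk.5678.UNOFFICIAL
  MBL_1234.UNOFFICIAL
  Email.Spam.Gen1.Example-SecuriteInfo.com
  Win.Trojan.Example-SecuriteInfo.com
  Eicar-Test-Signature
);

# Same table with the first two entries swapped, i.e. the wrong order.
my @swapped = @map;
@swapped[0, 1] = @swapped[1, 0];
for my $n (@names) {
  printf "%-42s %-26s swapped: %s\n", $n, verdict($n, \@map), verdict($n, \@swapped);
}
```

With the entries swapped, the constructed Sanesecurity.Malware name hits the broad Sanesecurity pattern first and is reported with a 0.1 spam score instead of staying infected.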