[SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins

**bhickey** · 12-01-2008, 09:48 AM

Has anyone implemented the FuzzyOCR plugin for SpamAssassin on a ZCS box? For the most part, spam is under control. However, a fair amount of image spam is still getting through unmarked.

**uxbod** · 12-02-2008, 12:19 AM

I have not implemented under ZCS but have used it. Are you stuck with setting it up or is it a general question ?

**bhickey** · 12-02-2008, 07:10 AM

Just a general question...At some point I'm going to install an edge MTA in front of my Zimbra box to handle virus and spam scanning. Until then I'd like to cut down on all the image spam I'm continuing to receive. I thought FuzzyOCR might provide some relief.

**uxbod** · 12-02-2008, 07:16 AM

Yes it will, but to be honest I have seen a real drop in image spam. The best method of combating these, IMHO, is to use the SaneSecurity signatures for ClamAV.

**bhickey** · 12-02-2008, 09:20 AM

I've been using SaneSecurity for a while now, but after reading your post I checked my zimbra.log file and I see no entries from "Sanes". Something must not be working correctly now.

**uxbod** · 12-02-2008, 10:11 AM

Yes, you have to modify both amavis and spamassassin as I have found. When I get back to my hotel will post some instructions

**bhickey** · 12-02-2008, 11:26 AM

That would be excellent. I had it working at some point (version 4.5.x).

**uxbod** · 12-02-2008, 12:56 PM

Okay here we go!

Update /opt/zimbra/conf/amavisd.conf.in with

Code:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
    [ qr'^Sanesecurity(\.[^., ]*)*\.'                             => 0.1 ],
    [ qr'^Sanesecurity_PhishBar_'                                 => 0   ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0   ],
    [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                           => 0.1 ],
    [ qr'^MBL_'                                 => undef ],  # keep as infected
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0.1 ],
    [ qr'-SecuriteInfo\.com(\.|\z)'             => undef ],  # keep as infected
  ));

ensure this is before 1; # insure a defined return
at the end of the file. Then ...

And then to update SA you need to edit /opt/zimbra/conf/salocal.cf.in with

Code:

################################################################################
# SaneSecurity & MSRBL Signatures
################################################################################
header L_AV_Phish       X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
header L_AV_SS_Malware  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
header L_AV_SS_Spam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|****|Spam[A-Za-z0-9]?|Stk|Junk)\.}
header L_AV_SS_Hdr      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
header L_AV_SS_Bounce   X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
header __L_AV_SS        X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
meta   L_AV_SS_other    __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img   X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
header L_AV_MSRBL_Spam  X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
header L_AV_MBL         X-Amavis-AV-Status =~ m{\bAV:MBL_}
header L_AV_SecInf      X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}

score  L_AV_Phish       14
score  L_AV_SS_Phish    5
score  L_AV_SS_PhishBar 0.5
score  L_AV_SS_Scam     8
score  L_AV_SS_Spam     8
score  L_AV_SS_Hdr      6
score  L_AV_SS_Img      3.5
score  L_AV_SS_Bounce   0.1
score  L_AV_SS_other    1
score  L_AV_SS_Malware  14
score  L_AV_MBL         14
score  L_AV_MSRBL_Img   3.5
score  L_AV_MSRBL_Spam  6
score  L_AV_SecInf      8

at the end of the file. You will then need to restart ZCS. Obviously you can tune the scores to your own requirements as 0.1 is very low, but there have been some FPs in the past. Any question please ask

enjoy.

**mmorse** · 12-02-2008, 01:42 PM

Definitely worth adding that to the improving anti-spam wiki!

**uxbod** · 12-02-2008, 01:48 PM

Will do that tomorrow as I snaffled it from the Internet ... also now using Justin Masons SA rules and a few others ... Just KAM ones to add now. It should be easier to include some of these things.