Posted to users@spamassassin.apache.org by Munroe Sollog <so...@digiraticonsulting.com> on 2011/05/09 00:55:34 UTC

SaneSecurity custom rules

I am working on adding some rules to SA so that SA adds more points when
detecting a signature.  Here is a pastebin of the headers and the rules:

http://pastebin.com/qnwbSq5d

It should be adding 4 points as per my rule, but as it is it is only
adding 0.1 points.
-- 
Munroe Sollog
Digirati Consulting
www.digiraticonsulting.com
610-332-7234 x805

Re: SaneSecurity custom rules

Posted by Mark Martinec <Ma...@ijs.si>.
> header L_AV_Unofficial  X-Amavis-AV-Status =~
>   m{\bAV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL\b}
> Which seems to be scoring 4 just fine:
> X-Spam-Status: ... tests=[.. L_AV_Unofficial=4

Indeed.
 
> The weird part is this:
> 
> X-Spam-Status: ...
> tests=[AV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL=0.1
> 
> You seem to have a very strangely named test
> "AV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL" with a score of 0.1, which
> isn't defined anywhere in the example you gave.

The AV:Sanesecurity... hit is inserted directly by amavisd,
based on your @virus_name_to_spam_score_map setting.

It is common to have such amavisd rules to score low and then
have a SpamAssassin rule on the same or similar AV pattern for a
higher score, the way you have it. This way other SpamAssassin
mechanisms like Bayes, AWL, autolearning can benefit from it.

  Mark
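
The split described in this reply, as an added example that is not part of the original thread: a parser for the tests=[...] list in X-Spam-Status that separates SpamAssassin rule hits from entries injected by amavisd. The sample header is constructed (the BAYES_50 entry and the total are made up), and the name check assumes SpamAssassin rule names contain only letters, digits and underscores, so an "AV:..." entry cannot be an SA rule.

```python
import re

# Constructed sample in the X-Spam-Status layout quoted in the thread.
# BAYES_50 and the score total are invented for illustration.
SAMPLE = (
    "X-Spam-Status: Yes, score=4.9 "
    "tests=[AV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL=0.1,\n"
    "\tBAYES_50=0.8, L_AV_Unofficial=4] autolearn=no"
)

# Assumption: SA rule names are letters, digits and underscore only.
SA_RULE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# re.S lets the list span folded (multi-line) header continuation lines.
TESTS = re.compile(r"tests=\[([^\]]*)\]", re.S)


def split_hits(header):
    """Return (sa_hits, injected_hits), each a dict of name -> score."""
    sa_hits, injected_hits = {}, {}
    match = TESTS.search(header)
    if not match:
        return sa_hits, injected_hits
    for item in match.group(1).split(","):
        item = item.strip()
        # Split on the last '=' so odd characters in the name are kept.
        name, sep, score = item.rpartition("=")
        if not sep or not name:
            continue
        try:
            value = float(score)
        except ValueError:
            continue  # skip entries without a numeric score
        target = sa_hits if SA_RULE_NAME.match(name) else injected_hits
        target[name] = value
    return sa_hits, injected_hits


if __name__ == "__main__":
    sa, injected = split_hits(SAMPLE)
    print("SpamAssassin rules:", sa)
    print("Injected (not SA rule names):", injected)
```

Run against a real header, the second dict lists the entries that will not be found in any SpamAssassin rule file, which is where the 0.1 in this thread came from.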

Re: SaneSecurity custom rules

Posted by da...@chaosreigns.com.
On 05/08, Munroe Sollog wrote:
> I am working on adding some rules to SA so that SA adds more points when
> detecting a signature.  Here is a pastebin of the headers and the rules:
> 
> http://pastebin.com/qnwbSq5d
> 
> It should be adding 4 points as per my rule, but as it is it is only
> adding 0.1 points.

It looks like you're talking about one specific rule, and then gave us an
example with a pile of custom rules without telling us which one you were
talking about.  Which is annoying.

But I think it's this one:

header L_AV_Unofficial  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL\b}

Which seems to be scoring 4 just fine:

X-Spam-Status: ... tests=[.. L_AV_Unofficial=4

The weird part is this:

X-Spam-Status: ... tests=[AV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL=0.1

You seem to have a very strangely named test
"AV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL" with a score of 0.1, which
isn't defined anywhere in the example you gave.

-- 
"Forget not that the earth delights to feel your bare feet and the winds
long to play with your hair." - Kahlil Gibran
http://www.ChaosReigns.com