Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/07/03 13:47:55 UTC

Re: Writing a rule to access SA ClamAV Plugin Header

Jonas Eckerman writes:
>  > There is a SpamAssassin plugin which checks messages with
>  > ClamAV, which adds the following header to emails
> 
>  > What I would like to do would be to score the ClamAV
>  > detection differently depending on whether it was
> 
> Your problem is that the ClamAV plugin doesn't add a header as 
> metadata to the message, so there is no header to check in rules.
> 
> Fortunately, you only have to add one single line to the plugin 
> in order to add the header. This is the line I've added here:
> 
> $permsgstatus->{msg}->put_metadata('ClamAV-Result',$header);
> 
> It's added directly before the line
> and makes it possible to use the header "ClamAV-Result" in rules 
> (and to get it from the mail object, which is what I do).
> 
> For your rules to work as is you'd want to add it as:
> 
> $permsgstatus->{msg}->put_metadata('X-Spam-Virus',$header);
> 
> Add the line directly above the line:
> 
> return $isspam;

This is a good idea.  I've modified the plugin code on the wiki to
include this.  Thanks, Jonas!

--j.

> Regards
> /Jonas
> 
> OliverScott wrote:
> > There is a SpamAssassin plugin which checks messages with ClamAV, which adds
> > the following header to emails it processes:
> > 
> > X-Spam-Virus: Yes ($VirusName)
> > 
> > http://wiki.apache.org/spamassassin/ClamAVPlugin
> > 
> > By default you can set a score in its clamav.cf file:
> > 
> > score CLAMAV 10
> > 
> > I am currently testing a 3rd party set of ClamAV definitions from a website
> > called www.sanesecurity.co.uk which look to be very effective against some
> > phishing and image spam emails. When it fires on an email the headers the
> > ClamAV plugin adds are as follows:
> > 
> > X-Spam-Virus: Yes ($Name.Sanesecurity)
> > 
> > What I would like to do would be to score the ClamAV detection differently
> > depending on whether it was detected by the ClamAV default signatures
> > (virus) or the Sanesecurity signatures (spam). I have tried adding the
> > following to local.cf but it doesn't seem to be working:
> > 
> > header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> > header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> > meta MY_CLAMAV (__MY_CLAMAV && !__MY_CLAMAV_SANE)
> > meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> > score MY_CLAMAV 10
> > score MY_CLAMAV_SANE 5
> > 
> > Any suggestions?
> 
> -- 
> Jonas Eckerman, FSDB & Fruktträdet
> http://whatever.frukt.org/
> http://www.fsdb.org/
> http://www.frukt.org/

Re: Writing a rule to access SA ClamAV Plugin Header

Posted by Wolfgang Zeikat <wo...@desy.de>.

On 07/24/07 15:00, Wolfgang Zeikat wrote:
 > In SA 3.1.8, I am trying to use the clamav plugin from
 > http://wiki.apache.org/spamassassin/ClamAVPlugin
 >
 > spamassassin -t -D output includes dbg: ClamAV: Detected virus:
 > Email.Stk.Gen596.Sanesecurity.07071900.pdf
 >
 > It adds a header X-Spam-Virus: Yes
 > (Email.Stk.Gen596.Sanesecurity.07071900.pdf) all right, but additional
 > rules to check for sanesecurity "virus" names are not matched.
 >
 > Rules:
 >
 > header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
 > header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
 > meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
 > score MY_CLAMAV_SANE 5
 >
 > Any suggestions what is going wrong?
 >

On 07/24/07 15:43, OliverScott wrote:

 > # Give the above rules a very late priority so that they can see the output
 > # of previous rules - otherwise they don't work! Not sure what the correct
 > # priority should be but this seems to work...

 > In your case you could fix what you have done (which looks to be taken from
 > one of my previous messages while trying to get this to work myself?)
 > by making it:
 >
 > header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
 > priority __MY_CLAMAV 9999
 > header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
 > priority __MY_CLAMAV_SANE 9999
 > meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
 > score MY_CLAMAV_SANE 5

(typo fixed)

 >
 >
 > Hope this helps!

Yes it does, thanks again.

 > full CLAMAV eval:check_clamav()
 > describe CLAMAV Clam AntiVirus detected something...
 > score CLAMAV 0.001

If you don't want CLAMAV to score (high), apparently you can rename it 
to __CLAMAV, works fine here.

To make the meta rule work too, I had to give it a higher priority 
number than the header rules, so that my working clamav.cf is now:

loadplugin ClamAV /etc/mail/spamassassin/clamav.pm
full __CLAMAV eval:check_clamav()
describe __CLAMAV Clam AntiVirus detected a virus

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9998

header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998

meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE 9999
score MY_CLAMAV_SANE 5

I hereby add this important information (IMHO) to
this thread that is linked on
http://wiki.apache.org/spamassassin/ClamAVPlugin


Regards,

wolfgang
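
The priority behaviour discussed in this thread, as an added example that is not part of the original posts or of the plugin: a simplified Python model in which rules run in ascending priority, header rules only see metadata already recorded, and meta rules only see hits already recorded. The within-priority order (header, then full, then meta) and the names `run_rules` and `ruleset` are assumptions made for illustration.

```python
import re

# Simplified scheduling model (an assumption for illustration, not
# SpamAssassin's code): ascending priority; within one priority the
# assumed order is header, full, meta.
TYPE_ORDER = {"header": 0, "full": 1, "meta": 2}

def run_rules(rules, scan_result):
    """Return the set of rule names that hit.
    scan_result is the signature name the scanner reports, or None."""
    metadata, hits = {}, set()
    ordered = sorted(rules, key=lambda r: (r["priority"], TYPE_ORDER[r["type"]]))
    for r in ordered:
        if r["type"] == "full":
            # Stand-in for check_clamav(): on a detection it records the
            # header as message metadata, like the put_metadata() line above.
            if scan_result:
                metadata["X-Spam-Virus"] = f"Yes ({scan_result})"
                hits.add(r["name"])
        elif r["type"] == "header":
            # A header rule can only match metadata that already exists.
            if re.search(r["pattern"], metadata.get(r["header"], ""), re.I):
                hits.add(r["name"])
        elif r["type"] == "meta":
            # A meta rule can only combine hits that were already recorded.
            if all(dep in hits for dep in r["requires"]):
                hits.add(r["name"])
    return hits

def ruleset(header_prio, meta_prio):
    """The thread's final clamav.cf rules, with configurable priorities."""
    return [
        {"name": "__CLAMAV", "type": "full", "priority": 0},
        {"name": "__MY_CLAMAV_SANE", "type": "header", "priority": header_prio,
         "header": "X-Spam-Virus", "pattern": r"Yes.{1,50}Sanesecurity"},
        {"name": "MY_CLAMAV_SANE", "type": "meta", "priority": meta_prio,
         "requires": ["__CLAMAV", "__MY_CLAMAV_SANE"]},
    ]

SAMPLE = "Email.Stk.Gen596.Sanesecurity.07071900.pdf"  # name quoted in the thread

if __name__ == "__main__":
    for prios in [(0, 0), (9998, 0), (9998, 9999)]:
        print(prios, sorted(run_rules(ruleset(*prios), SAMPLE)))
```
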