Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/07/03 13:47:55 UTC
Re: Writing a rule to access SA ClamAV Plugin Header
Jonas Eckerman writes:
> > There is a SpamAssassin plugin which checks messages with
> > ClamAV, which adds the following header to emails
>
> > What I would like to do would be to score the ClamAV
> > detection differently depending on whether it was
>
> Your problem is that the ClamAV plugin doesn't add a header as
> metadata to the message, so there is no header to check in rules.
>
> Fortunately, you only have to add one single line to the plugin
> in order to add the header. This is the line I've added here:
>
> $permsgstatus->{msg}->put_metadata('ClamAV-Result',$header);
>
> It's added directly before the line
> and makes it possible to use the header "ClamAV-Result" in rules
> (and to get it from the mail object, which is what I do).
>
> For your rules to work as is you'd want to add it as:
>
> $permsgstatus->{msg}->put_metadata('X-Spam-Virus',$header);
>
> Add the line directly above the line:
>
> return $isspam;
This is a good idea. I've modified the plugin code on the wiki to
include this. Thanks, Jonas!
--j.
> Regards
> /Jonas
>
> OliverScott wrote:
> > There is a SpamAssassin plugin which checks messages with ClamAV, which adds
> > the following header to emails it processes:
> >
> > X-Spam-Virus: Yes ($VirusName)
> >
> > http://wiki.apache.org/spamassassin/ClamAVPlugin
> >
> > By default you can set a score in its clamav.cf file:
> >
> > score CLAMAV 10
> >
> > I am currently testing a 3rd party set of ClamAV definitions from a website
> > called www.sanesecurity.co.uk which look to be very effective against some
> > phishing and image spam emails. When it fires on an email the headers the
> > ClamAV plugin adds are as follows:
> >
> > X-Spam-Virus: Yes ($Name.Sanesecurity)
> >
> > What I would like to do would be to score the ClamAV detection differently
> > depending on whether it was detected by the ClamAV default signatures
> > (virus) or the Sanesecurity signatures (spam). I have tried adding the
> > following to local.cf but it doesn't seem to be working:
> >
> > header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> > header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> > meta MY_CLAMAV (__MY_CLAMAV && !__MY_CLAMAV_SANE)
> > meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> > score MY_CLAMAV 10
> > score MY_CLAMAV_SANE 5
> >
> > Any suggestions?
>
> --
> Jonas Eckerman, FSDB & Fruktträdet
> http://whatever.frukt.org/
> http://www.fsdb.org/
> http://www.frukt.org/
Re: Writing a rule to access SA ClamAV Plugin Header
Posted by Wolfgang Zeikat <wo...@desy.de>.
On 07/24/07 15:00, Wolfgang Zeikat wrote:
> In SA 3.1.8, I am trying to use the clamav plugin from
> http://wiki.apache.org/spamassassin/ClamAVPlugin
>
> spamassassin -t -D output includes dbg: ClamAV: Detected virus:
> Email.Stk.Gen596.Sanesecurity.07071900.pdf
>
> It adds a header X-Spam-Virus: Yes
> (Email.Stk.Gen596.Sanesecurity.07071900.pdf) all right, but additional
> rules to check for sanesecurity "virus" names are not matched.
>
> Rules:
>
> header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> score MY_CLAMAV_SANE 5
>
> Any suggestions what is going wrong?
>
On 07/24/07 15:43, OliverScott wrote:
> # Give the above rules a very late priority so that they can see the output
> # of previous rules - otherwise they don't work! Not sure what the correct
> # priority should be but this seems to work...
> In your case you could fix what you have done (which looks to be taken from
> one of my previous messages while trying to get this to work myself?)
> by making it:
>
> header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> priority __MY_CLAMAV 9999
> header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> priority __MY_CLAMAV_SANE 9999
> meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> score MY_CLAMAV_SANE 5
(typo fixed)
>
>
> Hope this helps!
Yes it does, thanks again.
> full CLAMAV eval:check_clamav()
> describe CLAMAV Clam AntiVirus detected something...
> score CLAMAV 0.001
If you don't want CLAMAV to score (high), apparently you can rename it
to __CLAMAV, works fine here.
To make the meta rule work too, I had to give it a higher priority
number than the header rules, so that my working clamav.cf is now:
loadplugin ClamAV /etc/mail/spamassassin/clamav.pm
full __CLAMAV eval:check_clamav()
describe __CLAMAV Clam AntiVirus detected a virus
header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9998
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998
meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE 9999
score MY_CLAMAV_SANE 5
I hereby add this important information (IMHO) to
this thread that is linked on
http://wiki.apache.org/spamassassin/ClamAVPlugin
Regards,
wolfgang
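
Added example (not part of the thread and not code from the ClamAV plugin): a small Python check that takes the ordering reported above as its assumption and flags header rules reading X-Spam-Virus without a late priority, and meta rules whose priority is not higher than those header rules. The function name check_priorities and both sample rule sets are constructed for illustration.

```python
import re

# Constructed samples: the first is the rule set from the thread that did not
# match, the second follows the clamav.cf reported as working.
BROKEN_CF = """\
header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5
"""
WORKING_CF = """\
full __CLAMAV eval:check_clamav()
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998
meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE 9999
score MY_CLAMAV_SANE 5
"""

def check_priorities(cf_text, plugin_header="X-Spam-Virus"):
    """Warn about rules that read plugin_header without the ordering from the thread."""
    late, metas, priority = set(), {}, {}
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        if kind == "header" and rest.split()[0].lower() == plugin_header.lower():
            late.add(name)          # header rule that tests the plugin's header
        elif kind == "meta":
            metas[name] = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", rest))
        elif kind == "priority":
            priority[name] = int(rest)
    warnings = []
    for name in sorted(late):
        # Assumption taken from the thread: these rules need a late priority.
        if priority.get(name, 0) <= 0:
            warnings.append(f"{name}: reads {plugin_header} but has no late priority")
    for meta, deps in sorted(metas.items()):
        for dep in sorted(deps & late):
            # Assumption taken from the thread: the meta must run after its header rules.
            if priority.get(meta, 0) <= priority.get(dep, 0):
                warnings.append(f"{meta}: priority must be higher than {dep}")
    return warnings

if __name__ == "__main__":
    for label, cf in (("broken", BROKEN_CF), ("working", WORKING_CF)):
        print(label, check_priorities(cf) or "ok")
```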