You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2005/12/01 08:32:14 UTC
Re[2]: What Optional Rules do I really need?
Wednesday, November 30, 2005, 11:59:23 AM, Matt wrote:
MK> I'm not well versed in picking the "minimalist" set for a low-resource site, but
MK> I can at least tell you what I know you should avoid.
MK> In general, the bigger the .cf file, the more resource intensive it will likely
MK> be. Admittedly this is a wildly inaccurate measure because of non-rule content,
MK> but it's better than nothing. I tend to be wary of .cf files over 128k, and I'd
MK> keep the total under 256k.
MK> FWIW, I personally like these SARE rulesets:
MK> 70_sare_adult.cf (SARE_ADULT)
MK> 70_sare_evilnum0.cf (SARE_EVILNUMBERS0)
MK> 70_sare_evilnum1.cf (SARE_EVILNUMBERS1)
MK> 70_sare_genlsubj0.cf (SARE_GENLSUBJ0)
MK> 70_sare_obfu0.cf (SARE_OBFU0)
MK> 70_sare_random.cf (SARE_RANDOM)
MK> 70_sare_specific.cf (SARE_SPECIFIC)
MK> 70_sare_uri0.cf (SARE_URI0)
MK> 99_sare_fraud_post25x.cf (SARE_FRAUD)
In addition, I suggest 70_sare_html0.cf -- all the 70_sare_*0.cf rules
files that I maintain are the ones which during SARE mass-checks hit
no ham, and hit significant (by our classification) spam.
Read the documentation in those *0.cf files, and you'll be able to
determine for yourself whether to also use the *1.cf files. If you're
tight on resources, stay away from 70_sare_obfu1.cf, though it is a
very powerful file and useful to many systems.
Bob Menschel
Re: What Optional Rules do I really need?
Posted by Nix <ni...@esperi.org.uk>.
On Fri, 2 Dec 2005, Rob Skedgell announced authoritatively:
> At the moment I have to use a condition in an Exim ACL to exclude
> HTML.Phishing.* "malware" from being discarded so that it can be
> filtered an reported.
Indeed.
You can do the same sort of thing if running sendmail and the
clamav-milter, but it's trickier. I use clamav-milter with the patch
below to put the name of the malware into the X-Virus-Infection-Name:
header, turn on --noreject, and then discard with procmail all mails
with that header present without the word `Phishing' in it.
diff -durN 0.87-orig/clamav-milter/clamav-milter.c 0.87/clamav-milter/clamav-milter.c
--- 0.87-orig/clamav-milter/clamav-milter.c 2005-09-15 23:24:41.000000000 +0100
+++ 0.87/clamav-milter/clamav-milter.c 2005-09-17 00:07:28.000000000 +0100
@@ -261,7 +261,7 @@
static int sendtemplate(SMFICTX *ctx, const char *filename, FILE *sendmail, const char *virusname);
static int qfile(struct privdata *privdata, const char *sendmailId, const char *virusname);
static int move(const char *oldfile, const char *newfile);
-static void setsubject(SMFICTX *ctx, const char *virusname);
+static void setinfected(SMFICTX *ctx, const char *virusname);
static int clamfi_gethostbyname(const char *hostname, struct hostent *hp, char *buf, size_t len);
static int isLocalAddr(in_addr_t addr);
static void clamdIsDown(void);
@@ -747,7 +747,7 @@
break;
case 'n': /* don't add X-Virus-Scanned */
nflag++;
- smfilter.xxfi_flags &= ~(SMFIF_ADDHDRS|SMFIF_CHGHDRS);
+ smfilter.xxfi_flags &= ~(SMFIF_CHGHDRS);
break;
case 'N': /* Do we reject mail or silently drop it */
rejectmail = 0;
@@ -830,26 +830,6 @@
}
port = argv[optind];
- if(verifyIncomingSocketName(port) < 0) {
- fprintf(stderr, _("%s: socket-addr (%s) doesn't agree with sendmail.cf\n"), argv[0], port);
- return EX_CONFIG;
- }
- if(strncasecmp(port, "inet:", 5) == 0)
- if(!lflag) {
- /*
- * Barmy but true. It seems that clamfi_connect will,
- * in this case, get the IP address of the machine
- * running sendmail, not of the machine sending the
- * mail, so the remote end will be a local address so
- * we must scan by enabling --local
- *
- * TODO: this is probably not needed if the remote
- * machine is localhost, need to check though
- */
- fprintf(stderr, _("%s: when using inet: connection to sendmail you must enable --local\n"), argv[0]);
- return EX_USAGE;
- }
-
/*
* Sanity checks on the clamav configuration file
*/
@@ -3050,10 +3030,10 @@
if(use_syslog)
syslog(LOG_DEBUG, "Redirected virus to %s", quarantine);
cli_dbgmsg("Redirected virus to %s\n", quarantine);
- setsubject(ctx, virusname);
+ setinfected(ctx, virusname);
}
} else if(advisory)
- setsubject(ctx, virusname);
+ setinfected(ctx, virusname);
else if(rejectmail) {
if(privdata->discard)
rc = SMFIS_DISCARD;
@@ -4240,22 +4220,12 @@
}
/*
- * Store the name of the virus in the subject of the e-mail
+ * Store the name of the virus in the X-Virus-Infection-Name header
*/
static void
-setsubject(SMFICTX *ctx, const char *virusname)
+setinfected(SMFICTX *ctx, const char *virusname)
{
- struct privdata *privdata = (struct privdata *)smfi_getpriv(ctx);
- char subject[128];
-
- if(privdata->subject)
- smfi_addheader(ctx, "X-Original-Subject", privdata->subject);
-
- snprintf(subject, sizeof(subject) - 1, _("[Virus] %s"), virusname);
- if(privdata->subject)
- smfi_chgheader(ctx, "Subject", 1, subject);
- else
- smfi_addheader(ctx, "Subject", subject);
+ smfi_addheader(ctx, "X-Virus-Infection-Name", virusname);
}
/*
--
`Y'know, London's nice at this time of year. If you like your cities
freezing cold and full of surly gits.' --- David Damerell
Re: What Optional Rules do I really need?
Posted by Rob Skedgell <ro...@nephelococcygia.demon.co.uk>.
On Friday 02 Dec 2005 07:44, Robert Menschel wrote:
> Hello User,
>
> Thursday, December 1, 2005, 4:26:43 PM, you wrote:
>
> UfSML> SARE_FRAUD was suggested but would this be a duplication when
> UfSML> we are running clamd virus scanner on all the mail?
>
> I don't think so. The fraud rules file is aimed at phishing emails.
> If clamd catches your phishing emails, then yes, it'd be a
> duplication. If clamd doesn't do too good a job on phish, then the
> fraud rules would be worth having.
When ClamAV 0.90 finally comes out it will be possible to disable the
detection of phishes as malware, so some people may consider SA rule
sets like SARE_FRAUD a more appropriate detection mechanism than AV
software.
See <http://www.clamav.net/faq.html#pagestart> (item 13).
At the moment I have to use a condition in an Exim ACL to exclude
HTML.Phishing.* "malware" from being discarded so that it can be
filtered an reported.
--
Rob Skedgell <ro...@nephelococcygia.demon.co.uk>
Re[3]: What Optional Rules do I really need?
Posted by User for SpamAssassin Mail List <sp...@pcez.com>.
Yes, clamd does a good job on phishing emails.
Thanks,
Ken Rea
On Thu, 1 Dec 2005, Robert Menschel wrote:
> Hello User,
>
> Thursday, December 1, 2005, 4:26:43 PM, you wrote:
>
> UfSML> SARE_FRAUD was suggested but would this be a duplication when
> UfSML> we are running clamd virus scanner on all the mail?
>
> I don't think so. The fraud rules file is aimed at phishing emails.
> If clamd catches your phishing emails, then yes, it'd be a
> duplication. If clamd doesn't do too good a job on phish, then the
> fraud rules would be worth having.
>
> Bob Menschel
>
>
>
Re[3]: What Optional Rules do I really need?
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello User,
Thursday, December 1, 2005, 4:26:43 PM, you wrote:
UfSML> SARE_FRAUD was suggested but would this be a duplication when
UfSML> we are running clamd virus scanner on all the mail?
I don't think so. The fraud rules file is aimed at phishing emails.
If clamd catches your phishing emails, then yes, it'd be a
duplication. If clamd doesn't do too good a job on phish, then the
fraud rules would be worth having.
Bob Menschel
Re: What Optional Rules do I really need?
Posted by Kelson <ke...@speed.net>.
User for SpamAssassin Mail List wrote:
> SARE_FRAUD was suggested but would this be a duplication when we are
> running clamd virus scanner on all the mail?
No, it wouldn't. They're aimed at different targets.
SARE_FRAUD is aimed mainly at advance fee fraud solicitations --
variations on the Nigerian or 419 scam, the International Lottery scams,
etc.
ClamAV's phishing rules are aimed more at, well, phishing. There may
still be some overlap with SARE_SPOOF, but as Matthew said, the more
filters aimed at it, the better.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re[2]: What Optional Rules do I really need?
Posted by User for SpamAssassin Mail List <sp...@pcez.com>.
Thanks Bob,
SARE_FRAUD was suggested but would this be a duplication when we are
running clamd virus scanner on all the mail?
Thanks,
Ken Rea
On Wed, 30 Nov 2005, Robert Menschel wrote:
> Wednesday, November 30, 2005, 11:59:23 AM, Matt wrote:
>
> MK> I'm not well versed in picking the "minimalist" set for a low-resource site, but
> MK> I can at least tell you what I know you should avoid.
>
> MK> In general, the bigger the .cf file, the more resource intensive it will likely
> MK> be. Admittedly this is a wildly inaccurate measure because of non-rule content,
> MK> but it's better than nothing. I tend to be wary of .cf files over 128k, and I'd
> MK> keep the total under 256k.
>
> MK> FWIW, I personally like these SARE rulesets:
>
> MK> 70_sare_adult.cf (SARE_ADULT)
> MK> 70_sare_evilnum0.cf (SARE_EVILNUMBERS0)
> MK> 70_sare_evilnum1.cf (SARE_EVILNUMBERS1)
> MK> 70_sare_genlsubj0.cf (SARE_GENLSUBJ0)
> MK> 70_sare_obfu0.cf (SARE_OBFU0)
> MK> 70_sare_random.cf (SARE_RANDOM)
> MK> 70_sare_specific.cf (SARE_SPECIFIC)
> MK> 70_sare_uri0.cf (SARE_URI0)
> MK> 99_sare_fraud_post25x.cf (SARE_FRAUD)
>
> In addition, I suggest 70_sare_html0.cf -- all the 70_sare_*0.cf rules
> files that I maintain are the ones which during SARE mass-checks hit
> no ham, and hit significant (by our classification) spam.
>
> Read the documentation in those *0.cf files, and you'll be able to
> determine for yourself whether to also use the *1.cf files. If you're
> tight on resources, stay away from 70_sare_obfu1.cf, though it is a
> very powerful file and useful to many systems.
>
> Bob Menschel
>
>
>