Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2005/12/02 08:44:08 UTC

Re[3]: What Optional Rules do I really need?

Hello User,

Thursday, December 1, 2005, 4:26:43 PM, you wrote:

UfSML> SARE_FRAUD was suggested but would this be a duplication when
UfSML> we are running clamd virus scanner on all the mail?

I don't think so.  The fraud rules file is aimed at phishing emails.
If clamd catches your phishing emails, then yes, it'd be a
duplication. If clamd doesn't do too good a job on phish, then the
fraud rules would be worth having.

Bob Menschel




Re: What Optional Rules do I really need?

Posted by Nix <ni...@esperi.org.uk>.
On Fri, 2 Dec 2005, Rob Skedgell announced authoritatively:
> At the moment I have to use a condition in an Exim ACL to exclude 
> HTML.Phishing.* "malware" from being discarded so that it can be 
> filtered and reported.

Indeed.

You can do the same sort of thing if running sendmail and the
clamav-milter, but it's trickier. I use clamav-milter with the patch
below to put the name of the malware into the X-Virus-Infection-Name:
header, turn on --noreject, and then discard with procmail all mails
with that header present without the word `Phishing' in it.

diff -durN 0.87-orig/clamav-milter/clamav-milter.c 0.87/clamav-milter/clamav-milter.c
--- 0.87-orig/clamav-milter/clamav-milter.c	2005-09-15 23:24:41.000000000 +0100
+++ 0.87/clamav-milter/clamav-milter.c	2005-09-17 00:07:28.000000000 +0100
@@ -261,7 +261,7 @@
 static	int	sendtemplate(SMFICTX *ctx, const char *filename, FILE *sendmail, const char *virusname);
 static	int	qfile(struct privdata *privdata, const char *sendmailId, const char *virusname);
 static	int	move(const char *oldfile, const char *newfile);
-static	void	setsubject(SMFICTX *ctx, const char *virusname);
+static	void	setinfected(SMFICTX *ctx, const char *virusname);
 static	int	clamfi_gethostbyname(const char *hostname, struct hostent *hp, char *buf, size_t len);
 static	int	isLocalAddr(in_addr_t addr);
 static	void	clamdIsDown(void);
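Review bot: renaming setsubject() to setinfected() here changes the user-visible behaviour of the --advisory and quarantine paths from rewriting the Subject to adding a header, but nothing in the patch touches the usage text or man page that describes the "[Virus] ..." Subject tag; update that documentation in the same change.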
@@ -747,7 +747,7 @@
 				break;
 			case 'n':	/* don't add X-Virus-Scanned */
 				nflag++;
-				smfilter.xxfi_flags &= ~(SMFIF_ADDHDRS|SMFIF_CHGHDRS);
+				smfilter.xxfi_flags &= ~(SMFIF_CHGHDRS);
 				break;
 			case 'N':	/* Do we reject mail or silently drop it */
 				rejectmail = 0;
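Review bot: the case 'n' branch now leaves SMFIF_ADDHDRS set, presumably so that the smfi_addheader() call in setinfected() still works when X-Virus-Scanned is suppressed, but the comment on that case still reads "don't add X-Virus-Scanned" and nothing states why only SMFIF_CHGHDRS is cleared; add a comment giving the intent. With the smfi_chgheader() call in setsubject() gone, SMFIF_CHGHDRS appears unused, so consider dropping it from the milter's advertised flags rather than clearing it only under -n.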
@@ -830,26 +830,6 @@
 	}
 	port = argv[optind];
 
-	if(verifyIncomingSocketName(port) < 0) {
-		fprintf(stderr, _("%s: socket-addr (%s) doesn't agree with sendmail.cf\n"), argv[0], port);
-		return EX_CONFIG;
-	}
-	if(strncasecmp(port, "inet:", 5) == 0)
-		if(!lflag) {
-			/*
-			 * Barmy but true. It seems that clamfi_connect will,
-			 * in this case, get the IP address of the machine
-			 * running sendmail, not of the machine sending the
-			 * mail, so the remote end will be a local address so
-			 * we must scan by enabling --local
-			 *
-			 * TODO: this is probably not needed if the remote
-			 * machine is localhost, need to check though
-			 */
-			fprintf(stderr, _("%s: when using inet: connection to sendmail you must enable --local\n"), argv[0]);
-			return EX_USAGE;
-		}
-
 	/*
 	 * Sanity checks on the clamav configuration file
 	 */
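Review bot: this hunk removes two start-up sanity checks that are unrelated to the header change: the verifyIncomingSocketName() comparison against sendmail.cf and the requirement that an inet: socket be combined with --local. The deleted comment explains that on an inet: socket the remote end appears to be a local address, so without --local such mail is not scanned; removing the check lets a misconfigured installation start and silently skip scanning. Split this out into its own patch with a justification, or at least keep the inet:/--local check.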
@@ -3050,10 +3030,10 @@
 				if(use_syslog)
 					syslog(LOG_DEBUG, "Redirected virus to %s", quarantine);
 				cli_dbgmsg("Redirected virus to %s\n", quarantine);
-				setsubject(ctx, virusname);
+				setinfected(ctx, virusname);
 			}
 		} else if(advisory)
-			setsubject(ctx, virusname);
+			setinfected(ctx, virusname);
 		else if(rejectmail) {
 			if(privdata->discard)
 				rc = SMFIS_DISCARD;
@@ -4240,22 +4220,12 @@
 }
 
 /*
- * Store the name of the virus in the subject of the e-mail
+ * Store the name of the virus in the X-Virus-Infection-Name header
  */
 static void
-setsubject(SMFICTX *ctx, const char *virusname)
+setinfected(SMFICTX *ctx, const char *virusname)
 {
-	struct privdata *privdata = (struct privdata *)smfi_getpriv(ctx);
-	char subject[128];
-
-	if(privdata->subject)
-		smfi_addheader(ctx, "X-Original-Subject", privdata->subject);
-
-	snprintf(subject, sizeof(subject) - 1, _("[Virus] %s"), virusname);
-	if(privdata->subject)
-		smfi_chgheader(ctx, "Subject", 1, subject);
-	else
-		smfi_addheader(ctx, "Subject", subject);
+        smfi_addheader(ctx, "X-Virus-Infection-Name", virusname);
 }
 
 /*
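Review bot: setinfected() appends the header with smfi_addheader() without first deleting any X-Virus-Infection-Name: header already present in the incoming message, so a sender can pre-seed that header and a downstream procmail rule keyed on it will see both values; delete existing instances first (smfi_chgheader() with a NULL value, which means SMFIF_CHGHDRS is still needed), or make the filter trust only the copy this hop adds. The smfi_addheader() return value is unchecked, as it was before, and the new line is indented with spaces where the rest of the file uses tabs.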


-- 
`Y'know, London's nice at this time of year. If you like your cities
 freezing cold and full of surly gits.' --- David Damerell
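As an added example, not part of Nix's post or of clamav-milter, here is a .procmailrc recipe implementing the discard rule described above: it assumes the patched clamav-milter runs with --noreject and adds the X-Virus-Infection-Name: header exactly as in the patch, and it quarantines to a folder (the folder and mail directory names are assumptions) instead of discarding outright.

```procmail
# Added example: act on the X-Virus-Infection-Name: header that the
# patched clamav-milter adds when run with --noreject.
# $HOME/Mail and the quarantine folder name are assumptions.
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/procmail.log

# Header present and its value does not mention Phishing: the scanner
# named real malware. Quarantine (with a lock file for mbox delivery)
# rather than send to /dev/null, so a copy survives for verification.
:0:
* ^X-Virus-Infection-Name:
* !^X-Virus-Infection-Name:.*Phishing
$MAILDIR/virus-quarantine

# Messages tagged HTML.Phishing.* fall through to the rest of the
# rc file, where SpamAssassin (e.g. SARE_FRAUD) can score and report them.
```

Because the milter appends the header rather than replacing it, a sender who includes their own X-Virus-Infection-Name: line can influence which recipe matches; quarantining instead of discarding limits the damage from such a header to a misfiled message that can be recovered.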


Re: What Optional Rules do I really need?

Posted by Rob Skedgell <ro...@nephelococcygia.demon.co.uk>.
On Friday 02 Dec 2005 07:44, Robert Menschel wrote:
> Hello User,
>
> Thursday, December 1, 2005, 4:26:43 PM, you wrote:
>
> UfSML> SARE_FRAUD was suggested but would this be a duplication when
> UfSML> we are running clamd virus scanner on all the mail?
>
> I don't think so.  The fraud rules file is aimed at phishing emails.
> If clamd catches your phishing emails, then yes, it'd be a
> duplication. If clamd doesn't do too good a job on phish, then the
> fraud rules would be worth having.

When ClamAV 0.90 finally comes out it will be possible to disable the 
detection of phishes as malware, so some people may consider SA rule 
sets like SARE_FRAUD a more appropriate detection mechanism than AV 
software.

See <http://www.clamav.net/faq.html#pagestart> (item 13).

At the moment I have to use a condition in an Exim ACL to exclude 
HTML.Phishing.* "malware" from being discarded so that it can be 
filtered and reported.

-- 
Rob Skedgell <ro...@nephelococcygia.demon.co.uk>

Re[3]: What Optional Rules do I really need?

Posted by User for SpamAssassin Mail List <sp...@pcez.com>.

Yes, clamd does a good job on phishing emails.

Thanks,

Ken Rea

On Thu, 1 Dec 2005, Robert Menschel wrote:

> Hello User,
>
> Thursday, December 1, 2005, 4:26:43 PM, you wrote:
>
> UfSML> SARE_FRAUD was suggested but would this be a duplication when
> UfSML> we are running clamd virus scanner on all the mail?
>
> I don't think so.  The fraud rules file is aimed at phishing emails.
> If clamd catches your phishing emails, then yes, it'd be a
> duplication. If clamd doesn't do too good a job on phish, then the
> fraud rules would be worth having.
>
> Bob Menschel
>
>
>