Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: ClamAV: users

Inegrating with spamassassin

 

 

ClamAV users RSS feed   Index | Next | Previous | View Threaded


mysqlstudent at gmail

Oct 19, 2011, 11:41 AM

Post #1 of 5 (581 views)
Permalink
Inegrating with spamassassin

Hi,

I have a fedora15 system with spamassassin-3.3.2 and clamav-0.97.2,
and also using the clamav-unofficial-sigs. and I've just realized the
score for catching one of the listed domains is only 0.2.

X-Spam-Status: No, score=3.444 tagged_above=-100 required=5
tests=[AV:INetMsg.SpamDomain-2w.t67f_com.UNOFFICIAL=0.1, BAYES_50=0.8,
HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
RCVD_IN_BRBL_LASTEXT=1.449, RELAYCOUNTRY_LOW=0.5,
RP_MATCHES_RCVD=-0.504, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=no

Is that typical? Can you recommend a more suitable score?

Where is the score defined? From within amavisd?

Thanks,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


mkathuria at tuxtechnologies

Oct 19, 2011, 5:36 PM

Post #2 of 5 (563 views)
Permalink
Re: Inegrating with spamassassin [In reply to]

On Thu, Oct 20, 2011 at 12:11 AM, Alex <mysqlstudent [at] gmail> wrote:
> Hi,
>
> I have a fedora15 system with spamassassin-3.3.2 and clamav-0.97.2,
> and also using the clamav-unofficial-sigs. and I've just realized the
> score for catching one of the listed domains is only 0.2.
>
> X-Spam-Status: No, score=3.444 tagged_above=-100 required=5
>        tests=[.AV:INetMsg.SpamDomain-2w.t67f_com.UNOFFICIAL=0.1, BAYES_50=0.8,
>        HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
>        RCVD_IN_BRBL_LASTEXT=1.449, RELAYCOUNTRY_LOW=0.5,
>        RP_MATCHES_RCVD=-0.504, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
>        autolearn=no
>
> Is that typical? Can you recommend a more suitable score?

Spamassassin scores are quie optimized. But you can fine tune the
scores based on your own requirements after observing the trend for a
few days

>
> Where is the score defined? From within amavisd?

You can define your own spamassassin scores in the
.spamassassin/user_prefs file in your home directory. However, if you
want to modify the scores system wide (for all the users), the right
place is the /etc/mail/spamassassin/local.cf file.

Also have a look at:

http://spamassassin.apache.org/tests_3_0_x.html

Thanks,

Manish
--
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


mysqlstudent at gmail

Oct 19, 2011, 8:00 PM

Post #3 of 5 (564 views)
Permalink
Re: Inegrating with spamassassin [In reply to]

Hi,

>> I have a fedora15 system with spamassassin-3.3.2 and clamav-0.97.2,
>> and also using the clamav-unofficial-sigs. and I've just realized the
>> score for catching one of the listed domains is only 0.2.
>>
>> X-Spam-Status: No, score=3.444 tagged_above=-100 required=5
>>        tests=[.AV:INetMsg.SpamDomain-2w.t67f_com.UNOFFICIAL=0.1, BAYES_50=0.8,
>>        HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
>>        RCVD_IN_BRBL_LASTEXT=1.449, RELAYCOUNTRY_LOW=0.5,
>>        RP_MATCHES_RCVD=-0.504, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
>>        autolearn=no
>>
>> Is that typical? Can you recommend a more suitable score?
>
> Spamassassin scores are quie optimized. But you can fine tune the
> scores based on your own requirements after observing the trend for a
> few days

I think I assumed that you knew too much about my level of
understanding. I'm familiar with local.cf and building my own SA
rules.

However, I don't know where the original definition of the clamav
rules are listed. Where is that 0.1 actually defined?

How often do people use that rule as a poison pill? In other words, if
it's detected t67f.com in the body of the email, I'd like it to
immediately mark it as spam and quarantine it, instead of just adding
such an insignificant score.

Thanks so much.
Best,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


njones at megan

Oct 19, 2011, 9:27 PM

Post #4 of 5 (568 views)
Permalink
Re: Inegrating with spamassassin [In reply to]

On 10/19/2011 10:00 PM, Alex wrote:
> Hi,
>
>>> I have a fedora15 system with spamassassin-3.3.2 and clamav-0.97.2,
>>> and also using the clamav-unofficial-sigs. and I've just realized the
>>> score for catching one of the listed domains is only 0.2.
>>>
>>> X-Spam-Status: No, score=3.444 tagged_above=-100 required=5
>>> tests=[.AV:INetMsg.SpamDomain-2w.t67f_com.UNOFFICIAL=0.1, BAYES_50=0.8,
>>> HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
>>> RCVD_IN_BRBL_LASTEXT=1.449, RELAYCOUNTRY_LOW=0.5,
>>> RP_MATCHES_RCVD=-0.504, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
>>> autolearn=no
>>>
>>> Is that typical? Can you recommend a more suitable score?
>>
>> Spamassassin scores are quie optimized. But you can fine tune the
>> scores based on your own requirements after observing the trend for a
>> few days
>
> I think I assumed that you knew too much about my level of
> understanding. I'm familiar with local.cf and building my own SA
> rules.
>
> However, I don't know where the original definition of the clamav
> rules are listed. Where is that 0.1 actually defined?

Those look like scores from amavisd-new, which has special code to
turn a clamav spam detection into a SpamAssassin score. (Normally,
clamav is separate from SA; any detection results in a reject.)

In amavisd-new, the score added (or whether to just go straight to
quarantine) is controlled in the amavisd.conf file. See the
amavisd-users list or docs for details.

There are likely other filters or milters that do similar things.


-- Noel Jones
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


mkathuria at tuxtechnologies

Oct 20, 2011, 8:16 AM

Post #5 of 5 (563 views)
Permalink
Re: Inegrating with spamassassin [In reply to]

On Thu, Oct 20, 2011 at 9:57 AM, Noel Jones <njones [at] megan> wrote:
> On 10/19/2011 10:00 PM, Alex wrote:
>> Hi,
>>
>>>> I have a fedora15 system with spamassassin-3.3.2 and clamav-0.97.2,
>>>> and also using the clamav-unofficial-sigs. and I've just realized the
>>>> score for catching one of the listed domains is only 0.2.
>>>>
>>>> X-Spam-Status: No, score=3.444 tagged_above=-100 required=5
>>>>        tests=[.AV:INetMsg.SpamDomain-2w.t67f_com.UNOFFICIAL=0.1, BAYES_50=0.8,
>>>>        HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
>>>>        RCVD_IN_BRBL_LASTEXT=1.449, RELAYCOUNTRY_LOW=0.5,
>>>>        RP_MATCHES_RCVD=-0.504, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
>>>>        autolearn=no
>>>>
>>>> Is that typical? Can you recommend a more suitable score?
>>>
>>> Spamassassin scores are quie optimized. But you can fine tune the
>>> scores based on your own requirements after observing the trend for a
>>> few days
>>
>> I think I assumed that you knew too much about my level of
>> understanding. I'm familiar with local.cf and building my own SA
>> rules.
>>
>> However, I don't know where the original definition of the clamav
>> rules are listed. Where is that 0.1 actually defined?
>
> Those look like scores from amavisd-new, which has special code to
> turn a clamav spam detection into a SpamAssassin score.  (Normally,
> clamav is separate from SA; any detection results in a reject.)
>

You can search for @virus_name_to_spam_score_maps in the amavisd-new
configuration file and look for something like the following below
that:

[ qr'^INetMsg\.SpamDomain-2w\.' => 0.1 ]

I guess this is exactly what you have been looking for and you can
modify this value as per your requirement.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

ClamAV users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.