ClamAVMultipleScores


ClamAVMultipleScores

Post by RvdH » 2019-07-09 13:32

Derived from the original document at https://wiki.apache.org/spamassassin/Cl ... ipleScores (the link is currently down)
https://sanesecurity.com/support/documentation/

This way you can control which ClamAV detections score higher or lower (including negative scoring) for individual tests.


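# Load the ClamAV plugin. ClamAV.pm is not part of this listing; the relative
# path means it is expected next to this configuration file.
loadplugin ClamAV ClamAV.pm

ifplugin ClamAV

	# Base rule: check_clamav() is supplied by the plugin. It carries only a
	# token score; the meta rules further down assign the real score according
	# to the kind of detection.
	full CLAMAV eval:check_clamav()
	describe CLAMAV Clam AntiVirus detected something...
	score CLAMAV 0.001
	# Emits the scan result as an X-Spam-Virus header on every message.
	add_header all Virus _CLAMAVRESULT_

	# Look for specific types of ClamAV detections in the X-Spam-Virus value.
	# NOTE(review): these sub-rules trust whatever X-Spam-Virus value they are
	# given. Confirm that ClamAV.pm is what populates it during the scan, and
	# strip sender-supplied X-Spam-* headers before scanning so that inbound
	# header content cannot influence which category a detection falls into.
	header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,8}Phishing/i
	header __CLAMAV_HEUR_PHISH X-Spam-Virus =~ /Yes.{1,30}Heuristics\.Phishing\.Email/i

	# Sanesecurity third-party signatures. The dots in the signature names are
	# escaped so that only a literal "." matches, consistent with the
	# Heuristics\.Phishing\.Email pattern above.
	header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
	header __CLAMAV_SANE_FOXHOLE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.FoxHole/i
	header __CLAMAV_SANE_JUNK X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Junk/i
	header __CLAMAV_SANE_BLURL X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Blurl/i
	header __CLAMAV_SANE_PHISHING X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Phishing/i
	header __CLAMAV_SANE_JURLBL X-Spam-Virus =~ /Yes.{1,30}Sanesecurity\.Jurlbl/i

	# Give the above rules a very late priority so that they can see the output
	# of previous rules - otherwise they don't work! Not sure what the correct
	# priority should be but this seems to work...
	priority __CLAMAV_PHISH 500
	priority __CLAMAV_HEUR_PHISH 500

	priority __CLAMAV_SANE 500
	priority __CLAMAV_SANE_FOXHOLE 500
	priority __CLAMAV_SANE_JUNK 500
	priority __CLAMAV_SANE_BLURL 500
	priority __CLAMAV_SANE_PHISHING 500
	priority __CLAMAV_SANE_JURLBL 500

	# Work out what ClamAV detected and score accordingly.
	#
	# Scores are additive. CLAMAV_SANE fires for every Sanesecurity hit, so a
	# category rule such as CLAMAV_SANE_FOXHOLE adds its score on top of the
	# 7.5 from CLAMAV_SANE rather than replacing it.
	#
	# NOTE(review): these are scores, not verdicts. Negative-scoring rules
	# elsewhere in the ruleset (for example allow-list entries) can outweigh
	# them, so decide whether malware detections should instead be rejected or
	# quarantined outright by the mail filter that calls SpamAssassin.

	# ClamAV general signatures: any hit that is not phishing, heuristic
	# phishing or Sanesecurity.
	meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_HEUR_PHISH && !__CLAMAV_SANE)
	describe CLAMAV_VIRUS Virus found by ClamAV default signatures
	score CLAMAV_VIRUS 20.0

	# ClamAV phishing signatures
	meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_HEUR_PHISH)
	describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
	score CLAMAV_PHISH 10.0

	# ClamAV phishing with heuristic engine (not signatures based, may lead to false positives)
	# Available since ClamAV 0.91
	meta CLAMAV_PHISH_HEUR (CLAMAV && __CLAMAV_HEUR_PHISH && !__CLAMAV_SANE)
	describe CLAMAV_PHISH_HEUR Phishing email found by ClamAV heuristic engine
	score CLAMAV_PHISH_HEUR 5.0

	# ClamAV SaneSecurity signatures from http://www.sanesecurity.com/clamav/
	# Base score applied to every Sanesecurity detection.
	meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
	describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
	score CLAMAV_SANE 7.5

	# Sanesecurity Foxhole signatures (added to the CLAMAV_SANE score)
	meta CLAMAV_SANE_FOXHOLE (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_FOXHOLE)
	describe CLAMAV_SANE_FOXHOLE SPAM found by ClamAV SaneSecurity Foxhole signatures
	score CLAMAV_SANE_FOXHOLE 7.5

	# Sanesecurity Junk signatures (added to the CLAMAV_SANE score)
	meta CLAMAV_SANE_JUNK (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_JUNK)
	describe CLAMAV_SANE_JUNK SPAM found by ClamAV SaneSecurity Junk signatures
	score CLAMAV_SANE_JUNK 2.5

	# Sanesecurity Blurl signatures (added to the CLAMAV_SANE score)
	meta CLAMAV_SANE_BLURL (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_BLURL)
	describe CLAMAV_SANE_BLURL SPAM found by ClamAV SaneSecurity Blurl signatures
	score CLAMAV_SANE_BLURL 2.5

	# Sanesecurity Phishing signatures (added to the CLAMAV_SANE score)
	meta CLAMAV_SANE_PHISHING (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_PHISHING)
	describe CLAMAV_SANE_PHISHING SPAM found by ClamAV SaneSecurity Phishing signatures
	score CLAMAV_SANE_PHISHING 5.0

	# Sanesecurity Jurlbl signatures (added to the CLAMAV_SANE score)
	meta CLAMAV_SANE_JURLBL (CLAMAV && __CLAMAV_SANE && __CLAMAV_SANE_JURLBL)
	describe CLAMAV_SANE_JURLBL SPAM found by ClamAV SaneSecurity Jurlbl signatures
	score CLAMAV_SANE_JURLBL 2.5

endif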