phishing fraud spam in 2.5.0-pre3
United Kingdom
2007-03-21 07:24:10
Hi,

from the release notes...

 > - phishing fraud as returned by ClamAV is now treated as spam, no
 >   longer as a virus;

great, this was my biggest annoyance with clam's phishing detection,
does the email make it to bayes though?

Regards,

Rob

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

Re: phishing fraud spam in 2.5.0-pre3
Slovenia
2007-03-21 07:57:46
Robert,

>  > - phishing fraud as returned by ClamAV is now treated as spam, no
>  >   longer as a virus;
>
> great, this was my biggest annoyance with clam's phishing detection,
> does the email make it to bayes though?

Yes it does. SA checks are invoked normally, and the virus flag
is turned off.

  Mark


Re: phishing fraud spam in 2.5.0-pre3
United Kingdom
2007-03-21 08:30:49
>> great, this was my biggest annoyance with clam's phishing detection,
>> does the email make it to bayes though?
>
> Yes it does. SA checks are invoked normally, and virus flag is turned off.

ah, does SA get any indication that clamav thinks the email is a phish?
Otherwise I guess turning off phishing signatures (as I currently have)
is pretty similar in effect.

Regards,

Rob


Re: phishing fraud spam in 2.5.0-pre3
Slovenia
2007-03-21 08:51:39
Bob,

> ah, does SA get any indication that clamav thinks the email is a phish?

No, currently not. An artificial header field could be inserted, I guess,
but for the moment I don't think it is really needed; these phishing
scams collect enough spam points by themselves.

> Otherwise I guess turning off phishing signatures (as I currently have)
> is pretty similar in effect.

...except for the absence of the additional 14 score points
contributed by virus_name_to_spam_score_maps.

  Mark


Re: phishing fraud spam in 2.5.0-pre3
Slovenia
2007-03-21 14:51:51
Bill,

> I like the artificial header idea.  If you could at least make it an
> optional flag that would be great.  Would be nice to be able to add a
> few SA points if ClamAV detects phish, image, scam, etc., messages,
> otherwise it doesn't make much sense to use the additional ClamAV
> signature files provided by SaneSecurity and MSRBL.

You already have the ability (with 2.5.0-pre3) to add score points
based on phish, image, scam, etc.; the only reason why one would
like to have an artificial header field passed to SA is to be
able to have all the rules in one place (local.cf), and perhaps
for Bayes to see this information.

Nevertheless, it can't hurt to provide this ability. One then has
a choice to adjust scores either in the virus_name_to_spam_score_maps
in amavisd.conf, or by providing rules to match on the artificial
X-Amavis-AV-Status header field, which will be seen by SA only
(not in passed or quarantined mail).

The following patch to 2.5.0-pre3 provides it:

--- amavisd.orig	Mon Mar 12 21:51:24 2007
+++ amavisd	Wed Mar 21 20:33:05 2007
 -1353,5
+1353,9 
 
 virus_name_to_spam_score_maps =
-  (new_RE( [qr'^(?:Email|HTML).Phishing.'i => 14] ));
+  (new_RE( [
qr'^(Email|HTML).(Phishing|Spam|Scam[a-z0-9]?).'i =>
0.1 ],
+           [
qr'^(Email|Html).(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|D
oc)
+                 (.[^.]*)* .Sanesecurity.'x => 0.1
],
+           [ qr'^(MSRBL-Images/|MSRBL-SPAM.)' => 0.1
],
+  ));
 
 # prepend a lookup table label object for logging purposes
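Review bot: the separators in the three new map entries appear as bare `.` (`(Email|HTML).(Phishing|Spam|Scam[a-z0-9]?).`, `(.[^.]*)* .Sanesecurity.`), which in a Perl regexp matches any character, so a name like `EmailXPhishingY` would also be scored; if the backslashes were lost on the way into the archive this is harmless, otherwise they need to read `\.`. Two smaller points on the same hunk: the first entry is compiled with `/i` while the second (`(Email|Html)...Sanesecurity`) is not, so is it intended that an upper-case `HTML.Hdr...Sanesecurity` name falls through both? And since the phishing entry drops from 14 to 0.1, a site that applies the patch without also adding the local.cf rules silently loses the 14 points it had before; a comment above the map saying that the real score now lives in SA rules would prevent that surprise.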
 -16973,4
+16977,6 
   push(lines, sprintf("X-Amavis-OS-Fingerprint:
%sn",
                        sanitize_str($os_fp)))  if $os_fp ne
'';
+  push(lines, sprintf("X-Amavis-AV-Status: %sn",
+         sanitize_str($msginfo->spam_status)))  if
$msginfo->spam_status ne '';
   my($pbpath) = c('policy_bank_path');
   push(lines, sprintf("X-Amavis-PolicyBank:
%sn",$pbpath))  if $pbpath ne '';
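Review bot: the new field is named X-Amavis-AV-Status but is filled from `$msginfo->spam_status`, while the local.cf rules built on it further down match virus names such as `Email.Phishing.`; a one-line comment should state exactly what string ends up in this field (or the accessor holding the scanner's detection names should be used), because a reader of this hunk alone cannot tell. Keeping `sanitize_str()` around the value is the right call: the content originates from scanner output, and without it a CR/LF inside a signature name would terminate the field and let the remainder be read by SA as a separate header. The surrounding text promises that this header is seen by SA only and not in passed or quarantined mail; that is not visible in the hunk (it depends on where `lines` is used), so the comment should say so too.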


The above just adds 0.1 score points for each match, but turns off the
infection flag regardless of the actual value on the RHS. The idea is to
provide additional score points by the SA rules below.

The following rules may be placed in local.cf:

header L_AV_Phish      X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i
header L_AV_SS_Phish   X-Amavis-AV-Status =~ m{\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Scam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Spam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Hdr     X-Amavis-AV-Status =~ m{\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.}
header L_AV_SS_Img     X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.}
header L_AV_MSRBL_Img  X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}

score  L_AV_Phish      14
score  L_AV_SS_Phish   -3
score  L_AV_SS_Scam    6
score  L_AV_SS_Spam    6
score  L_AV_SS_Hdr     3
score  L_AV_SS_Img     3
score  L_AV_MSRBL_Img  3
score  L_AV_MSRBL_Spam 6




  Mark

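To make the interplay of the two scoring stages concrete, here is an added example that is not part of the thread and not amavisd's or Mark's code: it emulates the patched virus_name_to_spam_score_maps lookup and the local.cf header rules above in Python, and it also covers the "artificial header field" idea from the earlier reply. The regular expressions are the ones posted above with their backslashes restored; sanitize_header_value is an assumed stand-in for amavisd's sanitize_str, not its implementation; all signature names below are constructed for the demonstration and are not claimed to be real ClamAV, Sanesecurity or MSRBL signature names.

```python
import re

# Stage 1: the amavisd map from the patch (backslashes restored). amavisd
# takes the first matching entry; a hit turns the infection flag off whatever
# the right-hand side is, and the RHS is added to the spam score.
VIRUS_NAME_TO_SPAM_SCORE_MAP = [
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 0.1),
    (re.compile(r'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)'
                r'(\.[^.]*)*\.Sanesecurity\.'), 0.1),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 0.1),
]

# Stage 2: the local.cf header rules from the post, as (name, regexp, score).
# Perl's \b and alternation behave the same in Python's re for these patterns.
SA_HEADER_RULES = [(n, re.compile(p, f), s) for n, p, f, s in [
    ('L_AV_Phish',      r'\b(Email|HTML)\.Phishing\.', re.I, 14),
    ('L_AV_SS_Phish',   r'\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.', 0, -3),
    ('L_AV_SS_Scam',    r'\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)*\.Sanesecurity\.', 0, 6),
    ('L_AV_SS_Spam',    r'\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)'
                        r'(\.[^.]*)*\.Sanesecurity\.', 0, 6),
    ('L_AV_SS_Hdr',     r'\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.', 0, 3),
    ('L_AV_SS_Img',     r'\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.', 0, 3),
    ('L_AV_MSRBL_Img',  r'\bMSRBL-Images/', 0, 3),
    ('L_AV_MSRBL_Spam', r'\bMSRBL-SPAM\.', 0, 6),
]]


def lookup_spam_score(virus_name):
    """First matching map entry wins; None means no entry matched, so the
    message keeps its infected status and SA points are never consulted."""
    for pattern, score in VIRUS_NAME_TO_SPAM_SCORE_MAP:
        if pattern.search(virus_name):
            return score
    return None


def sanitize_header_value(value):
    """Assumed stand-in for amavisd's sanitize_str (not its code): the value
    comes from scanner output and lands in a header field, so CR/LF and other
    control characters must not survive, or a crafted signature name could
    smuggle a second header line that SA would then match on."""
    return re.sub(r'[\x00-\x1f\x7f]', '?', value)


def sa_header_hits(header_value):
    """Applies every local.cf rule to the X-Amavis-AV-Status value; unlike the
    amavisd map, SA rules are not first-match, so several can fire at once."""
    hits = [(name, score) for name, pattern, score in SA_HEADER_RULES
            if pattern.search(header_value)]
    return hits, float(sum(score for _, score in hits))


def classify(virus_name):
    """Follows one ClamAV detection through both stages."""
    amavis_score = lookup_spam_score(virus_name)
    if amavis_score is None:
        return {'virus_name': virus_name, 'infected': True,
                'header': None, 'sa_hits': [], 'total': None}
    header_value = sanitize_header_value(virus_name)
    hits, sa_score = sa_header_hits(header_value)
    return {'virus_name': virus_name, 'infected': False,
            'header': header_value,
            'sa_hits': [name for name, _ in hits],
            'total': round(amavis_score + sa_score, 1)}


# Constructed sample names (not real signature names).
SAMPLE_NAMES = [
    'HTML.Phishing.Bank-1',                           # ClamAV's own phishing sig
    'Email.Phishing.Bank-123.Sanesecurity.07032100',  # Sanesecurity phishing sig
    'Email.Hdr.Pharm-2.Sanesecurity.07032100',        # Sanesecurity header sig
    'Email.Img.Stock-7.Sanesecurity.07032100',        # Sanesecurity image sig
    'MSRBL-SPAM.0a1b2c',                              # MSRBL spam sig
    'Eicar-Test-Signature',                           # no map entry: stays a virus
    'Email.Phishing.Evil\r\nX-Spam-Flag: NO',         # control chars in a name
]

if __name__ == '__main__':
    for name in SAMPLE_NAMES:
        print(classify(name))
```

Running it shows what the flat score list does not: a Sanesecurity phishing name fires both L_AV_Phish (14) and L_AV_SS_Phish (-3) and nets 11.1 with the 0.1 from the map, a Sanesecurity header signature fires both L_AV_SS_Spam and L_AV_SS_Hdr for 9.1, a name with no map entry never reaches SA at all, and the CR/LF in the last sample is neutralised before the value becomes a header field.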
