Thread: [SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins

  1. #1

    Has anyone implemented the FuzzyOCR plugin for SpamAssassin on a ZCS box? For the most part, spam is under control. However, a fair amount of image spam is still getting through unmarked.

  2. #2

    I have not implemented under ZCS but have used it. Are you stuck with setting it up or is it a general question?

  3. #3

    Just a general question... At some point I'm going to install an edge MTA in front of my Zimbra box to handle virus and spam scanning. Until then I'd like to cut down on all the image spam I'm continuing to receive. I thought FuzzyOCR might provide some relief.

  4. #4

    Yes it will, but to be honest I have seen a real drop in image spam. The best method of combating these, IMHO, is to use the SaneSecurity signatures for ClamAV.

  5. #5

    I've been using SaneSecurity for a while now, but after reading your post I checked my zimbra.log file and I see no entries from "Sanes". Something must not be working correctly now.

  6. #6

    Yes, you have to modify both amavis and spamassassin, as I have found. When I get back to my hotel I will post some instructions.

  7. #7

    That would be excellent. I had it working at some point (version 4.5.x).

  8. #8

    Okay here we go!

    Update /opt/zimbra/conf/amavisd.conf.in with
    Code:
    @virus_name_to_spam_score_maps =
      (new_RE(  # the order matters!
        [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
        [ qr'^Sanesecurity(\.[^., ]*)*\.'                             => 0.1 ],
        [ qr'^Sanesecurity_PhishBar_'                                 => 0   ],
        [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0   ],
        [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                           => 0.1 ],
        [ qr'^MBL_'                                 => undef ],  # keep as infected
        [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0.1 ],
        [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
        [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0.1 ],
        [ qr'-SecuriteInfo\.com(\.|\z)'             => undef ],  # keep as infected
      ));

    Ensure this is before "1; # insure a defined return" at the end of the file. Then ...

    And then to update SA you need to edit /opt/zimbra/conf/salocal.cf.in with
    Code:
    ################################################################################
    # SaneSecurity & MSRBL Signatures
    ################################################################################
    header L_AV_Phish       X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
    header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
    header L_AV_SS_Phish    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
    header L_AV_SS_Malware  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
    header L_AV_SS_Scam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
    header L_AV_SS_Spam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|****|Spam[A-Za-z0-9]?|Stk|Junk)\.}
    header L_AV_SS_Hdr      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
    header L_AV_SS_Img      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
    header L_AV_SS_Bounce   X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
    header __L_AV_SS        X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
    meta   L_AV_SS_other    __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
    header L_AV_MSRBL_Img   X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
    header L_AV_MSRBL_Spam  X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
    header L_AV_MBL         X-Amavis-AV-Status =~ m{\bAV:MBL_}
    header L_AV_SecInf      X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
    
    score  L_AV_Phish       14
    score  L_AV_SS_Phish    5
    score  L_AV_SS_PhishBar 0.5
    score  L_AV_SS_Scam     8
    score  L_AV_SS_Spam     8
    score  L_AV_SS_Hdr      6
    score  L_AV_SS_Img      3.5
    score  L_AV_SS_Bounce   0.1
    score  L_AV_SS_other    1
    score  L_AV_SS_Malware  14
    score  L_AV_MBL         14
    score  L_AV_MSRBL_Img   3.5
    score  L_AV_MSRBL_Spam  6
    score  L_AV_SecInf      8

    at the end of the file. You will then need to restart ZCS. Obviously you can tune the scores to your own requirements as 0.1 is very low, but there have been some FPs in the past. Any questions, please ask. Enjoy.
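
Added example, not part of the original post and not amavisd or SpamAssassin code: a Python model of the first-match lookup over the map from post #8, showing which signature names stay infected, why the entry order matters, and that one rule as it appears on this page does not compile. The signature names are constructed; Perl's `\z` is written `\Z`, Python's `re` stands in for Perl's regex engine, and treating unmatched names as infected is an assumption about amavisd's behaviour.

```python
import re

# Map from post #8, same order. None stands for Perl's undef ("keep as
# infected"); Perl's \z is spelled \Z for Python's re module.
SCORE_MAP = [
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.', None),
    (r'^Sanesecurity(\.[^., ]*)*\.', 0.1),
    (r'^Sanesecurity_PhishBar_', 0),
    (r'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.', 0),
    (r'^(MSRBL-Images/|MSRBL-SPAM\.)', 0.1),
    (r'^MBL_', None),
    (r'^VX\.Honeypot-SecuriteInfo\.com\.Joke', 0.1),
    (r'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\Z)', 0.1),
    (r'^Email\.Spam.*-SecuriteInfo\.com(\.|\Z)', 0.1),
    (r'-SecuriteInfo\.com(\.|\Z)', None),
]

def classify(name, table=SCORE_MAP):
    """Return ('infected', None) or ('spam', score); the first match decides."""
    for pattern, score in table:
        if re.search(pattern, name):
            return ("infected", None) if score is None else ("spam", score)
    return ("infected", None)  # assumption: unmatched names stay virus hits

def broken_rules(rules):
    """Names of rules whose pattern fails to compile (Python re as stand-in)."""
    bad = []
    for rule, pattern in rules.items():
        try:
            re.compile(pattern)
        except re.error:  # e.g. a quantifier with nothing to repeat
            bad.append(rule)
    return bad

SA_RULES = {  # two salocal.cf.in rules exactly as they appear on this page
    "L_AV_SS_Img": r'\bAV:Sanesecurity\.(Img|ImgO)\.',
    "L_AV_SS_Spam": r'\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|****|Spam[A-Za-z0-9]?|Stk|Junk)\.',
}

SAMPLES = [  # constructed signature names, for illustration only
    "Sanesecurity.Malware.1234.UNOFFICIAL", "Sanesecurity.Img.5678.UNOFFICIAL",
    "Sanesecurity_PhishBar_42", "MBL_99.UNOFFICIAL", "Eicar-Test-Signature"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(n, classify(n))
    # With entry 2 ahead of entry 1 the malware hit becomes 0.1 spam points.
    swapped = [SCORE_MAP[1], SCORE_MAP[0]] + SCORE_MAP[2:]
    print(classify(SAMPLES[0], swapped))
    print("rules that fail to compile:", broken_rules(SA_RULES))
```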

  9. #9

    Definitely worth adding that to the improving anti-spam wiki!

  10. #10

    Will do that tomorrow as I snaffled it from the Internet ... also now using Justin Mason's SA rules and a few others ... Just KAM ones to add now. It should be easier to include some of these things.
