[SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins

Postby bhickey » Mon Dec 01, 2008 11:48 am

Has anyone implemented the FuzzyOCR plugin for SpamAssassin on a ZCS box? For the most part, spam is under control. However, a fair amount of image spam is still getting through unmarked.


Postby uxbod » Tue Dec 02, 2008 2:19 am

I have not implemented it under ZCS but have used it. Are you stuck with setting it up, or is it a general question?

Postby bhickey » Tue Dec 02, 2008 9:10 am

Just a general question... At some point I'm going to install an edge MTA in front of my Zimbra box to handle virus and spam scanning. Until then I'd like to cut down on all the image spam I'm continuing to receive. I thought FuzzyOCR might provide some relief.

Postby uxbod » Tue Dec 02, 2008 9:16 am

Yes it will, but to be honest I have seen a real drop in image spam. The best method of combating these, IMHO, is to use the SaneSecurity signatures for ClamAV.

Postby bhickey » Tue Dec 02, 2008 11:20 am

I've been using SaneSecurity for a while now, but after reading your post I checked my zimbra.log file and I see no entries from "Sanes". Something must not be working correctly now.

Postby uxbod » Tue Dec 02, 2008 12:11 pm

Yes, you have to modify both amavis and spamassassin, as I have found. When I get back to my hotel I will post some instructions ;)

Postby bhickey » Tue Dec 02, 2008 1:26 pm

That would be excellent. I had it working at some point (version 4.5.x).

Postby uxbod » Tue Dec 02, 2008 2:56 pm

Okay here we go!

Update /opt/zimbra/conf/amavisd.conf.in with

    @virus_name_to_spam_score_maps =
      (new_RE( # the order matters!
        [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ], # keep as infected
        [ qr'^Sanesecurity(\.[^., ]*)*\.' => 0.1 ],
        [ qr'^Sanesecurity_PhishBar_' => 0 ],
        [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
        [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
        [ qr'^MBL_' => undef ], # keep as infected
        [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
        [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
        [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
        [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
      ));

Ensure this is before "1; # insure a defined return" at the end of the file. Then ...
And then to update SA you need to edit /opt/zimbra/conf/salocal.cf.in with

    ################################################################################
    # SaneSecurity & MSRBL Signatures
    ################################################################################
    header L_AV_Phish X-Amavis-AV-Status =~ m{AV:(Email|HTML)\.Phishing\.}i
    header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{AV:Sanesecurity_PhishBar_}
    header L_AV_SS_Phish X-Amavis-AV-Status =~ m{AV:Sanesecurity\.Phishing\.}
    header L_AV_SS_Malware X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
    header L_AV_SS_Scam X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
    header L_AV_SS_Spam X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.}
    header L_AV_SS_Hdr X-Amavis-AV-Status =~ m{AV:Sanesecurity\.Hdr\.}
    header L_AV_SS_Img X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Img|ImgO)\.}
    header L_AV_SS_Bounce X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity}
    header __L_AV_SS X-Amavis-AV-Status =~ m{AV:Sanesecurity\.}
    meta L_AV_SS_other __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
    header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{AV:MSRBL-Images}
    header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{AV:MSRBL-SPAM\.}
    header L_AV_MBL X-Amavis-AV-Status =~ m{AV:MBL_}
    header L_AV_SecInf X-Amavis-AV-Status =~ m{-SecuriteInfo\.com}

    score L_AV_Phish 14
    score L_AV_SS_Phish 5
    score L_AV_SS_PhishBar 0.5
    score L_AV_SS_Scam 8
    score L_AV_SS_Spam 8
    score L_AV_SS_Hdr 6
    score L_AV_SS_Img 3.5
    score L_AV_SS_Bounce 0.1
    score L_AV_SS_other 1
    score L_AV_SS_Malware 14
    score L_AV_MBL 14
    score L_AV_MSRBL_Img 3.5
    score L_AV_MSRBL_Spam 6
    score L_AV_SecInf 8

at the end of the file. You will then need to restart ZCS. Obviously you can tune the scores to your own requirements as 0.1 is very low, but there have been some FPs in the past. Any questions, please ask :) Enjoy.
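
The first-match lookup over the amavisd map above, as an added Python sketch (not part of uxbod's post and not amavisd code). The patterns are ported from the post with literal dots escaped and Perl's `\z` written as Python's `\Z`; the signature names and the `NO_MATCH` marker are constructed for illustration. It compares the escaped table with the same table after the backslashes have been stripped, as can happen when the config is copied from a rendered web page.

```python
import re

# None stands for Perl's undef in the post: the detection is kept as infected.
SCORE_MAP = [
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.', None),
    (r'^Sanesecurity(\.[^., ]*)*\.', 0.1),
    (r'^Sanesecurity_PhishBar_', 0),
    (r'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.', 0),
    (r'^(MSRBL-Images/|MSRBL-SPAM\.)', 0.1),
    (r'^MBL_', None),
    (r'^VX\.Honeypot-SecuriteInfo\.com\.Joke', 0.1),
    (r'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\Z)', 0.1),
    (r'^Email\.Spam.*-SecuriteInfo\.com(\.|\Z)', 0.1),
    (r'-SecuriteInfo\.com(\.|\Z)', None),
]
NO_MATCH = "no-match"  # hypothetical marker: no entry matched, nothing downgrades the hit

def lookup(name, table=SCORE_MAP):
    """Return the value of the first entry whose pattern matches (order matters)."""
    for pattern, score in table:
        if re.search(pattern, name):
            return score
    return NO_MATCH

def unescaped(table):
    """The same table with every backslash stripped: '\\.' becomes '.', '\\Z' becomes 'z'."""
    return [(p.replace('\\Z', 'z').replace('\\', ''), s) for p, s in table]

# Constructed signature names, not taken from a real scan.
SAMPLES = [
    "Sanesecurity.Malware.1234.UNOFFICIAL",
    "Sanesecurity.Img.5678",
    "Sanesecurity_PhishBar_42",
    "MBL_9999",
    "Email.Spam.Gen123-SecuriteInfo.com",
    "Eicar-Test-Signature",
]

def report():
    """Map each sample to (result with escaped table, result with stripped table)."""
    stripped = unescaped(SCORE_MAP)
    return {n: (lookup(n), lookup(n, stripped)) for n in SAMPLES}

if __name__ == "__main__":
    for name, (good, bad) in report().items():
        print(f"{name:42} escaped={good!s:9} unescaped={bad}")
```

With the escapes stripped, `Sanesecurity_PhishBar_` names are caught by the generic Sanesecurity entry (0.1 instead of 0), and a SecuriteInfo name that ends in `.com` no longer matches its entry at all.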

Postby mmorse » Tue Dec 02, 2008 3:42 pm

Definitely worth adding that to the improving anti-spam wiki!

Postby uxbod » Tue Dec 02, 2008 3:48 pm

Will do that tomorrow as I snaffled it from the Internet ... also now using Justin Mason's SA rules and a few others ... Just KAM ones to add now. It should be easier to include some of these things.
