clamav-users September 2010 archive

Re: [Clamav-users] Tracking false positives

From: Daniel McDonald <dan.mcdonald_at_nospam>
Date: Tue Sep 14 2010 - 12:16:00 GMT
To: ClamAV users <clamav-users@lists.clamav.net>

On 9/14/10 6:00 AM, "Alex" <mysqlstudent@gmail.com> wrote:

> Turns out that it matches underconstruction.networksolutions.com. Is
> it possible to make these signatures score a few points instead of
> being a poison pill, and killing the email entirely?

It depends on how you have glued ClamAV and SpamAssassin together. I use the
following in amavisd as a way to score. Your mileage may vary:

@virus_name_to_spam_score_maps =
  (new_RE( # the order matters! the first regex that matches the signature
           # name wins. A defined score turns the ClamAV hit into that many
           # spam points; undef (or no match) leaves it handled as infected.
    [ qr'^Phishing\.' => 6.1 ],
    [ qr'^Email\.Spam\d{1,4}-SecuriteInfo' => 4.1 ],
    [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Phishing|SpearL?)\.'i => 6.1 ],
    [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Spam|Scam)[a-z0-9]?\.'i => 4.6 ],
    [ qr'^Sanesecurity\.(?:Malware|Trojan)\.' => undef ], # keep as infected
    [ qr'^Sanesecurity\.(?:Test|Rogue)' => undef ],
    [ qr'^Sanesecurity\.(?:Hdr|Img|ImgO|Junk|Doc|Casino)\.'x => 6.1 ],
    [ qr'^Sanesecurity\.(?:Lott|Fake|SpamImg|Job|Stk)\.'x => 6.1 ],
    [ qr'^Sanesecurity\.(?:Loan|Porn|Bou|Dipl|Cred)\.'x => 6.1 ],
    # the specific Jurlbl.Auto rule must sit before the general Jurlbl rule
    [ qr'^Sanesecurity\.Jurlbl\.Auto\.'x => 1.6 ],
    [ qr'^Sanesecurity\.Jurlbl\.'x => 2.6 ],
    [ qr'^Sanesecurity\.SpamAttach_'x => 4.1 ],
    [ qr'^ScamNailer\.Phish\.'x => 2.6 ],
    [ qr'^Doppelstern\.Attachment\.'x => 4.1 ],
    [ qr'^Doppelstern\.(?:Job|Junk|Loan|Lott|Phishing|Scam4)\.'x => 2.6 ],
    [ qr'^winnow\.(?:botnets?|phish|complex|mailer)\.'x => 6.1 ],
    [ qr'^winnow\.image\.'x => 4.1 ],
    [ qr'^winnow\.spam(?:domain)?\.'x => 2.6 ],
    # malware/trojan/compromised must stay infected, so this row has to come
    # before the ^winnow\. catch-all or they would be downgraded to 2.6
    [ qr'^winnow\.(?:malware|trojan|compromised)\.'x => undef ],
    [ qr'^winnow\.'x => 2.6 ],
    [ qr'^INetMsg\.SpamDomain-2w\.' => 3.0 ],
    [ qr'^INetMsg\.' => 2.0 ],
    [ qr'^MSRBL-Images\.' => 2.1 ],
    [ qr'^MSRBL-SPAM\.' => 5.1 ],
    [ qr'^MBL_' => undef ], # keep as infected
  ));

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
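The map in the message above relies on amavisd's first-match search over an ordered list: the first regex that matches the ClamAV signature name decides, a defined score turns the hit into spam points, and undef (or no match at all) keeps the message handled as infected. As an added example, not code from the post or from amavisd (whose config is Perl), here is that search reproduced in Python so a table can be run offline against signature names before it goes into production. It transcribes a subset of the rows above, the sample signature names are constructed, and it adds an audit that reports rows that never fire, which is how a catch-all placed too early shows up.

```python
"""First-match lookup over an ordered signature-name -> spam-score table.

Added example reproducing the lookup semantics of amavisd's
@virus_name_to_spam_score_maps. SCORE_MAP is a subset of the rows from the
message above, in the same relative order; SAMPLE_NAMES are constructed.
"""
import re

# None stands in for Perl's undef: keep treating the hit as infected.
SCORE_MAP = [
    (re.compile(r'^Phishing\.'), 6.1),
    (re.compile(r'^Email\.Spam\d{1,4}-SecuriteInfo'), 4.1),
    (re.compile(r'^(?:Email|HTML|Sanesecurity)\.(?:Phishing|SpearL?)\.', re.I), 6.1),
    (re.compile(r'^(?:Email|HTML|Sanesecurity)\.(?:Spam|Scam)[a-z0-9]?\.', re.I), 4.6),
    (re.compile(r'^Sanesecurity\.(?:Malware|Trojan)\.'), None),
    (re.compile(r'^Sanesecurity\.Jurlbl\.Auto\.'), 1.6),
    (re.compile(r'^Sanesecurity\.Jurlbl\.'), 2.6),
    (re.compile(r'^winnow\.(?:malware|trojan|compromised)\.'), None),
    (re.compile(r'^winnow\.'), 2.6),
    (re.compile(r'^MBL_'), None),
]

# Constructed signature names shaped like the feeds the map targets.
SAMPLE_NAMES = [
    'Phishing.Email.SpoofedDomain',
    'Email.Spam123-SecuriteInfo.com',
    'HTML.phishing.Bank-1',                     # needs the case-insensitive row
    'Sanesecurity.Jurlbl.Auto.1a2b.UNOFFICIAL',
    'Sanesecurity.Jurlbl.3c4d.UNOFFICIAL',
    'winnow.malware.abc.UNOFFICIAL',
    'winnow.spam.xyz.UNOFFICIAL',
    'MBL_123456',
    'Worm.Constructed.Example',                 # matches nothing: stays infected
]


def first_match(name, table=SCORE_MAP):
    """Index and score of the first row whose regex matches, else None."""
    for idx, (pattern, score) in enumerate(table):
        if pattern.search(name):
            return idx, score
    return None


def verdict(name, table=SCORE_MAP):
    """('spam', score) when a row with a defined score matches first,
    otherwise ('infected', None), which is also the no-match default."""
    hit = first_match(name, table)
    if hit is None or hit[1] is None:
        return ('infected', None)
    return ('spam', hit[1])


def audit(names, table=SCORE_MAP):
    """Verdict per name plus the indexes of rows that fired for no name.
    A row that never fires on representative hits is either a quiet feed or,
    more worryingly, shadowed by a broader row placed before it."""
    verdicts, fired = {}, set()
    for name in names:
        verdicts[name] = verdict(name, table)
        hit = first_match(name, table)
        if hit is not None:
            fired.add(hit[0])
    return verdicts, sorted(set(range(len(table))) - fired)


def row_index(pattern_text, table=SCORE_MAP):
    """Position of the row whose regex source equals pattern_text."""
    for idx, (pattern, _) in enumerate(table):
        if pattern.pattern == pattern_text:
            return idx
    raise KeyError(pattern_text)


def moved_to_front(table, idx):
    """Copy of table with row idx moved to the top, to show why order matters."""
    return [table[idx]] + table[:idx] + table[idx + 1:]


if __name__ == '__main__':
    verdicts, unused = audit(SAMPLE_NAMES)
    for name, (kind, score) in verdicts.items():
        print(f'{name:45s} {kind:9s} {"" if score is None else score}')
    print('rows that never fired:', unused)
    # Misordered table: the ^winnow\. catch-all now precedes the undef row,
    # so a malware hit is silently downgraded to 2.6 spam points.
    bad = moved_to_front(SCORE_MAP, row_index(r'^winnow\.'))
    print('with ^winnow\\. first:', verdict('winnow.malware.abc.UNOFFICIAL', bad))
    print('rows that never fired (misordered):', audit(SAMPLE_NAMES, bad)[1])
```

Running the audit against the names actually logged by clamd over a few days is the practical check: every undef row should fire at least once if its feed is active, and any row that never fires while a broader row above it does is a candidate for the ordering bug shown at the end of the block.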