[SOLVED] Failing to get Spam Viruses to work in Mailscanner + SA

General eFa discussion
Post Reply
ovizii
Posts: 437
Joined: 11 May 2016 08:08

[SOLVED] Failing to get Spam Viruses to work in Mailscanner + SA

Post by ovizii » 20 May 2016 18:36

I am using unofficial signatures in clamav and I would like some of them to not be treated as viruses but rather like another SPAM indicator.

i.e. spam_marketing.ndb from SecuriteInfo

btw. this is the signature that matched:

Code: Select all

sigtool --find-sigs SecuriteInfo.com.Spam-3927
[spam_marketing.ndb] SecuriteInfo.com.Spam-3927:4:*:2e6d6b746f6d61696c2e636f6d
[root@jacob spamassassin]# sigtool --find-sigs SecuriteInfo.com.Spam-3927 | sigtool --decode-sigs
VIRUS NAME: SecuriteInfo.com.Spam-3927
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
.mktomail.com
so inside /etc/MailScanner/MailScanner.conf I have:

Code: Select all

%org-name% = myORG
Spam-Virus Header = X-%org-name%-MailScanner-EFA-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish* SecuriteInfo.com.Spam-*.UNOFFICIAL winnow.spam.*.UNOFFICIAL
which means the resulting header will be: X-myORG-MailScanner-EFA-SpamVirus-Report

I then create a spam-virus.cf inside /etc/mail/spamassassin/

Code: Select all

header         MS_FOUND_SPAMVIRUS      exists:X-myORG-MailScanner-EFA-SpamVirus-Report
describe        MS_FOUND_SPAMVIRUS      ClamAV found a Spam Virus via MailScanner
score           MS_FOUND_SPAMVIRUS      5.899
Which I expected to score an email which got tagged with a spam virus with an additional 5.899

Next thing I see this email coming through:

Code: Select all

cat /var/log/maillog | grep 75F0010020C
May 20 18:34:34 jacob postfix/smtpd[16866]: 75F0010020C: client=narwhal.mktdns.com[199.15.215.68]
May 20 18:34:34 jacob postfix/cleanup[17818]: 75F0010020C: hold: header Received: from narwhal.mktdns.com (narwhal.mktdns.com [199.15.215.68])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by jacob.myorg. from narwhal.mktdns.com[199.15.215.68]; from=<038-AZF-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com> to=<recipient@exclusive-jumping.co.za> proto=ESMTP helo=<narwhal.mktdns.com>
May 20 18:34:34 jacob postfix/cleanup[17818]: 75F0010020C: message-id=<1306184537.-68632190.1463762070678.JavaMail.root@sjmas03.marketo.org>
May 20 18:34:39 jacob MailScanner[2724]: Clamd::INFECTED::SecuriteInfo.com.Spam-3927.UNOFFICIAL :: ./75F0010020C.A4E69/
May 20 18:34:39 jacob MailScanner[2724]: Found spam-virus SecuriteInfo.com.Spam-3927.UNOFFICIAL in 75F0010020C.A4E69
May 20 18:34:39 jacob MailScanner[2724]: Found spam-virus SecuriteInfo.com.Spam-3927.UNOFFICIAL in 75F0010020C.A4E69
May 20 18:34:43 jacob MailScanner[2724]: <A> tag found in message 75F0010020C.A4E69 from 038-azf-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com
May 20 18:34:43 jacob MailScanner[2724]: HTML Img tag found in message 75F0010020C.A4E69 from 038-azf-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com
May 20 18:34:47 jacob MailScanner[2724]: Content Checks: Detected and have disarmed web bug tags in HTML message in 75F0010020C.A4E69 from 038-azf-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com
May 20 18:34:47 jacob MailScanner[2724]: Requeue: 75F0010020C.A4E69 to 1209710022B
May 20 18:34:47 jacob MailScanner[2724]: Logging message 75F0010020C.A4E69 to SQL
May 20 18:34:47 jacob MailScanner[2727]: 75F0010020C.A4E69: Logged to MailWatch SQL
So it looks like Mailscanner correctly recognized it as a spam virus.

I now visit my EFA and look at that email's headers and see it slipped through with a score of -0.25

Code: Select all

Score	Matching Rule	Description
0.15	C_RBL_DRMX	Listed in bl.drmx.org
0.30	C_RBL_SCIENTIFICSPAM	Listed in bl.scientificspam.net
0.15	C_RBL_SPAMCANNIBAL	Listed in bl.spamcannibal.org
0.30	C_RFC_POSTMASTER	Domain without postmaster account
0.30	C_URIBL_SC_SWINOG	URIs listed in uribl.swinog.ch.
-0.10	DKIM_SIGNED	Message has a DKIM or DK signature, not necessarily valid
-0.20	DKIM_VALID	Message has at least one valid DKIM or DK signature
-0.25	DKIM_VALID_AU	Message has a valid DKIM or DK signature from author's domain
0.25	HEADER_FROM_DIFFERENT_DOMAINS	From and EnvelopeFrom 2nd level mail domains are different
0.05	HTML_MESSAGE	HTML included in message
0.05	RCVD_IN_DNSWL_NONE	Sender listed at http://www.dnswl.org/, no trust
-1.50	RCVD_IN_MSPIKE_H4	Very Good reputation (+4)
-1.00	RCVD_IN_MSPIKE_WL	Mailspike good senders
0.05	RCVD_NOT_IN_IPREPDNS	 
1.59	REMOVE_BEFORE_LINK	Removal phrase right before a link
-1.23	SENDERSCORE_097	SenderScore Reputation 97% (score.senderscore.com)
-0.50	SENDERSCORE_WHITE	SenderScore Reputation White (score.senderscore.com)
0.50	SO_PUB_URIBL_NS_40	Urls ns address is listed in reputation-ns-40.rbl.scrolloutf1.com
-0.10	SPF_HELO_PASS	SPF: HELO matches SPF record
-0.15	SPF_PASS	SPF: sender matches SPF record
0.01	T_KAM_HTML_FONT_INVALID	Test for Invalidly Named or Formatted Colors in HTML
1.08	URIBL_GREY	Contains an URL listed in the URIBL greylist
Any ideas what went wrong here and how to get this right?

Here are some other threads talking about, one which also fails to get it right:
http://lists.mailscanner.info/pipermail ... 96624.html

and one which seems to get it working by changing the spam-virus.cf to this but I'm unsure if this is better?
http://tech-jot.blogspot.de/2015/11/tag ... am-in.html

Code: Select all

header          MS_FOUND_SPAMVIRUS      ALL =~ /X-myORG-MailScanner-EFA-SpamVirus-Report/
describe        MS_FOUND_SPAMVIRUS      ClamAV found a Spam Virus via MailScanner
score           MS_FOUND_SPAMVIRUS      5.899
Last edited by ovizii on 22 May 2016 10:16, edited 1 time in total.

ovizii
Posts: 437
Joined: 11 May 2016 08:08

Re: Failing to get Spam Viruses to work in Mailscanner + SA

Post by ovizii » 21 May 2016 07:04

Embarassingly enough, I realized this was already partially on by default within the mailscanner.cf file and yet its not working but it shows I am on hte right track:

Code: Select all

#
# The header name in the next line must have your %org-name% added into it,
# so that it matches what is set in "Spam-Virus Header" in your
# MailScanner.conf file.
#
header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
score  MS_FOUND_SPAMVIRUS 3.0

ovizii
Posts: 437
Joined: 11 May 2016 08:08

Re: Failing to get Spam Viruses to work in Mailscanner + SA

Post by ovizii » 22 May 2016 10:16

This worked:

Code: Select all

header          MS_FOUND_SPAMVIRUS      ALL =~ /X-myORG-MailScanner-EFA-SpamVirus-Report/
describe        MS_FOUND_SPAMVIRUS      ClamAV found a Spam Virus via MailScanner
score           MS_FOUND_SPAMVIRUS      5.899
SA is now seeing and evaluating those headers :-)

nicola.piazzi
Posts: 233
Joined: 23 Apr 2015 09:45

Re: [SOLVED] Failing to get Spam Viruses to work in Mailscanner + SA

Post by nicola.piazzi » 02 Jan 2019 14:28

Hi
As you can see in this page there is a complete description of extra signatures and how to use (virus or score 4 spam)

https://sanesecurity.com/usage/signatures/

But problem is to have description of output of each signature to use in "Virus Names Which Are Spam" directive

Have an idea ?

Post Reply