i.e. spam_marketing.ndb from SecuriteInfo
BTW, this is the signature that matched:
```
sigtool --find-sigs SecuriteInfo.com.Spam-3927
[spam_marketing.ndb] SecuriteInfo.com.Spam-3927:4:*:2e6d6b746f6d61696c2e636f6d
[root@jacob spamassassin]# sigtool --find-sigs SecuriteInfo.com.Spam-3927 | sigtool --decode-sigs
VIRUS NAME: SecuriteInfo.com.Spam-3927
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
.mktomail.com
```
```
%org-name% = myORG
Spam-Virus Header = X-%org-name%-MailScanner-EFA-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish* SecuriteInfo.com.Spam-*.UNOFFICIAL winnow.spam.*.UNOFFICIAL
```
I then create a spam-virus.cf inside /etc/mail/spamassassin/:
```
header MS_FOUND_SPAMVIRUS exists:X-myORG-MailScanner-EFA-SpamVirus-Report
describe MS_FOUND_SPAMVIRUS ClamAV found a Spam Virus via MailScanner
score MS_FOUND_SPAMVIRUS 5.899
```
Next thing I see is this email coming through:
```
cat /var/log/maillog | grep 75F0010020C
May 20 18:34:34 jacob postfix/smtpd[16866]: 75F0010020C: client=narwhal.mktdns.com[199.15.215.68]
May 20 18:34:34 jacob postfix/cleanup[17818]: 75F0010020C: hold: header Received: from narwhal.mktdns.com (narwhal.mktdns.com [199.15.215.68])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by jacob.myorg. from narwhal.mktdns.com[199.15.215.68]; from=<038-AZF-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com> to=<recipient@exclusive-jumping.co.za> proto=ESMTP helo=<narwhal.mktdns.com>
May 20 18:34:34 jacob postfix/cleanup[17818]: 75F0010020C: message-id=<1306184537.-68632190.1463762070678.JavaMail.root@sjmas03.marketo.org>
May 20 18:34:39 jacob MailScanner[2724]: Clamd::INFECTED::SecuriteInfo.com.Spam-3927.UNOFFICIAL :: ./75F0010020C.A4E69/
May 20 18:34:39 jacob MailScanner[2724]: Found spam-virus SecuriteInfo.com.Spam-3927.UNOFFICIAL in 75F0010020C.A4E69
May 20 18:34:39 jacob MailScanner[2724]: Found spam-virus SecuriteInfo.com.Spam-3927.UNOFFICIAL in 75F0010020C.A4E69
May 20 18:34:43 jacob MailScanner[2724]: <A> tag found in message 75F0010020C.A4E69 from 038-azf-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com
May 20 18:34:43 jacob MailScanner[2724]: HTML Img tag found in message 75F0010020C.A4E69 from 038-azf-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com
May 20 18:34:47 jacob MailScanner[2724]: Content Checks: Detected and have disarmed web bug tags in HTML message in 75F0010020C.A4E69 from 038-azf-323.0.1605.0.0.1707.7.6530537@em-sj-77.mktomail.com
May 20 18:34:47 jacob MailScanner[2724]: Requeue: 75F0010020C.A4E69 to 1209710022B
May 20 18:34:47 jacob MailScanner[2724]: Logging message 75F0010020C.A4E69 to SQL
May 20 18:34:47 jacob MailScanner[2727]: 75F0010020C.A4E69: Logged to MailWatch SQL
```
I now visit my EFA and look at that email's headers and see it slipped through with a score of -0.25:
```
Score Matching Rule Description
0.15 C_RBL_DRMX Listed in bl.drmx.org
0.30 C_RBL_SCIENTIFICSPAM Listed in bl.scientificspam.net
0.15 C_RBL_SPAMCANNIBAL Listed in bl.spamcannibal.org
0.30 C_RFC_POSTMASTER Domain without postmaster account
0.30 C_URIBL_SC_SWINOG URIs listed in uribl.swinog.ch.
-0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.20 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.25 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
0.25 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
0.05 HTML_MESSAGE HTML included in message
0.05 RCVD_IN_DNSWL_NONE Sender listed at http://www.dnswl.org/, no trust
-1.50 RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
-1.00 RCVD_IN_MSPIKE_WL Mailspike good senders
0.05 RCVD_NOT_IN_IPREPDNS
1.59 REMOVE_BEFORE_LINK Removal phrase right before a link
-1.23 SENDERSCORE_097 SenderScore Reputation 97% (score.senderscore.com)
-0.50 SENDERSCORE_WHITE SenderScore Reputation White (score.senderscore.com)
0.50 SO_PUB_URIBL_NS_40 Urls ns address is listed in reputation-ns-40.rbl.scrolloutf1.com
-0.10 SPF_HELO_PASS SPF: HELO matches SPF record
-0.15 SPF_PASS SPF: sender matches SPF record
0.01 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
1.08 URIBL_GREY Contains an URL listed in the URIBL greylist
```
Here are some other threads talking about this, one of which also fails to get it right:
http://lists.mailscanner.info/pipermail ... 96624.html
and one which seems to get it working by changing spam-virus.cf to this, but I'm unsure if this is better?
http://tech-jot.blogspot.de/2015/11/tag ... am-in.html
```
header MS_FOUND_SPAMVIRUS ALL =~ /X-myORG-MailScanner-EFA-SpamVirus-Report/
describe MS_FOUND_SPAMVIRUS ClamAV found a Spam Virus via MailScanner
score MS_FOUND_SPAMVIRUS 5.899
```