Re: Writing a rule to access SA ClamAV Plugin Header

Tue, 24 Jul 2007 07:32:41 -0700 


On 07/24/07 15:00, Wolfgang Zeikat wrote:
> In SA 3.1.8, I am trying to use the clamav plugin from
> http://wiki.apache.org/spamassassin/ClamAVPlugin
>
> spamassassin -t -D output includes dbg: ClamAV: Detected virus:
> Email.Stk.Gen596.Sanesecurity.07071900.pdf
>
> It adds a  header X-Spam-Virus: Yes
> (Email.Stk.Gen596.Sanesecurity.07071900.pdf) allright, but additional
> rules to check for sanesecurity  "virus" names are not matched.
>
> Rules:
>
> header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> score MY_CLAMAV_SANE 5
>
> Any suggestions what is going wrong?
>

On 07/24/07 15:43, OliverScott wrote:

> # Give the above rules a very late priority so that they can see the
> output
> # of previous rules - otherwise they don't work! Not sure what the
> correct # priority should be but this seems to work...

> In your case you could fix what you have done (which looks to be
> taken from
> one of my previous messages while trying to get this to work myself?)
> by making it:
>
> header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> priority __MY_CLAMAV 9999
> header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> priority __MY_CLAMAV_SANE 9999
> meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> score MY_CLAMAV_SANE 5

(typo fixed)

>
>
> Hope this helps!

Yes it does, thanks again.

> full CLAMAV eval:check_clamav()
> describe CLAMAV Clam AntiVirus detected something...
> score CLAMAV 0.001


If you don't want CLAMAV to score (high), apparently you can rename it 
to __CLAMAV, works fine here.



To make the meta rule work too, I had to give it a higher priority 
number than the header rules, so that my working clamav.cf is now:


loadplugin ClamAV /etc/mail/spamassassin/clamav.pm
full __CLAMAV eval:check_clamav()
describe __CLAMAV Clam AntiVirus detected a virus

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9998

header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998

meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE 9999
score MY_CLAMAV_SANE 5

I hereby add this important information (IMHO) to
this thread that is linked on
http://wiki.apache.org/spamassassin/ClamAVPlugin


Regards,

wolfgang

























					Reply via email to