Opened 12 years ago

Last modified 12 years ago

#524 testing defect (fixed)

Spam, scam, and phishing signatures for ClamAV are incorrectly treated as viruses

Reported by: rjl@… Owned by: rjl@…
Priority: normal Milestone: 1.0.3
Component: amavisd-maia Version: 1.0.2
Severity: normal Keywords: virus clamav sanesecurity msrbl


Newer versions of ClamAV use signatures to detect phishing scams, and third-party signatures from Sanesecurity and MSRBL use this mechanism to detect image spam and other scams. These are not "viruses", and not even "malware", but because they're detected by a virus scanner they end up in the virus quarantine rather than the spam quarantine. A mechanism is needed to tell amavisd-maia that such signature detections should be treated as if they were spam rule hits, so that they can be scored accordingly and handled by SpamAssassin for quarantining and Bayes-training purposes.

Change History (2)

comment:1 Changed 12 years ago by rjl@…

  • Owner changed from rjl to rjl@…
  • Status changed from new to accepted

Implemented in [1380] as an amavisd.conf setting called @non_malware_viruses_maps, which is an administrator-configurable list of regular expressions that identify the names of "viruses" that should be treated as spam hits instead. The names of these viruses are sent to SpamAssassin in the form of a special header (X-Maia-AV-Status), which can then be used to assign scores to those rules in a *.cf file. Sample files for ClamAV, Sanesecurity, and MSRBL are provided.

comment:2 Changed 12 years ago by rjl@…

  • Resolution set to fixed
  • Status changed from accepted to testing
Note: See TracTickets for help on using tickets.