Re: [exim] Blocking Stock Spam ACL

Góra strony
Delete this message
Reply to this message
Autor: Michael Sprague
Data:  
Dla: exim-users
Temat: Re: [exim] Blocking Stock Spam ACL
Stephen Gran wrote:
> On Fri, Dec 08, 2006 at 06:32:29PM +0100, Steffen Heil said:
>> Hi
>>
>>> It should be noted that that's in the 'old news' section of
>>> the page, but you're right. It's only helpful for some
>>> messages. I also use
>>> http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
>>> http://download.mirror.msrbl.com/MSRBL-Images.hdb
>> Sorry, another question to those:
>> Do you get false positives?
>>
>> Until now I am tagging SPAM, but rejecting VIRUSes.
>> However using those sigatures, I will end up detecing SPAM as VIRUS an
>> reject those....
>>
>> Can I use exiscan to differ detected viruses froms spam?
>
> Instead of malware = *, I suppose you could try a match against the
> virus name returned. All of the vendors so far are putting some special
> string in the virus definition, so it should be possible to just add a
> header for the sane signatures, for instance.


That looks interesting, have to give that a whirl.

I setup a condition. For example:

deny
   condition   = ${if <{$message_size}{1m}{true}{false}}
   malware     = */defer_ok
   condition   = ${if match {$malware_name}{\N^Email\.\N}{true}{false}}
   message     = scam detected
   log_message = SCAM ($malware_name) RCPT=$ACL_RECIPS \
                 SUB=${quote:$h_subject:} MSGID=$h_message-id


discard
   condition   = ${if <{$message_size}{1m}{true}{false}}
   malware     = */defer_ok
   log_message = VIRUS ($malware_name) RCPT=$ACL_RECIPS \
                 SUB=${quote:$h_subject:} MSGID=$h_message-id


So I deny if a scam is matched but discard if it's a 'real' virus. The
extra match condition in the deny acl currently just matches the
'Email...' sigs.

BTW, I only added the new sigs this morning and so far it looks quite
promising.

thanks,
mikeS


-- 
Michael F. Sprague     | mfs@???
http://www.saneinc.net | Provider of SpamOnion anti-spam service
System and Network Engineering (SaNE), Inc