Amavisd not blocking sanesecurity hits

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Post by faris

My testing to destruction of amavisd continues, and today I found something interesting which I thought I'd share.

I'd noticed that messages with certain attachments were being passed as CLEAN, even though clamav was detecting something bad in them via the sanesecurity rules (e.g. a document with an evil macro).

It turns out that by default, certain types of badness are not blocked outright by amavisd-new, and are instead passed on to be dealt with as spam by spamassassin.

This behaviour is controlled by the amavisd @virus_name_to_spam_score_maps setting (there is also a policy_bank version of this).

I'm not sure of the default setting because it appears to be hard-coded rather than being set in amavisd.conf, and the default has been updated every now and then.

But the default includes pretty much anything detected by the sanesecurity rules that are included in the Atomic clamav rules and of course the normal sanesecurity clamav rules themselves.

The end result is that with the default installation of amavisd-new, spamassassin and clamav, attachments containing booby-trapped documents and what have you get passed as clean and end up in people's mailboxes.

This is not what I want, and may not be what you want either. I'm not sure I've ever seen a sanesecurity false positive, so I want to block outright.

The way you are supposed to deal with it is, I presume, to set the resulting SA score to something significant, or to do something more sophisticated in terms of SA rules maybe.

But you can also use a very unsophisticated approach, which is to just add the following to amavisd.conf:

Code:

    @virus_name_to_spam_score_maps = ();

This overrides the default mapping and causes any message that triggers any clamav rule to be blocked outright.

I dare say there's more to this than meets the eye, and this complete override may be undesirable in some way, presumably relating to potential false positives.
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
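As an added example (not from the post above and not amavisd-new's shipped default), here is what a selective version of that setting looks like in amavisd.conf, using the new_RE list syntax amavisd-new uses for this map. The patterns and scores are illustrative choices of mine, not the hard-coded defaults: the Sanesecurity names are deliberately left out of the map so they fall through and are blocked as viruses, while a couple of low-risk heuristic detections still go to SpamAssassin with a small score. The policy bank name MYNETS is an assumed placeholder.

```perl
# amavisd.conf fragment (added example, not the project's own default).
# The map is an ordered list of [regex => score] pairs; the first pattern
# that matches the virus name reported by the scanner wins. A name that
# matches NO entry is treated as a virus and blocked outright, which is
# why an empty list "@virus_name_to_spam_score_maps = ();" blocks everything.
@virus_name_to_spam_score_maps = (new_RE(
  # Illustrative low-risk detections that should only add SA score:
  [qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1],   # ClamAV DLP matches
  [qr'^Heuristics\.Phishing\.'               => 0.1],   # heuristic phishing
  # Deliberately no Sanesecurity.* entry: those names fall through
  # the map, so messages hitting them are blocked, not scored.
));

# The same idea applied to a single policy bank (assumed bank name MYNETS):
# in a policy bank the setting is the variable name without the sigil, and
# its value is an array reference wrapping the same new_RE list.
$policy_bank{'MYNETS'} = {
  virus_name_to_spam_score_maps => [ new_RE(
    [qr'^Heuristics\.Phishing\.' => 0.1],
  ) ],
};
```

After changing the map, restart amavisd and send yourself a known Sanesecurity test sample: the log line for that message should report it as infected (blocked) rather than as spam-scored, which confirms the name fell through the map as intended.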