I'd noticed that messages with certain attachments were being passed as CLEAN, even though clamav was detecting something bad in them via the sanesecurity rules (e.g. a document with an evil macro).
It turns out that by default, certain types of badness are not blocked outright by amavisd-new, and are instead passed on to be dealt with as spam by spamassassin.
This behaviour is controlled by the amavisd @virus_name_to_spam_score_maps setting (there is also a policy_bank version of this).
I'm not sure of the default setting because it appears to be hard-coded rather than being set in amavisd.conf, and the default has been updated every now and then.
But the default includes pretty much anything detected by the sanesecurity rules that are included in the Atomic clamav rules and of course the normal sanesecurity clamav rules themselves.
The end result is that with the default installation of amavisd-new, spamassassin and clamav, attachments containing booby-trapped documents and what have you get passed as clean and end up in people's mailboxes.
This is not what I want, and may not be what you want either. I'm not sure I've ever seen a sanesecurity false positive, so I want to block outright.
The way you are supposed to deal with it is, I presume, to set the resulting SA score to something significant, or to do something more sophisticated in terms of SA rules maybe.
But you can also use a very unsophisticated approach, which is to just add the following to amavisd.conf:
@virus_name_to_spam_score_maps = ();
I dare say there's more to this than meets the eye, and this complete override may be undesirable in some way, presumably relating to potential false positives.
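As an added example (not from the original post), here is a middle-ground amavisd.conf fragment that keeps the map but forces macro-laden document and malware detections to be blocked as infected while still letting low-confidence junk/phishing signatures fall through to spamassassin scoring. It assumes the standard new_RE() map syntax where an undef value means "keep treating as infected"; the signature-name patterns and the spam scores are illustrative, not amavisd's actual defaults.

```perl
# Added example: a selective @virus_name_to_spam_score_maps for amavisd.conf.
# The map is consulted in order and the first matching regexp wins.
#   undef  -> message stays INFECTED and is blocked/quarantined as a virus
#   number -> message is passed on as CLEAN with this value added to its
#             spam score, leaving the final decision to spamassassin
@virus_name_to_spam_score_maps =
  (new_RE(
    # Office documents with macros and other Sanesecurity malware/trojan
    # signatures: never downgrade these to spam, block them outright.
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan|Badmacro)\.'i => undef ],
    [ qr'^Doc\.(Macro|Dropper|Downloader)\.'i               => undef ],

    # Pure junk/lottery/spam signatures: low confidence that the mail is
    # dangerous rather than merely unwanted, so hand them to spamassassin
    # with a modest score (illustrative values).
    [ qr'^Sanesecurity\.(Junk|Lott|Spam)'i                  => 3.0 ],
    [ qr'^Sanesecurity\.Phishing\.'i                        => 5.0 ],

    # Anything else the scanner reports is treated as a real detection.
    [ qr'.'                                                 => undef ],
  ));
```

With this in place a test message carrying a Sanesecurity macro detection is logged by amavisd as INFECTED rather than Passed CLEAN, which is the quickest way to confirm the map is being applied.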