
Signature Updates

Managing virus signatures, spam rules, and GeoIP database updates.

Automatic Updates

Update Schedule

Configured by mb-cron:

  • Virus signatures: Hourly (freshclam)
  • Spam rules: Hourly (Rspamd, SpamAssassin)
  • GeoIP database: Weekly (MaxMind)
  • System patterns: Daily (mb-update)

Check schedule:

systemctl list-timers 'mb-cron*'

Verify Automatic Updates

Check last update times:

# ClamAV signatures
sudo sigtool --info /var/lib/clamav/daily.cvd
sudo sigtool --info /var/lib/clamav/main.cvd

# Rspamd rules
ls -lh /var/lib/rspamd/

# GeoIP database
ls -lh /var/lib/mailborder/geoip/

Review update logs:

sudo grep "update" /var/log/mailborder/mb-cron.log | tail -n 50
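
A freshness check for the signature files, as an added example that is not part of the Mailborder documentation: it parses the "Build time:" and "Signatures:" lines that sigtool --info prints (the sample text in the script is constructed to match the output shown later on this page), converts the build time to a Unix timestamp with plain shell arithmetic so it does not depend on GNU date, and flags a database older than a chosen number of hours. The check_db wrapper that runs sigtool on a real file and the 24-hour default are assumptions for illustration; the parsing functions run without ClamAV installed.

```sh
#!/bin/sh
# Added example (not part of the Mailborder docs): stale-signature check built on
# the text that `sigtool --info <db>` prints. Pure POSIX sh; no GNU date needed.

# Constructed sample, shaped like the `sigtool --info daily.cvd` output on this page.
SAMPLE_INFO='File: daily.cvd
Build time: 12 Nov 2025 15:23 +0000
Version: 27450
Signatures: 2,100,000
Functionality level: 90
Builder: neo'

# Strip one leading zero so "08" is not treated as invalid octal by the shell.
dec() { v=${1#0}; if [ -n "$v" ]; then echo "$v"; else echo 0; fi; }

month_num() {
  case "$1" in
    Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# Days since 1970-01-01 for a Gregorian date (integer-only civil-date algorithm).
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Unix timestamp of the "Build time:" line in sigtool --info text (arg 1).
# Accepts the time as HH:MM or HH-MM, since CVD headers store it with a hyphen.
sig_build_epoch() {
  line=$(printf '%s\n' "$1" | sed -n 's/^Build time: *//p')
  [ -n "$line" ] || return 1
  set -- $line                       # e.g. 12 Nov 2025 15:23 +0000
  day=$(dec "$1"); mon=$(month_num "$2") || return 1; year=$3
  t=$4; hh=$(dec "${t%%[:-]*}"); mm=$(dec "${t#*[:-]}")
  tz=$5; tzh=$(dec "$(echo "$tz" | cut -c2-3)"); tzm=$(dec "$(echo "$tz" | cut -c4-5)")
  local_s=$(( $(days_from_civil "$year" "$mon" "$day") * 86400 + hh * 3600 + mm * 60 ))
  off=$((tzh * 3600 + tzm * 60))
  case "$tz" in -*) echo $((local_s + off)) ;; *) echo $((local_s - off)) ;; esac
}

# Signature count from the "Signatures:" line, thousands separators removed.
sig_count() { printf '%s\n' "$1" | sed -n 's/^Signatures: *//p' | tr -d ','; }

sig_age_hours() { echo $((($2 - $1) / 3600)); }   # args: build_epoch now_epoch

# Returns 0 when the database described by the text is at most max_hours old.
# args: info_text now_epoch max_hours
check_freshness_text() {
  epoch=$(sig_build_epoch "$1") || return 2
  age=$(sig_age_hours "$epoch" "$2")
  if [ "$age" -gt "$3" ]; then
    echo "STALE: built ${age}h ago (limit $3h), $(sig_count "$1") signatures" >&2
    return 1
  fi
  echo "OK: built ${age}h ago, $(sig_count "$1") signatures"
}

# Live wrapper (assumed usage, needs sigtool): check_db /var/lib/clamav/daily.cvd 24
check_db() { check_freshness_text "$(sigtool --info "$1")" "$(date +%s)" "${2:-24}"; }

case "${1:-}" in check) check_db "$2" "${3:-24}" ;; esac
```

With the hourly freshclam schedule above, a limit of a few hours is reasonable for daily.cvd; main.cvd is rebuilt far less often, so give it a much larger limit or check only its verification status.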

Manual Updates

Update All Signatures

Run comprehensive update:

sudo mb-update --all

Output:

Updating virus signatures...
ClamAV signatures updated: 7,500,000 signatures
Updating spam rules...
Rspamd rules updated: 350 rules
SpamAssassin rules updated: 1,200 rules
Updating GeoIP database...
GeoIP database updated: 250 countries
All updates completed successfully.

Update Individual Components

Virus signatures only:

sudo freshclam

Verify ClamAV update:

sudo freshclam --version

Rspamd rules only:

sudo -u _rspamd rspamc -w 10 -f 1 fuzzy_add /path/to/spam/sample

SpamAssassin rules only:

sudo sa-update
sudo systemctl restart spamassassin

GeoIP database only:

sudo mb-update --geoip

ClamAV Signature Management

Signature Statistics

View signature info:

sudo sigtool --info /var/lib/clamav/daily.cvd
sudo sigtool --info /var/lib/clamav/main.cvd

Output:

File: daily.cvd
Build time: 12 Nov 2025 15:23 +0000
Version: 27450
Signatures: 2,100,000
Functionality level: 90
Builder: neo
MD5: a1b2c3d4e5f6...

Custom Signatures

Add custom signature:

# Create custom signature file
sudo tee /var/lib/clamav/custom.ndb << 'EOF'
CustomMalware:0:*:68656c6c6f20776f726c64
EOF

# Reload ClamAV
sudo systemctl reload clamd@scan

Test custom signature:

echo "hello world" > /tmp/test.txt
clamscan /tmp/test.txt
rm /tmp/test.txt
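
Building and sanity-checking an .ndb file before it is loaded, as an added example rather than code from the Mailborder documentation. ndb_line produces the Name:TargetType:Offset:HexSignature form used above from a plain byte string, and lint_ndb rejects the malformations that make clamd refuse a database on reload (wrong field count, non-numeric target type, odd-length hex body). The install_ndb wrapper, its use of clamscan -d to test-load the file on its own, and the file names in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the Mailborder docs): build and lint ClamAV .ndb lines.
# .ndb format: MalwareName:TargetType:Offset:HexSignature

# Hex-encode stdin as one continuous lowercase string (POSIX od, no xxd needed).
hex_of() { od -An -v -tx1 | tr -d ' \n'; }

# ndb_line NAME [TARGET_TYPE] [OFFSET] STRING -> one signature line.
# Target type 0 = any file, offset '*' = anywhere, as in the custom.ndb example above.
ndb_line() {
  printf '%s:%s:%s:%s\n' "$1" "${2:-0}" "${3:-*}" "$(printf '%s' "$4" | hex_of)"
}

# lint_ndb FILE: print the number of bad lines, exit 0 only when the file is clean.
# Checks the structural rules a reload trips over; wildcard bodies (?, *, {n}) are
# accepted unchecked because their grammar is beyond this example.
lint_ndb() {
  file=$1; bad=0; n=0
  while IFS= read -r raw || [ -n "$raw" ]; do
    n=$((n + 1))
    case "$raw" in ''|'#'*) continue ;; esac
    # Split on ':' with globbing off so an offset of '*' is not expanded.
    old_ifs=$IFS; IFS=:; set -f; set -- $raw; set +f; IFS=$old_ifs
    nfields=$#; name=${1:-}; target=${2:-}; offset=${3:-}; hex=${4:-}
    err=''
    if [ "$nfields" -ne 4 ]; then err="expected 4 colon-separated fields, got $nfields"; fi
    if [ -z "$name" ]; then err='empty signature name'; fi
    case "$target" in ''|*[!0-9]*) err='target type must be an integer' ;; esac
    case "$offset" in '*'|[0-9]*|EOF-[0-9]*|EP[+-][0-9]*) ;; *) err="unsupported offset '$offset'" ;; esac
    case "$hex" in
      '') err='empty signature body' ;;
      *[!0-9a-fA-F]*) ;;                        # wildcard syntax, not validated here
      *) if [ $((${#hex} % 2)) -ne 0 ]; then err='hex body has odd length'; fi ;;
    esac
    if [ -n "$err" ]; then
      echo "$file:$n: $err: $raw" >&2
      bad=$((bad + 1))
    fi
  done < "$file"
  echo "$bad"
  [ "$bad" -eq 0 ]
}

# Assumed live workflow: lint, test-load the file by itself (clamscan exits
# non-zero on a database it cannot parse), then install and reload clamd.
install_ndb() {
  lint_ndb "$1" >/dev/null || return 1
  probe=$(mktemp)
  clamscan --quiet -d "$1" "$probe"; rc=$?
  rm -f "$probe"
  [ "$rc" -eq 0 ] || return 1
  sudo cp "$1" /var/lib/clamav/custom.ndb && sudo systemctl reload clamd@scan
}

case "${1:-}" in install) install_ndb "$2" ;; esac
```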

Signature Database Verification

Check database integrity (sigtool --info verifies the digital signature and ends with "Verification OK."):

sudo sigtool --info /var/lib/clamav/daily.cvd | grep -E "^(Signatures|Verification)"
sudo sigtool --info /var/lib/clamav/main.cvd | grep -E "^(Signatures|Verification)"

Unpack and inspect (the contained files are extracted into the current directory):

mkdir /tmp/daily-unpack && cd /tmp/daily-unpack
sudo sigtool --unpack /var/lib/clamav/daily.cvd
ls -la

Rspamd Rule Management

Update Rspamd Rules

Manual rule update:

sudo -u _rspamd rspamc -w 10 -f 1 fuzzy_add /path/to/spam/sample

Sync from remote:

sudo rsync -avz rsync://rspamd.com/rspamd/ /var/lib/rspamd/
sudo systemctl restart rspamd

Custom Rspamd Rules

Add custom rule:

sudo tee -a /etc/rspamd/local.d/regexp.conf << 'EOF'
CUSTOM_SPAM_KEYWORD {
  re = "Subject=/Urgent Action Required/i";
  score = 5.0;
  description = "Spam keyword in subject";
}
EOF

sudo rspamadm configtest
sudo systemctl restart rspamd

Test rule:

rspamc symbols /path/to/test/email

Rspamd Statistics

View learning statistics:

curl -s http://localhost:11334/stat | jq

Key metrics:

  • Total scanned
  • Spam detected
  • Ham detected
  • Learned spam/ham
  • Fuzzy storage size

SpamAssassin Rule Management

Update SpamAssassin Rules

Update from the default channel:

sudo sa-update

Update specific channels:

sudo sa-update --channel updates.spamassassin.org

Update with GPG verification:

sudo sa-update --gpgkey 5244EC45 --channel updates.spamassassin.org

Apply updates:

sudo systemctl restart spamassassin

Custom SpamAssassin Rules

Add custom rule:

sudo tee -a /etc/spamassassin/local.cf << 'EOF'
# Custom spam keyword detection
header CUSTOM_SUBJECT_SPAM Subject =~ /Urgent.*Required/i
describe CUSTOM_SUBJECT_SPAM Spam keyword in subject
score CUSTOM_SUBJECT_SPAM 3.0
EOF

sudo systemctl restart spamassassin

Test rule:

spamassassin -t < /path/to/test/email

SpamAssassin Statistics

Test configuration:

sudo spamassassin --lint

View rule hits:

sudo grep "hits=" /var/log/mail.log | tail -n 50

GeoIP Database Updates

Manual GeoIP Update

Download latest database:

sudo mb-update --geoip

Manual download (requires a MaxMind license key; the key is part of the URL, so it ends up in shell history and proxy logs unless you take care):

cd /tmp
wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=YOUR_KEY&suffix=tar.gz" -O GeoLite2-Country.tar.gz
sudo tar xzf GeoLite2-Country.tar.gz -C /var/lib/mailborder/geoip/ --strip-components=1
sudo systemctl restart mb-filter

Verify GeoIP Database

Check database date:

ls -lh /var/lib/mailborder/geoip/GeoLite2-Country.mmdb

Test GeoIP lookup:

sudo mb-geoip-lookup 8.8.8.8

Output:

IP: 8.8.8.8
Country: US (United States)
ISO Code: US

GeoIP Database Info

View database metadata:

sudo mb-geoip-info

Output:

Database: GeoLite2-Country
Build Date: 2025-11-05
Records: 250
IPv4 Ranges: 400,000
IPv6 Ranges: 50,000

Update Configuration

Configure Update Frequency

Edit mb-cron configuration:

sudo nano /etc/mailborder/mb-cron.conf

Set update intervals:

[updates]
virus_signatures = hourly
spam_rules = hourly
geoip_database = weekly
system_patterns = daily

Apply changes:

sudo systemctl daemon-reload
sudo systemctl restart mb-cron.timer

Configure Update Sources

ClamAV mirror:

sudo nano /etc/clamav/freshclam.conf

Set mirror:

DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

Rspamd mirror:

sudo nano /etc/rspamd/local.d/fuzzy_check.conf

GeoIP license key (keep this file readable by root only, since it holds the key):

sudo nano /etc/mailborder/geoip.conf

[geoip]
license_key = YOUR_MAXMIND_LICENSE_KEY
account_id = YOUR_ACCOUNT_ID
edition_id = GeoLite2-Country

Update Notifications

Enable Update Alerts

Configure notifications:

sudo mb-config set updates.notify_on_success false
sudo mb-config set updates.notify_on_failure true
sudo mb-config set updates.notification_email admin@example.com

Test notification:

sudo mb-update --all --notify

Review Update History

Check update log:

sudo grep "mb-update" /var/log/mailborder/mb-cron.log | tail -n 100

View update summary:

sudo mb-update --history

Output:

Update History (Last 7 Days):
2025-11-12 03:00 - All updates successful
2025-11-11 03:00 - All updates successful
2025-11-10 03:00 - GeoIP update failed (retry successful)
2025-11-09 03:00 - All updates successful

Troubleshooting Update Issues

ClamAV Update Failures

Common issues:

Mirror unavailable:

# Test mirror connection
curl -I http://database.clamav.net

# Switch to alternative mirror
sudo nano /etc/clamav/freshclam.conf
# Change: DatabaseMirror db.alternate.clamav.net

Permission errors:

sudo chown -R clamav:clamav /var/lib/clamav
sudo chmod 755 /var/lib/clamav

Disk space:

df -h /var/lib/clamav
# Free up space if needed

Rspamd Update Failures

Connection issues:

# Test Rspamd service
sudo systemctl status rspamd

# Check connectivity
curl -s http://localhost:11334/stat

Rule syntax errors:

sudo rspamadm configtest

Fix syntax errors in rule files.

GeoIP Update Failures

License key issues:

# Verify license key
sudo cat /etc/mailborder/geoip.conf

# Test download manually
curl -I "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=YOUR_KEY&suffix=tar.gz"

Database corruption:

# Remove and re-download
sudo rm /var/lib/mailborder/geoip/GeoLite2-Country.mmdb
sudo mb-update --geoip

Update Best Practices

Recommendations

  1. Monitor updates:
     • Review update logs weekly
     • Set up failure notifications
     • Verify signature counts

  2. Test before production:
     • Test updates in staging first
     • Monitor for false positives
     • Review detection rates

  3. Backup before major updates:
     • Backup signature databases
     • Backup custom rules
     • Document changes

  4. Schedule updates wisely:
     • Update during low-traffic periods
     • Stagger updates across servers
     • Allow time for testing

  5. Keep custom rules separate:
     • Store in /etc/mailborder/custom/
     • Version control custom rules
     • Document rule purpose

Update Checklist

Pre-Update:
□ Check disk space
□ Backup current signatures
□ Review current detection rates
□ Note custom rules

During Update:
□ Run mb-update --all
□ Monitor update progress
□ Check for errors

Post-Update:
□ Verify signature counts
□ Test sample emails
□ Monitor detection rates
□ Review logs for false positives
□ Document any issues

Emergency Signature Rollback

If new signatures cause issues:

Restore ClamAV signatures:

# Stop ClamAV
sudo systemctl stop clamd@scan

# Restore from backup
sudo cp /var/backups/clamav/daily.cvd.backup /var/lib/clamav/daily.cvd
sudo cp /var/backups/clamav/main.cvd.backup /var/lib/clamav/main.cvd

# Restart
sudo systemctl start clamd@scan
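
A checksummed backup and restore helper for the rollback above, as an added example that is not part of the Mailborder documentation. It copies whichever of main, daily and bytecode exist (as .cvd, or .cld once freshclam has applied incremental updates) to .backup files, records their SHA-256 digests, and on restore refuses to copy a backup whose digest no longer matches. The rollback_clamav wrapper, the /var/backups/clamav location and the clamd@scan unit name follow this page; the file layout and the constructed test files are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the Mailborder docs): signature backup with integrity check.

digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# backup_sigs SRC_DIR DST_DIR: copy main/daily/bytecode (.cvd or .cld) to
# DST_DIR/<name>.backup and write DST_DIR/SHA256SUMS; prints the number of files saved.
backup_sigs() {
  src=$1; dst=$2; count=0
  mkdir -p "$dst"
  : > "$dst/SHA256SUMS"
  for base in main daily bytecode; do
    for ext in cvd cld; do
      f="$src/$base.$ext"
      [ -f "$f" ] || continue
      cp -p "$f" "$dst/$base.$ext.backup"
      echo "$(digest "$f")  $base.$ext" >> "$dst/SHA256SUMS"
      count=$((count + 1))
    done
  done
  echo "$count"
}

# restore_sigs BACKUP_DIR DST_DIR: verify each backup against SHA256SUMS before
# copying it back; stops at the first missing or altered file. Prints files restored.
restore_sigs() {
  src=$1; dst=$2; restored=0
  while read -r sum name; do
    b="$src/$name.backup"
    if [ ! -f "$b" ]; then echo "missing backup: $b" >&2; return 1; fi
    if [ "$(digest "$b")" != "$sum" ]; then echo "digest mismatch, refusing to restore: $b" >&2; return 1; fi
    cp -p "$b" "$dst/$name"
    restored=$((restored + 1))
  done < "$src/SHA256SUMS"
  echo "$restored"
}

# Assumed live wrappers; run as root. Stop clamd first so it does not reload
# a half-written database, as the rollback steps above do.
rollback_clamav() {
  systemctl stop clamd@scan
  restore_sigs /var/backups/clamav /var/lib/clamav
  chown clamav:clamav /var/lib/clamav/*.c?d
  systemctl start clamd@scan
}

case "${1:-}" in
  backup)   backup_sigs /var/lib/clamav /var/backups/clamav ;;
  rollback) rollback_clamav ;;
esac
```

Run the backup step before mb-update --all (it is the "Backup current signatures" item in the checklist above); the digest file is what lets a later rollback tell a good backup from one that was itself overwritten or truncated.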

Revert Rspamd rules:

# Restore configuration
sudo cp /etc/rspamd/local.d/rules.conf.backup /etc/rspamd/local.d/rules.conf
sudo systemctl restart rspamd

Disable problematic rule:

# Comment out the rule block in the configuration
sudo nano /etc/rspamd/local.d/regexp.conf
sudo systemctl restart rspamd

See Also