How to quarantine only Phishing stuff from Clam?

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Thu Mar 10 16:17:51 GMT 2005


Jeff

there was something on this last week (I think) and I'm pretty sure your
solution was more or less identical.

Both Jiscmail and gmane searching are being dog slow for me at the
moment, but searching on the silent viruses string during this month
should give you the answer.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Jeff A. Earickson wrote:
> Martin,
>
> I looked at that example.  I already have:
>
> Quarantine Infections = yes
> Quarantine Silent Viruses = no
> Silent Viruses = HTML-IFrame All-Viruses
>
> All of these options can take a ruleset.  So I want to redefine what
> a silent virus is via a ruleset, ie "leave Julian's default alone,
> but remove Phishing from the silent virus set".  Will what I've proposed
> do that?  When everything can be defined with rulesets, sometimes the
> question is, "which option do I use the ruleset on?", as well as
> "Is this ruleset correct?".
>
> Jeff
>
> On Thu, 10 Mar 2005, Martin Hepworth wrote:
>
>> Date: Thu, 10 Mar 2005 15:31:19 +0000
>> From: Martin Hepworth <martinh at SOLID-STATE-LOGIC.COM>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: How to quarantine only Phishing stuff from Clam?
>>
>> Jeff
>>
>> from the EXAMPLE file in the rules dir..
>> ###################################
>> 7. Only quarantine some viruses
>>
>>   Set "Quarantine Infections = /etc/MailScanner/rules/quarantine.rules".
>>   Virus:       sobig                   no
>>   Virus:       default                 yes
>> ###################################
>>
>> Also I'd change the
>>
>> Virus:  Phishing.Bank   no
>>
>> to
>>
>> Virus:  Phishing   no
>>
>> so it covers paypal/ebay phishing attempts etc (or phishing frauds if
>> you can get your mouth around tongue twisters :-)
>>
>> --
>> Martin Hepworth
>> Snr Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300
>>
>>
>> Jeff A. Earickson wrote:
>>
>>> Julian,
>>>
>>> My daily report of who is sending viruses from our own domain has
>>> been showing Phishing stuff caught by ClamAV, coming from my own
>>> webmail server.
>>>
>>> A sample of what gets emailed to me via "Notices to", and then boiled
>>> down by a perl script:
>>>
>>> j29LMw3X004268: 137.146.210.58 (username)
>>> ClamAV Module: msg-21083-102.txt was infected: HTML.Phishing.Bank-111
>>>
>>> I want to investigate, ie quarantine the offending messages.  But I
>>> don't want to quarantine tons of crap.  I have
>>>
>>> Quarantine Infections = yes
>>> Quarantine Silent Viruses = no
>>>
>>> and I want to set up a ruleset specifying silent viruses.  Would this
>>> be right?
>>>
>>> %localrules-dir% = /etc/MailScanner/rules
>>> Silent Viruses = %localrules-dir%/silent-viruses.rules
>>>
>>> where the silent-viruses.rules looks like:
>>>
>>> Virus:  All-Viruses             yes
>>> Virus:  HTML-IFrame             yes
>>> Virus:  Phishing.Bank   no
>>>
>>> Do I need to specify a default here?
>>>
>>> Jeff Earickson
>>> Colby College
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>> Support MailScanner development - buy the book off the website!
>>
>>
>> **********************************************************************
>>
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they
>> are addressed. If you have received this email in error please notify
>> the system manager.
>>
>> This footnote confirms that this email message has been swept
>> for the presence of computer viruses and is believed to be clean.
>>
>> **********************************************************************
>>
>>
>


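The ruleset lookup the thread keeps circling around, as an added illustration (this is not MailScanner's own code and not anything posted in the thread): a small Python evaluator for "Virus:" rules under the semantics assumed here, namely rules are tried top to bottom and the first match wins, a pattern is matched case-insensitively as a substring of the string the scanner module reports, and the keyword "default" matches anything. It contrasts the narrower "Phishing.Bank" pattern with the broader "Phishing" one Martin suggests, and shows what a ruleset without a "default" line returns. Only the report "HTML.Phishing.Bank-111" comes from the thread; "HTML.Phishing.Pay-2" and "Worm.Sobig.F" are constructed inputs, and the yes/no values follow the "Quarantine Infections" form in the EXAMPLES file.

```python
"""Toy evaluator for MailScanner-style "Virus:" rulesets.

Added illustration, not MailScanner's code. Assumed semantics (check the
EXAMPLES file and Config.pm of your own version before relying on them):
  - rules are tried top to bottom and the first match wins;
  - a pattern is matched case-insensitively as a substring of the virus
    report string (e.g. "HTML.Phishing.Bank-111"), so the pattern
    "Phishing" also covers "HTML.Phishing.Pay-2";
  - the keyword "default" matches any report.
"""
import re
from typing import Optional

# One rule per line: "Virus:" <pattern> <value>
RULE_RE = re.compile(r"^\s*Virus:\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_ruleset(text: str) -> list[tuple[str, str]]:
    """Return (pattern, value) pairs, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append((m.group(1), m.group(2)))
    return rules


def lookup(rules: list[tuple[str, str]], report: str) -> Optional[str]:
    """First-match lookup; None when no rule (not even 'default') matched."""
    for pattern, value in rules:
        if pattern.lower() == "default":
            return value
        if re.search(re.escape(pattern), report, re.IGNORECASE):
            return value
    return None


# Constructed rulesets. The patterns come from the thread; the "default"
# lines are added so the lookup always returns a value.
QUARANTINE_NARROW = """
# quarantine.rules: only the Bank family of ClamAV's phishing signatures
Virus:  Phishing.Bank   yes
Virus:  default         no
"""

QUARANTINE_BROAD = """
# quarantine.rules: Martin's suggestion, every Phishing.* report
Virus:  Phishing        yes
Virus:  default         no
"""

NO_DEFAULT = """
Virus:  Phishing        yes
"""

SAMPLE_REPORTS = [
    "HTML.Phishing.Bank-111",  # the report Jeff quoted
    "HTML.Phishing.Pay-2",     # constructed: a PayPal-style phishing report
    "Worm.Sobig.F",            # constructed: an ordinary worm report
]


def quarantine_decisions(ruleset_text: str) -> dict[str, Optional[str]]:
    """Map each sample report to the value the ruleset yields for it."""
    rules = parse_ruleset(ruleset_text)
    return {report: lookup(rules, report) for report in SAMPLE_REPORTS}


if __name__ == "__main__":
    for name, text in [("narrow", QUARANTINE_NARROW),
                       ("broad", QUARANTINE_BROAD),
                       ("no default", NO_DEFAULT)]:
        print(name, quarantine_decisions(text))
```

Running it shows the difference Martin points at: under the narrow ruleset only the Bank-111 report is quarantined, under the broad one both phishing reports are, and the Sobig report stays out either way. With no "default" line the Sobig report matches nothing and the lookup returns None, which is exactly the "Do I need to specify a default here?" case; the safe answer is to always end a ruleset with a "default" rule so every report gets an explicit decision.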