Phishing RBL?
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Fri Oct 14 18:59:09 IST 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
Glenn Steen wrote:
>On 14/10/05, Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> wrote:
>(snip)
>
>
>>I don't run Clamav mainly because at one point it detected malware where
>>I didn't see any (but it was a long time ago and I don't remember what
>>it was about). But even if I did it wouldn't give me a pure phishing
>>detection that could be used to make some phishing attempts get deleted.
>>
>>
>
>Define "pure" in this context. Sure it missed the recent "nordea"
>phish (swedish bank... c:a 4 million e-banking customers), but so
>would most any solution (well, perhaps not Jules phishing net)... But
>then, we're all still trying to get up off the floor from all the
>rolling and laughing ... The silly buggers used a translation
>program... Need one say more? ISTR we had a fun "autotranslation
>thread" a while back, detailing most of all the woes one would have
>with that approach.
>Not that I'm complaining about their infinite stupidity:-).
>
>Anyway, to my mind clamav is pretty darned close to getting most of
>all known phishing _and_ is a very good virus detector... So why not
>use it? Every AV has its flaws, so that it missed some few can't be a
>reason to forego it.
>
>
Just enabled ClamAV on my servers. About 5 minutes later I saw this
message:
ClamAVModule::INFECTED:: Exploit.HTML.IFrame::
./j9EFjc3L008255/msg-4991-81.html
Then I remembered why I disabled Clam... I cannot block all emails with
IFrames...
There seems to be the --no-html flag. I enabled it in clamav-wrapper.
We'll see if it does what I hope (couldn't find much info about this).
Had to switch from clamavmodule to clamav, though...
Denis
--
_
°v° Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x2252 F: 819.821.8045
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list