Phishing RBL?

Glenn Steen glenn.steen at GMAIL.COM
Sun Oct 16 12:22:36 IST 2005



On 16/10/05, Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> wrote:
> Ugo Bellavance wrote:
> > Glenn Steen wrote:
> >> On 14/10/05, Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> wrote:
> >> (snip)
> >>> Just enabled ClamAV on my servers.  About 5 minutes later I saw this
> >>> message:
> >>> ClamAVModule::INFECTED:: Exploit.HTML.IFrame::
> >>> ./j9EFjc3L008255/msg-4991-81.html
> >>>
> >>> Then I remembered why I disabled Clam...  I cannot block all emails
> >>> with
> >>> IFrames...
> >>>
> >>> There seems to be the --no-html flag.  I enabled it in clamav-wrapper.
> >>> We'll see if it does what I hope (couldn't find much info about this).
> >>>
> >>> Had to switch from clamavmodule to clamav, though...
> >>
> >> I might be completely wrong, but.... I *don't* use that flag, and it
> >> only catches really bad iframes... Not like the MS thing that catches
> >> *all* ...So far at least.
> >> Did you check that the IFrame in question wasn't malicious?
> >
> > I agree, I don't think it catches all IFRAMEs...
> >
> OK, then can someone point me to some documentation about that feature?
>
> Thanks!
>
> Denis
> PS: I think it was malicious (it was part of an infected email)

Ah yes, and those it really should pick up, now shouldn't it ;).

Haven't looked for docs, but have had it running for a while (a year
more or less), and unlike you I don't allow IFrames at all (well, some
financial newsletter senders have been WL'd for IFrames). It is the
very few really dangerous ones that ClamAV picks up, never the more or
less harmless ones picked up by MailScanner.

I'd imagine asking at a relevant clamav mailing-list would give the
fastest/best info.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

------------------------ MailScanner list ------------------------