Block Positive Phishing Frauds
Jim Holland
mailscanner at mango.zw
Thu Aug 24 11:23:19 IST 2006
On Thu, 24 Aug 2006, Peter Peters wrote:
> Jim Holland wrote on 24-8-2006 8:26:
> > On Thu, 24 Aug 2006, Peter Russell wrote:
> >
> >> Yeah I would be happy to stop those 3 entirely. I guess I need to write
> >> an SA rule? But one that only catches positive phishing frauds on these
> >> topics?
> >
> > Don't forget that ClamAV identifies well-known phishing frauds and those
> > are blocked as if they were viruses. Overnight I see it has caught the
> > following on our server:
> >
> > 4 ClamAV: HTML.Phishing.Bank-491
> > 2 ClamAV: HTML.Phishing.Pay-178
> > 2 ClamAV: HTML.Phishing.Bank-503
> > 1 ClamAV: HTML.Phishing.Pay-94
> > 1 ClamAV: HTML.Phishing.Pay-201
> > 1 ClamAV: HTML.Phishing.Card-32
> > 1 ClamAV: HTML.Phishing.Bank-496
> > 1 ClamAV: HTML.Phishing.Bank-471
> > 1 ClamAV: HTML.Phishing.Bank-213
>
> I had to put "Phishing" in "Non-Forging Viruses" (Don't ask me why). It
> turns out the phishing spam is forwarded like it should be (silent
> viruses are deleted) but I have had a few situations where I get a
> message stating the "entire message" was quarantined. But it wasn't.
>
> I am currently running MS version 4.52.2 and plan to update sometime
> next week. I'll have a look whether this quarantine problem is still
> present in that version.

I haven't had a problem with this AFAIK in the past. Certainly the
current versions of both MS and ClamAV work fine with the quarantining of
such mail (I prefer quarantining to deleting as it lets me see what is
actually being identified as malware). I don't put "Phishing" in
"Non-Forging Viruses", and haven't done anything unusual with the ClamAV
configuration except to include the line:

    ScanOptions="--detect-broken"

in the wrapper.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service