Block Positive Phishing Frauds

Colin Jack colin at mainline.co.uk
Thu Aug 24 11:41:26 IST 2006


Whoa ... a zimbo?

Newbie question Jim ... where does ClamAV keep all the rules?

Thanks

Colin

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
> Of Jim Holland
> Sent: 24 August 2006 11:23
> To: MailScanner discussion
> Subject: Re: Block Positive Phishing Frauds
>
> On Thu, 24 Aug 2006, Peter Peters wrote:
>
> > Jim Holland wrote on 24-8-2006 8:26:
> > > On Thu, 24 Aug 2006, Peter Russell wrote:
> > >
> > >> Yeah I would be happy to stop those 3 entirely. I guess I need to
> > >> write an SA rule? But one that only catches positive phishing frauds
> > >> on these topics?
> > >
> > > Don't forget that ClamAV identifies well-known phishing frauds and
> > > those are blocked as if they were viruses. Overnight I see it has
> > > caught the following on our server:
> > >
> > > 4   ClamAV:  HTML.Phishing.Bank-491
> > > 2   ClamAV:  HTML.Phishing.Pay-178
> > > 2   ClamAV:  HTML.Phishing.Bank-503
> > > 1   ClamAV:  HTML.Phishing.Pay-94
> > > 1   ClamAV:  HTML.Phishing.Pay-201
> > > 1   ClamAV:  HTML.Phishing.Card-32
> > > 1   ClamAV:  HTML.Phishing.Bank-496
> > > 1   ClamAV:  HTML.Phishing.Bank-471
> > > 1   ClamAV:  HTML.Phishing.Bank-213
> >
> > I had to put "Phishing" in "Non-Forging Viruses" (Don't ask me why).
> > It turns out the phishing spam is forwarded like they should (silent
> > viruses are deleted) but I have had a few situations where I get a
> > message stating the "entire message" was quarantined. But it wasn't.
> >
> > I am currently running MS version 4.52.2 and plan to update sometime
> > next week. I'll have a look whether this quarantine problem is still
> > present in that version.
>
> I haven't had a problem with this AFAIK in the past.
> Certainly the current versions of both MS and ClamAV work
> fine with the quarantining of such mail (I prefer
> quarantining to deleting as it lets me see what is actually
> being identified as malware).  I don't put "Phishing" in
> "Non-Forging Viruses", and haven't done anything unusual with
> the ClamAV configuration except to include the line:
>
> 	ScanOptions="--detect-broken"
>
> in the wrapper.
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
>