Block Positive Phishing Frauds
Jim Holland
mailscanner at mango.zw
Thu Aug 24 12:38:56 IST 2006
Hi Colin

On Thu, 24 Aug 2006, Colin Jack wrote:

> Whoa ... a zimbo?

Not really - just an Aussie who has been living in Zimbabwe for rather too
long!

> Newbie question Jim ... where does ClamAV keep all the rules?
>
> Thanks
>
> Colin

The two configuration files are:

    /usr/local/etc/clamd.conf
    /usr/local/etc/freshclam.conf

The first is only if you are running the ClamAV daemon, which is not
recommended. The second is for the updates - it is essential to
configure here the correct DatabaseMirror (eg db.zw.clamav.net).

For use with MailScanner you need a wrapper which sets up the
parameters that are passed to clamscan. This is the file:

    /usr/lib/MailScanner/clamav-wrapper

The only change I make is to add ScanOptions="--detect-broken".

The virus definitions are downloaded by freshclam (which is itself called
by /usr/lib/MailScanner/clamav-autoupdate which is called by
/etc/cron.hourly/update_virus_scanners) to /usr/local/share/clamav.

Hope that helps!

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info
> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
> > Of Jim Holland
> > Sent: 24 August 2006 11:23
> > To: MailScanner discussion
> > Subject: Re: Block Positive Phishing Frauds
> >
> > On Thu, 24 Aug 2006, Peter Peters wrote:
> >
> > > Jim Holland wrote on 24-8-2006 8:26:
> > > > On Thu, 24 Aug 2006, Peter Russell wrote:
> > > >
> > > >> Yeah I would be happy to stop those 3 entirely. I guess I need to
> > > >> write an SA rule? But one that only catch positive phishing frauds
> > > >> on these topics?
> > > >
> > > > Don't forget that ClamAV identifies well-known phishing frauds and
> > > > those are blocked as if they were viruses. Overnight I see it has
> > > > caught the following on our server:
> > > >
> > > > 4 ClamAV: HTML.Phishing.Bank-491
> > > > 2 ClamAV: HTML.Phishing.Pay-178
> > > > 2 ClamAV: HTML.Phishing.Bank-503
> > > > 1 ClamAV: HTML.Phishing.Pay-94
> > > > 1 ClamAV: HTML.Phishing.Pay-201
> > > > 1 ClamAV: HTML.Phishing.Card-32
> > > > 1 ClamAV: HTML.Phishing.Bank-496
> > > > 1 ClamAV: HTML.Phishing.Bank-471
> > > > 1 ClamAV: HTML.Phishing.Bank-213
> > >
> > > I had to put "Phishing" in "Non-Forging Viruses" (Don't ask me why).
> > > It turns out the phishing spam is forwarded like they should (silent
> > > viruses are deleted) but I have had a few situations where I get a
> > > message stating the "entire message" was quarantined. But it wasn't.
> > >
> > > I am currently running MS version 4.52.2 and plan to update sometime
> > > next week. I'll have a look whether this quarantine problem is still
> > > present in that version.
> >
> > I haven't had a problem with this AFAIK in the past.
> > Certainly the current versions of both MS and ClamAV work
> > fine with the quarantining of such mail (I prefer
> > quarantining to deleting as it lets me see what is actually
> > being identified as malware). I don't put "Phishing" in
> > "Non-Forging Viruses", and haven't done anything unusual with
> > the ClamAV configuration except to include the line:
> >
> > ScanOptions="--detect-broken"
> >
> > in the wrapper.
> >
> > Regards
> >
> > Jim Holland
> > System Administrator
> > MANGO - Zimbabwe's non-profit e-mail service
> >
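
A tally like the one quoted in the thread above can be produced from scanner output with a short script. This is an added example, not code from the original message or from MailScanner; it assumes clamscan-style report lines of the form `<path>: <SignatureName> FOUND`, and the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: tally ClamAV phishing detections from clamscan-style output.
# Assumes report lines of the form "<path>: <SignatureName> FOUND".

# Constructed sample input: the paths and Worm.Example-1 are made up; the
# phishing signature names are ones listed in the thread above.
sample_report() {
cat <<'EOF'
/tmp/sample/msg-a.html: HTML.Phishing.Bank-491 FOUND
/tmp/sample/msg-b.html: HTML.Phishing.Pay-178 FOUND
/tmp/sample/msg c.html: HTML.Phishing.Bank-491 FOUND
/tmp/sample/msg-d.txt: OK
/tmp/sample/msg-e.html: HTML.Phishing.Card-32 FOUND
/tmp/sample/msg-f.exe: Worm.Example-1 FOUND
/tmp/sample/msg-g.html: HTML.Phishing.Bank-503 FOUND
EOF
}

# One line per phishing signature, "count ClamAV: name", most frequent first.
# Fields are taken from the end of the line so paths with spaces still parse.
phish_by_signature() {
    awk '$NF == "FOUND" && $(NF-1) ~ /^HTML\.Phishing\./ { n[$(NF-1)]++ }
         END { for (s in n) printf "%d ClamAV: %s\n", n[s], s }' |
    sort -k1,1nr -k3,3
}

# The same detections grouped by family (Bank, Pay, Card, ...), which is the
# third component of the signature name.
phish_by_family() {
    awk '$NF == "FOUND" && $(NF-1) ~ /^HTML\.Phishing\./ {
             split($(NF-1), p, /[.-]/); n[p[3]]++ }
         END { for (f in n) printf "%d %s\n", n[f], f }' |
    sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample.
sample_report | phish_by_signature
sample_report | phish_by_family
```

Non-phishing detections and clean files are ignored, so the counts cover only the `HTML.Phishing.*` signatures discussed in the thread.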