Block Positive Phishing Frauds

Colin Jack colin at mainline.co.uk
Thu Aug 24 13:20:20 IST 2006


Thanks Jim - I will have a poke about.

Hope it's not too bad out there ...

Regards

Colin

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
> Of Jim Holland
> Sent: 24 August 2006 12:39
> To: MailScanner discussion
> Subject: RE: Block Positive Phishing Frauds
>
> Hi Colin
>
> On Thu, 24 Aug 2006, Colin Jack wrote:
>
> > Whoa ... a zimbo?
>
> Not really - just an Aussie who has been living in Zimbabwe
> for rather too long!
>
> > Newbie question Jim ... where does ClamAV keep all the rules?
> >
> > Thanks
> >
> > Colin
>
> The two configuration files are:
>
> 	/usr/local/etc/clamd.conf
> 	/usr/local/etc/freshclam.conf
>
> The first is only if you are running the ClamAV daemon, which
> is not recommended.  The second is for the updates - it is
> essential to configure here the correct DatabaseMirror (eg
> db.zw.clamav.net).
>
> For use with MailScanner you need a wrapper which sets up the
> parameters that are passed to clamscan.  This is the file:
>
> 	/usr/lib/MailScanner/clamav-wrapper
>
> The only change I make is to add ScanOptions="--detect-broken".
>
> The virus definitions are downloaded by freshclam (which is
> itself called by /usr/lib/MailScanner/clamav-autoupdate which
> is called by
> /etc/cron.hourly/update_virus_scanners) to /usr/local/share/clamav.
>
> Hope that helps!
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
>
> > > -----Original Message-----
> > > From: mailscanner-bounces at lists.mailscanner.info
> > > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jim Holland
> > > Sent: 24 August 2006 11:23
> > > To: MailScanner discussion
> > > Subject: Re: Block Positive Phishing Frauds
> > >
> > > On Thu, 24 Aug 2006, Peter Peters wrote:
> > >
> > > > Jim Holland wrote on 24-8-2006 8:26:
> > > > > On Thu, 24 Aug 2006, Peter Russell wrote:
> > > > >
> > > > >> Yeah I would be happy to stop those 3 entirely. I guess
> > > > >> I need to write an SA rule? But one that only catches positive
> > > > >> phishing frauds on these topics?
> > > > >
> > > > > Don't forget that ClamAV identifies well-known phishing
> > > frauds and
> > > > > those are blocked as if they were viruses. Overnight I see it
> > > > > has caught the following on our server:
> > > > >
> > > > > 4   ClamAV:  HTML.Phishing.Bank-491
> > > > > 2   ClamAV:  HTML.Phishing.Pay-178
> > > > > 2   ClamAV:  HTML.Phishing.Bank-503
> > > > > 1   ClamAV:  HTML.Phishing.Pay-94
> > > > > 1   ClamAV:  HTML.Phishing.Pay-201
> > > > > 1   ClamAV:  HTML.Phishing.Card-32
> > > > > 1   ClamAV:  HTML.Phishing.Bank-496
> > > > > 1   ClamAV:  HTML.Phishing.Bank-471
> > > > > 1   ClamAV:  HTML.Phishing.Bank-213
> > > >
> > > > I had to put "Phishing" in "Non-Forging Viruses" (Don't ask
> > > > me why). It turns out the phishing spam is forwarded like it
> > > > should be (silent viruses are deleted) but I have had a few
> > > > situations where I get a message stating the "entire message"
> > > > was quarantined. But it wasn't.
> > > >
> > > > I am currently running MS version 4.52.2 and plan to update
> > > > sometime next week. I'll have a look whether this quarantine
> > > > problem is still present in that version.
> > >
> > > I haven't had a problem with this AFAIK in the past.
> > > Certainly the current versions of both MS and ClamAV work
> > > fine with the quarantining of such mail (I prefer quarantining
> > > to deleting as it lets me see what is actually being identified
> > > as malware).  I don't put "Phishing" in "Non-Forging Viruses",
> > > and haven't done anything unusual with the ClamAV configuration
> > > except to include the line:
> > >
> > > 	ScanOptions="--detect-broken"
> > >
> > > in the wrapper.
> > >
> > > Regards
> > >
> > > Jim Holland
> > > System Administrator
> > > MANGO - Zimbabwe's non-profit e-mail service
> > >
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > Before posting, read http://wiki.mailscanner.info/posting
> > >
> > > Support MailScanner development - buy the book off the website!
> > >
> >
> > ----------------------disclaimer ---------------------------------
> >
> > 1. This e-mail and any attachments are confidential & access by
> > anyone other than the addressee(s) is unauthorised.
> > 2. The security of e-mail communication cannot be guaranteed and
> > neither Mainline IT nor Mainline Internet will accept claims
> > arising as a result of using this medium.
> > 3. Any opinions expressed herein are the opinions of the author and
> > are not those of either Mainline IT or Mainline Internet.
> > 4. Although all email is scanned for viruses, it is the
> > responsibility of the recipient to ensure they have adequate
> > anti-virus defences.
> >
> >
> > ----------------------------------------------------------------------
>
>
