Greeting card scams

Alex Broens ms-list at alexb.ch
Fri Jul 27 13:14:04 IST 2007


On 7/27/2007 2:00 PM, UxBoD wrote:
> The plugin looks good, but would also mean the message is scanned twice.  Also would require the new code Jules has written for setting the message as Virus when the SA ruleset is hit.
> 
> Double edged sword really as both incur a time/processing overhead IMHO.

Hoping not to start a philosophy war:

you *could* set MS to *only* use your *Highly respected Commercial AV* 
and the plugin to use the Clam plugin.

*Highly respected Commercial AV* will kill the msg after Clam plugin 
tagged as infected.
(did I get my MS flow right?)

so what's left over in Quarantine is phishes and possibly new viri 
tagged with Clam's generic sigs, tagged as spam, (which comes in handy 
to report to *Highly respected Commercial AV*'s dev team :-)


lots of ways to do stuff...

Alex


> Regards,
> 
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
> 
> ----- Original Message -----
> From: "Alex Broens" <ms-list at alexb.ch>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Friday, July 27, 2007 12:42:12 PM (GMT) Europe/London
> Subject: Re: Greeting card scams
> 
> On 7/27/2007 1:28 PM, Glenn Steen wrote:
>> On 27/07/07, Alex Broens <ms-list at alexb.ch> wrote:
>>> On 7/27/2007 12:47 PM, Julian Field wrote:
>>>> Glenn Steen wrote:
>>>>> On 27/07/07, UxBoD <uxbod at splatnix.net> wrote:
>>>>>
>>>>>> Okay, have done some testing.  For the signature to trigger it has to
>>>>>> have a source file that contains the message body, and the following
>>>>>> headers :-
>>>>>>
>>>>>> MIME-Version: 1.0
>>>>>> Content-Type: text/plain;
>>>>>>
>>>>>> otherwise it reports the file as being okay.
>>>>>>
>>>>> Kind of what I thought... It doesn't understand that it is a mail it
>>>>> is handling.:-(
>>>>>
>>>>> Jules, how would you like to play this one?
>>>>> I suspect that whatever we do might end up being ... less than
>>>>> elegant... Unless you have some inspiration...:-)
>>>>>
>>>> Yuck.
>>>> I would have to copy the entire message into the scanning directory as
>>>> well and alter every single parser to look out for it. Nasty job.
>>> Wouldn't the ClamAV SA plugin catch these?
>>> for those using clamd it's trivial to implement.
>>>
>>> maybe that plugin could be hacked to use the clam module instead.
>>>
>>> Alex
>>>
>> You've got a link to share on that one Alex (yeah, I'm exceptionally
>> lazy today... It's Friday afternoon (here), after all:-)?
> 
> It's Friday afternoon here as well (CH) :-)
> 
> http://wiki.apache.org/spamassassin/ClamAVPlugin
> 
> keep us posted...
> 
> Alex
> 



