Email.Phishing.RB-3083 tripping FPs

dnsadmin 1bigthink.com dnsadmin at 1bigthink.com
Fri Mar 21 19:01:19 GMT 2008


Answering my own questions.. My databases are where they are supposed 
to be, in /usr/local/share/clamav. I've done some reading since my 
last post and feel I have a little better grasp on this.

..But, how do I go about verifying that my freshclam update has 
purged this phishing rule (RB-3083)? Any example on sigtool to read 
the database now that I know how to find it?

Thanks,
Glenn

At 02:17 PM 3/21/2008, you wrote:
>Hello Bobby,
>
>Okay, since I've run into this problem, I decided to upgrade, but I 
>can only do that to one server at a time and verify each one. I've 
>upgraded one to install-Clam-0.92.1-SA-3.2.4.tar.gz. My other two 
>have install-Clam-0.91.1-SA-3.2.1.tar.gz installed. All MailScanner 
>4.65.3 by rpm install. Using clamavmodule on all.
>
>Now I've decided I really need to understand better what is happening.
>
>Where are my virus definitions? I ran freshclam. It said it updated, 
>but I go to look for main.cvd and daily.cvd and they aren't there; 
>anywhere! What am I missing? I thought I understood this setup, but 
>apparently not?
>
>Thanks,
>Glenn Parsons
>
>
>At 01:02 PM 3/21/2008, you wrote:
>
>>You shouldn't need to update ClamAV, just the virus definitions.  If you
>>manually run freshclam, then you'll get the latest defs at that point in
>>time.
>>
>>-----Original Message-----
>>From: mailscanner-bounces at lists.mailscanner.info
>>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>>dnsadmin 1bigthink.com
>>Sent: Friday, March 21, 2008 12:35 PM
>>To: MailScanner discussion
>>Subject: RE: Email.Phishing.RB-3083 tripping FPs
>>
>>Hello All,
>>
>>Thanks Bobby! Yep. Must have been deprecated. I'm running version
>>0.91.2 and freshclam recommends 0.92.1.
>>
>>Looks like I'll be installing Julian's updated RPM today.
>>
>>Thanks,
>>Glenn
>>
>>At 12:03 PM 3/21/2008, you wrote:
>>
>> >Run freshclam because they must have pulled it because I don't have it.
>> >I have Email.Phishing.RB-3082 and Email.Phishing.RB-3084 but not
>> >Email.Phishing.RB-3083 and freshclam says I'm current.
>> >
>> >-----Original Message-----
>> >From: mailscanner-bounces at lists.mailscanner.info
>> >[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose,
>> >Bobby
>> >Sent: Friday, March 21, 2008 11:36 AM
>> >To: MailScanner discussion
>> >Subject: RE: Email.Phishing.RB-3083 tripping FPs
>> >
>> >What clamav signature file is that from?  I don't see it in any of mine
>> >including the sanesecurity ones.
>> >
>> >-----Original Message-----
>> >From: mailscanner-bounces at lists.mailscanner.info
>> >[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>> >dnsadmin 1bigthink.com
>> >Sent: Friday, March 21, 2008 11:15 AM
>> >To: MailScanner mailing list
>> >Subject: Email.Phishing.RB-3083 tripping FPs
>> >
>> >Hello All,
>> >
>> >Having problems with this one particular Phishing rule deleting off
>> >email. I thought that this mail would be quarantined, but it is not.
>> >I've not revisited my rules to figure why it is being deleted.. doing
>> >that now.
>> >
>> >However, this phishing rule is tagging way too many emails from valid
>> >users (most of which are from and to domain users, but not all).
>> >
>> > >The following e-mails were found to have: Virus Detected
>> > >
>> > >     Sender: someone at mydomain.com
>> > >IP Address: 69.250.4.68
>> > >  Recipient: someoneelse at mydomian.com
>> > >    Subject: FW: {Disarmed} RE: {Disarmed} RE: Thank you. We
>> > >received your Compete-At inqu...
>> > >  MessageID: m2KN5TCt032450
>> > >Quarantine: /var/spool/mqueue.arc
>> > >     Report: ClamAVModule:  message was infected:
>> > >Email.Phishing.RB-3083
>> > >
>> > >Full headers are:
>> >
>> >Any suggestions on how to deal with this one phishing rule? None of the
>> >others trigger FPs.
>> >
>> >Thanks,
>> >Glenn
>> >
>> >
>> >--
>> >No virus found in this outgoing message.
>> >Checked by AVG.
>> >Version: 7.5.519 / Virus Database: 269.21.8/1337 - Release Date:
>> >3/20/2008 8:10 PM
>> >
>> >
>> >
>> >--
>> >This message has been scanned for viruses and dangerous content by
>> >MailScanner, and is believed to be clean.
>> >
>> >--
>> >MailScanner mailing list
>> >mailscanner at lists.mailscanner.info
>> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >
>> >Before posting, read http://wiki.mailscanner.info/posting
>> >
>> >Support MailScanner development - buy the book off the website!


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
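
One way to do the check asked about at the top of this message, as an added example that is not part of the original thread: list the signature names with `sigtool --list-sigs` and test for an exact match on the name. It assumes sigtool is on the PATH and reads the same database directory that freshclam updates; the sample listing is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes sigtool is on PATH and uses
# the same local database directory that freshclam writes to.

# Print the names of all signatures in the local ClamAV databases.
list_installed_sigs() {
    sigtool --list-sigs
}

# sig_present NAME: read a signature listing on stdin and succeed (exit 0)
# only on an exact name match. A substring grep for RB-3083 would also hit
# a longer name such as RB-30831, so compare the whole last field.
sig_present() {
    awk -v name="$1" '
        $NF == name { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# check_sig NAME: report whether NAME is in the installed databases.
check_sig() {
    if list_installed_sigs | sig_present "$1"; then
        echo "$1 is still present in the local databases"
    else
        echo "$1 was not found in the local databases"
    fi
}

# Constructed sample listing (two names from the thread plus one made-up
# longer name) for trying sig_present on a host without ClamAV installed.
sample_listing() {
    printf '%s\n' \
        'Email.Phishing.RB-3082' \
        'Email.Phishing.RB-30831' \
        'Email.Phishing.RB-3084'
}

# Query the real databases only when sigtool is actually installed.
if command -v sigtool >/dev/null 2>&1; then
    check_sig "${1:-Email.Phishing.RB-3083}"
fi
```

A "not found" result only describes the files on disk; a scanner process that loaded the databases before the update has to reload them before the signature stops matching.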


