Email.Phishing.RB-3083 tripping FPs -- SOLVED

dnsadmin 1bigthink.com dnsadmin at 1bigthink.com
Fri Mar 21 19:22:39 GMT 2008


Hello All,

Bobby, thanks! I solved it myself.

I still don't know why that sig got stuck in clam.

Problem: using clamavmodule, Email.Phishing.RB-3083 was throwing 
false-positives on quite a bit of email. I was using clam 0.91.2. 
freshclam was set to update daily (cron).
Solution: until I ran freshclam -v manually, and then verified with 
sigtool -l /usr/local/share/clamav/daily.inc |grep RB-3083, I couldn't 
tell whether the problem was cleared.

Should be okay, now.

Thanks for bearing with me!

Cheers,
Glenn
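An added example (not code from the thread) of the verification step above: it checks whether a signature name is listed in a ClamAV database and reports which names a freshclam update dropped. The two listings are constructed stand-ins for sigtool -l output so the script runs offline; against a live install you would pipe real sigtool output into sig_present instead.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a ClamAV signature name
# is listed in a database and spot signatures dropped by a freshclam update.
# Against a live install you would feed real sigtool output, e.g.
#   sigtool -l /usr/local/share/clamav/daily.inc | sig_present Email.Phishing.RB-3083
# Constructed listings stand in for that output here so the script runs offline.

# Constructed: what "sigtool -l" printed before the update (one name per line).
OLD_LISTING='Email.Phishing.RB-3082
Email.Phishing.RB-3083
Email.Phishing.RB-3084
Email.Phishing.RB-30831'

# Constructed: the listing after freshclam pulled the withdrawn signature.
NEW_LISTING='Email.Phishing.RB-3082
Email.Phishing.RB-3084
Email.Phishing.RB-30831'

# sig_present NAME: reads a listing on stdin, exit 0 only if NAME is a whole line.
# -x/-F matter: a plain "grep RB-3083" would also match RB-30831 above.
sig_present() {
    grep -qxF -- "$1"
}

# check_sig NAME LISTING: report PRESENT (exit 0) or ABSENT (exit 1).
check_sig() {
    if printf '%s\n' "$2" | sig_present "$1"; then
        echo "PRESENT: $1"
        return 0
    fi
    echo "ABSENT: $1"
    return 1
}

# dropped_sigs OLD NEW: print names in OLD that are missing from NEW,
# i.e. signatures withdrawn by the update (the FP-prone one should appear here).
dropped_sigs() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s\n' "$1" | sort > "$old"
    printf '%s\n' "$2" | sort > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# Demo run: the withdrawn signature is gone from the new database.
check_sig Email.Phishing.RB-3083 "$NEW_LISTING" || :
dropped_sigs "$OLD_LISTING" "$NEW_LISTING"
```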

At 03:01 PM 3/21/2008, you wrote:
>Answering my own questions.. My databases are where they are 
>supposed to be, in /usr/local/share/clamav. I've done some reading 
>since my last post and feel a little better grasp on this.
>
>..But, how do I go about verifying that my freshclam update has 
>purged this phishing rule (RB-3083). Any example on sigtool to read 
>the database now that I know how to find it?
>
>Thanks,
>Glenn
>
>At 02:17 PM 3/21/2008, you wrote:
>>Hello Bobby,
>>
>>Okay, since I've run into this problem, I decided to upgrade, but I 
>>can only do that to one server at a time and verify each one. I've 
>>upgraded one to install-Clam-0.92.1-SA-3.2.4.tar.gz. My other two 
>>have install-Clam-0.91.1-SA-3.2.1.tar.gz installed. All MailScanner 
>>4.65.3 by rpm install. Using clamavmodule on all.
>>
>>Now I've decided I really need to understand better what is happening.
>>
>>Where are my virus definitions? I ran freshclam. It said it 
>>updated, but I go to look for main.cvd and daily.cvd and they 
>>aren't there; anywhere! What am I missing? I thought I understood 
>>this setup, but apparently not?
>>
>>Thanks,
>>Glenn Parsons
>>
>>
>>At 01:02 PM 3/21/2008, you wrote:
>>
>>>You shouldn't need to update ClamAV, just the virus definitions.  If you
>>>manually run freshclam, then you'll get the latest defs at that point in
>>>time.
>>>
>>>-----Original Message-----
>>>From: mailscanner-bounces at lists.mailscanner.info
>>>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>>>dnsadmin 1bigthink.com
>>>Sent: Friday, March 21, 2008 12:35 PM
>>>To: MailScanner discussion
>>>Subject: RE: Email.Phishing.RB-3083 tripping FPs
>>>
>>>Hello All,
>>>
>>>Thanks Bobby! Yep. Must have been deprecated. I'm running version
>>>0.91.2 and freshclam recommends 0.92.1.
>>>
>>>Looks like I'll be installing Julian's updated RPM today.
>>>
>>>Thanks,
>>>Glenn
>>>
>>>At 12:03 PM 3/21/2008, you wrote:
>>>
>>> >Run freshclam because they must have pulled it because I don't have it.
>>> >I have Email.Phishing.RB-3082 and Email.Phishing.RB-3084 but not
>>> >Email.Phishing.RB-3083 and freshclam says I'm current.
>>> >
>>> >-----Original Message-----
>>> >From: mailscanner-bounces at lists.mailscanner.info
>>> >[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose,
>>> >Bobby
>>> >Sent: Friday, March 21, 2008 11:36 AM
>>> >To: MailScanner discussion
>>> >Subject: RE: Email.Phishing.RB-3083 tripping FPs
>>> >
>>> >What clamav signature file is that from?  I don't see it in any of mine
>>> >including the sanesecurity ones.
>>> >
>>> >-----Original Message-----
>>> >From: mailscanner-bounces at lists.mailscanner.info
>>> >[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>>> >dnsadmin 1bigthink.com
>>> >Sent: Friday, March 21, 2008 11:15 AM
>>> >To: MailScanner mailing list
>>> >Subject: Email.Phishing.RB-3083 tripping FPs
>>> >
>>> >Hello All,
>>> >
>>> >Having problems with this one particular Phishing rule deleting off
>>> >email. I thought that this mail would be quarantined, but it is not.
>>> >I've not revisited my rules to figure why it is being deleted.. doing
>>> >that now.
>>> >
>>> >However, this phishing rule is tagging way too many emails from valid
>>> >users (most of which are from and to domain users, but not all).
>>> >
>>> > >The following e-mails were found to have: Virus Detected
>>> > >
>>> > >     Sender: someone at mydomain.com
>>> > >IP Address: 69.250.4.68
>>> > >  Recipient: someoneelse at mydomian.com
>>> > >    Subject: FW: {Disarmed} RE: {Disarmed} RE: Thank you. We
>>> > >received your Compete-At inqu...
>>> > >  MessageID: m2KN5TCt032450
>>> > >Quarantine: /var/spool/mqueue.arc
>>> > >     Report: ClamAVModule:  message was infected:
>>> > >Email.Phishing.RB-3083
>>> > >
>>> > >Full headers are:
>>> >
>>> >Any suggestions on how to deal with this one phishing rule? None of the
>>> >others trigger FPs.
>>> >
>>> >Thanks,
>>> >Glenn
>>> >
>>> >
>>> >--
>>> >No virus found in this outgoing message.
>>> >Checked by AVG.
>>> >Version: 7.5.519 / Virus Database: 269.21.8/1337 - Release Date:
>>> >3/20/2008 8:10 PM
>>> >
>>> >
>>> >
>>> >--
>>> >This message has been scanned for viruses and dangerous content by
>>> >MailScanner, and is believed to be clean.
>>> >
>>> >--
>>> >MailScanner mailing list
>>> >mailscanner at lists.mailscanner.info
>>> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> >
>>> >Before posting, read http://wiki.mailscanner.info/posting
>>> >
>>> >Support MailScanner development - buy the book off the website!