Email.Phishing.RB-3083 tripping FPs
Rose, Bobby
brose at med.wayne.edu
Fri Mar 21 19:23:00 GMT 2008
egrep -r -e"Email.Phishing.RB-3083" /usr/local/share/clamav/*
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
dnsadmin 1bigthink.com
Sent: Friday, March 21, 2008 3:01 PM
To: MailScanner discussion
Subject: RE: Email.Phishing.RB-3083 tripping FPs
Answering my own questions.. My databases are where they are supposed to
be, in /usr/local/share/clamav. I've done some reading since my last
post and feel a little better grasp on this.
..But, how do I go about verifying that my freshclam update has purged
this phishing rule (RB-3083)? Any example on sigtool to read the
database now that I know how to find it?
Thanks,
Glenn
At 02:17 PM 3/21/2008, you wrote:
>Hello Bobby,
>
>Okay, since I've run into this problem, I decided to upgrade, but I can
>only do that to one server at a time and verify each one. I've upgraded
>one to install-Clam-0.92.1-SA-3.2.4.tar.gz. My other two have
>install-Clam-0.91.1-SA-3.2.1.tar.gz installed. All MailScanner
>4.65.3 by rpm install. Using clamavmodule on all.
>
>Now I've decided I really need to understand better what is happening.
>
>Where are my virus definitions? I ran freshclam. It said it updated,
>but I go to look for main.cvd and daily.cvd and they aren't there;
>anywhere! What am I missing? I thought I understood this setup, but
>apparently not?
>
>Thanks,
>Glenn Parsons
>
>
>At 01:02 PM 3/21/2008, you wrote:
>
>>You shouldn't need to update ClamAV, just the virus definitions. If
>>you manually run freshclam, then you'll get the latest defs at that
>>point in time.
>>
>>-----Original Message-----
>>From: mailscanner-bounces at lists.mailscanner.info
>>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>>dnsadmin 1bigthink.com
>>Sent: Friday, March 21, 2008 12:35 PM
>>To: MailScanner discussion
>>Subject: RE: Email.Phishing.RB-3083 tripping FPs
>>
>>Hello All,
>>
>>Thanks Bobby! Yep. Must have been deprecated. I'm running version
>>0.91.2 and freshclam recommends 0.92.1.
>>
>>Looks like I'll be installing Julian's updated RPM today.
>>
>>Thanks,
>>Glenn
>>
>>At 12:03 PM 3/21/2008, you wrote:
>>
>> >Run freshclam because they must have pulled it because I don't have it.
>> >I have Email.Phishing.RB-3082 and Email.Phishing.RB-3084 but not
>> >Email.Phishing.RB-3083 and freshclam says I'm current.
>> >
>> >-----Original Message-----
>> >From: mailscanner-bounces at lists.mailscanner.info
>> >[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>> >Rose, Bobby
>> >Sent: Friday, March 21, 2008 11:36 AM
>> >To: MailScanner discussion
>> >Subject: RE: Email.Phishing.RB-3083 tripping FPs
>> >
>> >What clamav signature file is that from? I don't see it in any of
>> >mine including the sanesecurity ones.
>> >
>> >-----Original Message-----
>> >From: mailscanner-bounces at lists.mailscanner.info
>> >[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>> >dnsadmin 1bigthink.com
>> >Sent: Friday, March 21, 2008 11:15 AM
>> >To: MailScanner mailing list
>> >Subject: Email.Phishing.RB-3083 tripping FPs
>> >
>> >Hello All,
>> >
>> >Having problems with this one particular Phishing rule deleting off
>> >email. I thought that this mail would be quarantined, but it is not.
>> >I've not revisited my rules to figure why it is being deleted..
>> >doing that now.
>> >
>> >However, this phishing rule is tagging way too many emails from
>> >valid users (most of which are from and to domain users, but not all).
>> >
>> > >The following e-mails were found to have: Virus Detected
>> > >
>> > > Sender: someone at mydomain.com
>> > >IP Address: 69.250.4.68
>> > > Recipient: someoneelse at mydomian.com
>> > > Subject: FW: {Disarmed} RE: {Disarmed} RE: Thank you. We
>> > >received your Compete-At inqu...
>> > > MessageID: m2KN5TCt032450
>> > >Quarantine: /var/spool/mqueue.arc
>> > > Report: ClamAVModule: message was infected:
>> > >Email.Phishing.RB-3083
>> > >
>> > >Full headers are:
>> >
>> >Any suggestions on how to deal with this one phishing rule? None of
>> >the others trigger FPs.
>> >
>> >Thanks,
>> >Glenn
>> >
>> >
>> >--
>> >No virus found in this outgoing message.
>> >Checked by AVG.
>> >Version: 7.5.519 / Virus Database: 269.21.8/1337 - Release Date:
>> >3/20/2008 8:10 PM
>> >
>> >
>> >
>> >--
>> >This message has been scanned for viruses and dangerous content by
>> >MailScanner, and is believed to be clean.
>> >
>> >--
>> >MailScanner mailing list
>> >mailscanner at lists.mailscanner.info
>> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >
>> >Before posting, read http://wiki.mailscanner.info/posting
>> >
>> >Support MailScanner development - buy the book off the website!
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
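
Added example, not part of the original thread: the recursive egrep at the top of this message matches substrings, so this shell function compares the signature-name field exactly and returns a status that can be checked after a freshclam run. The function names, the set of file formats handled and the sample signatures are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find which ClamAV database files define a signature name.
# Matches the name field exactly, so RB-3083 does not also hit RB-30830.
# Reads only unpacked text databases (.db, .ndb, .hdb, .mdb), e.g. files
# under daily.inc/ and main.inc/; packed .cvd files are compressed and
# have to be unpacked first.

# sig_files DBDIR SIGNAME -> prints "file:line" for each definition,
# returns 0 if the signature is present, 1 if it is absent.
sig_files() {
    dbdir=$1 sig=$2
    hits=$(find "$dbdir" -type f \
            \( -name '*.db' -o -name '*.ndb' -o -name '*.hdb' -o -name '*.mdb' \) |
        sort |
        while IFS= read -r f; do
            case $f in
                *.db)        sep='=' col=1 ;;   # Name=HexSignature
                *.ndb)       sep=':' col=1 ;;   # Name:Type:Offset:HexSignature
                *.hdb|*.mdb) sep=':' col=3 ;;   # hash and size fields, then Name
            esac
            awk -F"$sep" -v c="$col" -v s="$sig" -v f="$f" \
                '$c == s { print f ":" NR }' "$f"
        done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Constructed sample databases (not real ClamAV signatures).
make_sample_db() {
    d=$(mktemp -d)
    mkdir "$d/daily.inc"
    printf '%s\n' \
        'Email.Phishing.RB-3082:4:*:68656c6c6f' \
        'Email.Phishing.RB-3084:4:*:776f726c64' \
        'Email.Phishing.RB-30830:4:*:666f6f626172' > "$d/daily.inc/daily.ndb"
    printf '%s\n' 'Constructed.Test-1=deadbeef' > "$d/daily.inc/daily.db"
    printf '%s\n' "$d"
}

# Run with --demo to see both outcomes on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_db)
    sig_files "$d" 'Email.Phishing.RB-3083' || echo "RB-3083: not present"
    sig_files "$d" 'Email.Phishing.RB-3082'
    rm -rf "$d"
fi
```

Against a live install, call sig_files with the database directory named in this thread (/usr/local/share/clamav) and the signature name; exit status 1 means no loaded text database defines it.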