New service - the Team Cymru Malware Hash Registry!

Alex Broens ms-list at
Tue Oct 28 09:58:34 GMT 2008

On 10/28/2008 10:20 AM, --[ UxBoD ]-- wrote:
> Just had a read and it looks really good. I presume the best bet
> would be to use the DNS lookup method as most firewalls will have DNS
> open ?

It has a couple of disadvantages compared to the ClamAV

- The ClamAV signatures include a size field to avoid possible MD5 

- The ClamAV sigs don't delay processing and have a small memory 

- The lookups to the Cymru site will slow down processing.
(do they have enough iron to hold up to global traffic?)

- "The Malware Hash Registry (MHR) is free for non-commercial use ONLY"
so it should hardly become part of default MS.

The one big plus is the close to real time detection though its hard to 
imagine that the stuff it detects doesn't get marked as spam by already 
existing methods.

If Jules decides to add this to MailScanner I hope he does it as a 
custom function plugin
imo, this does't belong in the main "glue" aka MailScanner.

I see lots more potential for a SA plugin.


More information about the MailScanner mailing list