Sanesecurity signatures are no longer being updated or distributed

andrew colin andrew.colin at gmail.com
Mon Jan 5 11:00:43 GMT 2009


196.35.158.184 is the Internet Solutions caching server in SA, so your
records are for multiple users sitting behind a transparent proxy.


On Tue, Dec 16, 2008 at 11:05 PM, Steve Basford
<steveb_clamav at sanesecurity.com> wrote:
>
>
> Greg Matthews wrote:
>>
>> Anyone know if Sane Security are submitting signatures direct to ClamAV? I
>> understand that many of their signatures would make their way into the
>> official Clam updates.
>
> Sanesecurity signatures aren't being added into the ClamAV official
> signatures... they are totally third-party sigs.
>
>> Sounds like a P2P distribution mech may have helped here.
>>
> Well, I've just managed to find a little time to do a little log checking,
> now that the round-robin PHP script was turned off. Checking the log for
> today:
>
> Position:  IP: number of hits for today
>
> In other words, if people downloaded the sigs every hour, each IP should
> only have 24 hits....as you can see, the above IPs are WAY over that.
> Checking the log in detail... it seems people are setting the download
> scripts to download every second.... all adding up to: 45,554 hits an hour,
> add the fact that 45,554 hits would run a PHP script... guess that's why the
> CPU usage was so high on a shared server and then got suspended.
>
> Signature Note:
>
> People have decided to mirror the last version of the public signatures:
>
> 1. The signatures were removed and a placeholder signature added, so that
> hopefully people would quickly notice that their scripts needed to be
> changed... as the server is still getting hammered by wget/curl requests
> (approx 45,554 hits per hour)
>
> 2. NO SUPPORT will be given on these unofficially mirrored signatures, in
> fact these mirrored signatures are already out of date, some false positives
> have already been corrected and new signatures have already been added to my
> private version of the signatures.
>
> Hope that helps,
>
> Steve
> Sanesecurity



-- 
"Dru"
To follow the path, look to the master, follow the master, walk with
the master, see through the master, become the master. (zen)
http://www.topdog.za.net/
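
The check discussed in this thread (more than 24 hits per IP per day, and whether a heavy address is one looping script or many users behind a proxy), as an added example that is not part of the original messages. It assumes Apache combined log format; the log lines, the `/sigs.gz` path, the documentation-range addresses and the "more than 3 User-Agents" cut-off are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
EXPECTED_PER_DAY = 24  # one download per hour, the figure used in the post


def summarise(lines, expected=EXPECTED_PER_DAY):
    """Return {ip: stats} for every IP with more than `expected` hits in the log."""
    hits = defaultdict(list)    # ip -> request timestamps
    agents = defaultdict(set)   # ip -> distinct User-Agent strings
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed lines instead of failing
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        agents[m["ip"]].add(m["ua"])
    report = {}
    for ip, stamps in hits.items():
        if len(stamps) <= expected:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        many_agents = len(agents[ip]) > 3   # assumed cut-off, tune per site
        report[ip] = {
            "hits": len(stamps),
            "min_gap_s": min(gaps),
            "agents": len(agents[ip]),
            # Rough heuristic: many agents behind one address points to a shared
            # proxy or NAT; one agent at a tight interval points to one script.
            "likely": "shared proxy" if many_agents else "single client loop",
        }
    return report


def constructed_log():
    """Constructed sample: one looping client, one proxy, one hourly client."""
    fmt = ('{ip} - - [16/Dec/2008:{h:02d}:{m:02d}:{s:02d} +0000] '
           '"GET /sigs.gz HTTP/1.0" 200 512 "-" "{ua}"')
    lines = [fmt.format(ip="192.0.2.10", h=0, m=0, s=s, ua="Wget/1.10.2") for s in range(40)]
    lines += [fmt.format(ip="198.51.100.7", h=i % 24, m=i, s=0, ua=f"curl/7.{i % 6}")
              for i in range(48)]
    lines += [fmt.format(ip="203.0.113.5", h=h, m=0, s=0, ua="Wget/1.10.2") for h in range(24)]
    return lines


if __name__ == "__main__":
    for ip, stats in summarise(constructed_log()).items():
        print(ip, stats)
```

A per-IP threshold alone would treat the proxy address and the looping client the same; the minimum gap and User-Agent count are what separate them before any block or rate limit is applied.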

