SPAMVIRUS Feature Question
Richard Mealing
richard at fastnet.co.uk
Wed Oct 21 09:15:21 IST 2009
Hi,
Not sure if this will help anyone, but I already did write a ton of
rules with the help of Jules...
# SpamAssassin header rules for the MailScanner SpamVirus report header,
# one per SaneSecurity signature family. Rule names use only letters, digits
# and underscores, and the dots in each pattern are escaped so they match a
# literal '.' rather than any character. Each rule must be on a single line.
#Sanesecurity Signature (jurlbl.ndb)
header SPAMVIRUSJurlbl_Auto X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Jurlbl\.Auto/i
score SPAMVIRUSJurlbl_Auto 3.0
#SaneSecurity Signature (phish.ndb)
header SPAMVIRUSDoc X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Doc/i
score SPAMVIRUSDoc 3.0
header SPAMVIRUSFake X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Fake/i
score SPAMVIRUSFake 3.0
header SPAMVIRUSPhishing_Auction X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Auction/i
score SPAMVIRUSPhishing_Auction 3.0
header SPAMVIRUSPhishing_Azon X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Azon/i
score SPAMVIRUSPhishing_Azon 3.0
header SPAMVIRUSPhishing_Bank X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Bank/i
score SPAMVIRUSPhishing_Bank 3.0
header SPAMVIRUSPhishing_Card X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Card/i
score SPAMVIRUSPhishing_Card 3.0
header SPAMVIRUSPhishing_Cur X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Cur/i
score SPAMVIRUSPhishing_Cur 3.0
header SPAMVIRUSPhishing_Dca X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Dca/i
score SPAMVIRUSPhishing_Dca 3.0
header SPAMVIRUSPhishing_Fake X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Fake/i
score SPAMVIRUSPhishing_Fake 3.0
header SPAMVIRUSPhishing_GiftCard X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.GiftCard/i
score SPAMVIRUSPhishing_GiftCard 3.0
header SPAMVIRUSPhishing_Hex X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Hex/i
score SPAMVIRUSPhishing_Hex 3.0
header SPAMVIRUSPhishing_Ivt X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Ivt/i
score SPAMVIRUSPhishing_Ivt 3.0
header SPAMVIRUSPhishing_Jsc X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Jsc/i
score SPAMVIRUSPhishing_Jsc 3.0
header SPAMVIRUSPhishing_Nam X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Nam/i
score SPAMVIRUSPhishing_Nam 3.0
header SPAMVIRUSPhishing_Onf X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Onf/i
score SPAMVIRUSPhishing_Onf 3.0
header SPAMVIRUSPhishing_Pay X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Pay/i
score SPAMVIRUSPhishing_Pay 3.0
header SPAMVIRUSPhishing_Rdi X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Rdi/i
score SPAMVIRUSPhishing_Rdi 3.0
header SPAMVIRUSPhishing_Rock X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Rock/i
score SPAMVIRUSPhishing_Rock 3.0
header SPAMVIRUSPhishing_RockGen X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.RockGen/i
score SPAMVIRUSPhishing_RockGen 3.0
header SPAMVIRUSPhishing_Shop X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Shop/i
score SPAMVIRUSPhishing_Shop 3.0
header SPAMVIRUSPhishing_Slw X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Slw/i
score SPAMVIRUSPhishing_Slw 3.0
header SPAMVIRUSPhishing_Url X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Url/i
score SPAMVIRUSPhishing_Url 3.0
header SPAMVIRUSPhishing_Wrd X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Wrd/i
score SPAMVIRUSPhishing_Wrd 3.0
header SPAMVIRUSPhishingTestSig X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity\.PhishingTestSig/i
score SPAMVIRUSPhishingTestSig 3.0
header SPAMVIRUSTestSig_Type3_Bdy X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type3_Bdy/i
score SPAMVIRUSTestSig_Type3_Bdy 3.0
header SPAMVIRUSTestSig_Type4_Bdy X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Bdy/i
score SPAMVIRUSTestSig_Type4_Bdy 3.0
header SPAMVIRUSTestSig_Type4_Hdr X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Hdr/i
score SPAMVIRUSTestSig_Type4_Hdr 3.0
#SaneSecurity Signature (scam.ndb)
header SPAMVIRUSSpam X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Spam/i
score SPAMVIRUSSpam 3.0
header SPAMVIRUSCred X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Cred/i
score SPAMVIRUSCred 3.0
header SPAMVIRUSDipl X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Dipl/i
score SPAMVIRUSDipl 3.0
header SPAMVIRUSHdr X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Hdr/i
score SPAMVIRUSHdr 3.0
header SPAMVIRUSImg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Img/i
score SPAMVIRUSImg 3.0
header SPAMVIRUSJob X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Job/i
score SPAMVIRUSJob 3.0
header SPAMVIRUSLoan X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Loan/i
score SPAMVIRUSLoan 3.0
header SPAMVIRUSPorn X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Porn/i
score SPAMVIRUSPorn 3.0
header SPAMVIRUSImgo X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Imgo/i
score SPAMVIRUSImgo 3.0
header SPAMVIRUSScam4 X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Scam4/i
score SPAMVIRUSScam4 3.0
header SPAMVIRUSScamL X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.ScamL/i
score SPAMVIRUSScamL 3.0
header SPAMVIRUSStk X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Stk/i
score SPAMVIRUSStk 3.0
header SPAMVIRUSTestSig X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.TestSig/i
score SPAMVIRUSTestSig 3.0
#SaneSecurity Signature (junk.ndb)
header SPAMVIRUSJunk X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Junk/i
score SPAMVIRUSJunk 3.0
#SaneSecurity Signature (rogue.hdb)
header SPAMVIRUSRogue X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Rogue/i
score SPAMVIRUSRogue 3.0
header SPAMVIRUSTrojan X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Trojan/i
score SPAMVIRUSTrojan 3.0
#SaneSecurity Signature (lott.ndb)
header SPAMVIRUSLott X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Lott/i
score SPAMVIRUSLott 3.0
#SaneSecurity Signature (spear.ndb)
header SPAMVIRUSSpear X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Spear/i
score SPAMVIRUSSpear 3.0
#SaneSecurity Signature (spamimg.hdb)
header SPAMVIRUSSpamImg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.SpamImg/i
score SPAMVIRUSSpamImg 3.0
#SaneSecurity Signature (spam.ldb)
header SPAMVIRUSSpam_ldb X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity\.Spam\.ldb/i
score SPAMVIRUSSpam_ldb 3.0
... if it helps.
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Hugo
van der Kooij
Sent: 21 October 2009 06:11
To: mailscanner at lists.mailscanner.info
Subject: Re: SPAMVIRUS Feature Question
On 10/20/09 22:45, Jonas A. Larsen wrote:
> I can only second the wish for a way to have the sigs that hit turn up in
> our stats/mailwatch, something that lets us monitor the effectiveness of it.
>
> However since I was an early adopter of the new feature I'm not sure how it
> would work.
>
> You could do it today by writing a ton of sa rules (1 for each signature)
> but that would be a mess.
>
> An ugly hack fix would be to parse the log files (where message id and sig
> name is parseable), and then make a script that inserted the sig name into
> the corresponding row in the mailwatch db. But as I said, that would be
> really ugly :)
>
> I'd love to hear other people's take on this, not to mention Julian's :)
You mean something like this?
--------------------- MailScanner Begin ------------------------
MailScanner Status:
779 messages Scanned by MailScanner
9.8 Total MB
206 Spam messages detected by MailScanner
193 Spam messages with action(s) store
13 Spam messages with action(s) store,deliver,header
6 hits from MailScanner SpamAssassin cache
10 Viruses found by MailScanner
4 Banned attachments found by MailScanner
13 Content Problems found by MailScanner
584 Messages delivered by MailScanner
779 Messages logged to MailWatch database
6 SpamAssassin timeout(s)
Virus Sender Report: (Total Seen = 5)
: 3 Time(s)
81.252.202.129 : 2 Time(s)
Spam Whitelisted Host Report: (Total Seen = 452)
127.0.0.1 (forum-bounces at sixxs.net): 5 Time(s)
194.109.142.194 (clamav-virusdb-bounces at lists.clamav.net): 26 Time(s)
209.132.177.33 (fedora-package-announce-bounces at redhat.com): 199 Time(s)
213.136.17.26 (linux-bounce at lists.nllgg.nl): 10 Time(s)
216.200.241.73 (owner-fw-1-mailinglist at amadeus.us.checkpoint.com): 47 Time(s)
216.34.181.88 (simple-evcorr-users-bounces at lists.sourceforge.net): 2 Time(s)
72.26.200.202 (centos-announce-bounces at centos.org): 8 Time(s)
83.98.192.7 (mailscanner-bounces at lists.mailscanner.info): 126 Time(s)
85.13.226.40 (users-bounces at lists.rpmforge.net): 19 Time(s)
85.17.220.216 (pdns-users-bounces at mailman.powerdns.com): 10 Time(s)
RBL Report: (Total Seen = 120)
spamhaus-ZEN : 105 Time(s)
spamhaus-ZEN, RBL-JP : 3 Time(s)
spamhaus-ZEN, RBL-KR : 12 Time(s)
Content Report: (Total Seen = 13)
iframe, script, form, form input tags: 1 Time(s)
phishing tags: 5 Time(s)
web bug tags: 5 Time(s)
web bug, form, form input tags: 1 Time(s)
web bug, phishing tags: 1 Time(s)
Banned Filename Report: (Total Seen = 2)
windows/dos executable (document.htm -space- .exe) : 1 Time(s)
windows/dos executable (document.pdf -space- .exe) : 1 Time(s)
Banned Filetype Report: (Total Seen = 2)
no executables (document.htm -space- .exe) : 1 Time(s)
no executables (document.pdf -space- .exe) : 1 Time(s)
Phishing Report: (Total Seen = 11)
HTML <FORM> tag report: (Total Seen = 4)
invitations at twitter.com : 1 Time(s)
postmaster at vanderkooij.org : 2 Time(s)
unive at emessaging.nl : 1 Time(s)
HTML <SCRIPT> tag report: (Total Seen = 1)
invitations at twitter.com : 1 Time(s)
HTML <IFRAME> tag report: (Total Seen = 1)
invitations at twitter.com : 1 Time(s)
HTML <IMG> tag report: (Total Seen = 125)
Details Suppressed at level 0. Level 10 required.
**Unmatched Entries**
Whitelist refresh time reached : 282 Time(s)
Virus Scanning: F-Prot6 found 1 infections : 2 Time(s)
/8C98517E900A.8E49E/document.pdf.exe Found the Generic.dx!fpw trojan !!! : 1 Time(s)
[Found possible security risk] <W32/Heuristic-200!Eldorado (not disinfectable)> ./8C98517E900A.8E49E.message->Invitation Card.zip->document.pdf .exe : 1 Time(s)
./8C98517E900A.8E49E/Invitation Card.zip: Suspect.DoubleExtension-zippwd-7 FOUND : 1 Time(s)
./8C98517E900A.8E49E.message: Suspect.DoubleExtension-zippwd-7 FOUND : 1 Time(s)
/ECA3A17E8F7E.1660C.message/Shipping documents.zip/document.htm .exe Found the Generic.dx!fpw trojan !!! : 1 Time(s)
/ECA3A17E8F7E.1660C/document.htm.exe Found the Generic.dx!fpw trojan !!! : 1 Time(s)
[Found possible security risk] <W32/Heuristic-200!Eldorado (not disinfectable)> ./ECA3A17E8F7E.1660C.message->Shipping documents.zip->document.htm .exe : 1 Time(s)
/8C98517E900A.8E49E/Invitation Card.zip/document.pdf .exe Found the Generic.dx!fpw trojan !!! : 1 Time(s)
/8C98517E900A.8E49E.message/Invitation Card.zip/document.pdf .exe Found the Generic.dx!fpw trojan !!! : 1 Time(s)
/ECA3A17E8F7E.1660C/Shipping documents.zip/document.htm .exe Found the Generic.dx!fpw trojan !!! : 1 Time(s)
---------------------- MailScanner End -------------------------
From the logwatch parser (that I definitely need to improve upon).
Hugo
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
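Added example, not code from this thread: a small generator for the "one SpamAssassin rule per signature" approach that Jonas describes and Richard's rules above implement, plus a check of which rules a given SpamVirus report value would fire. The header name is taken from Richard's rules; the family list is a subset of the ones he posted, and the sample report values are constructed.

```python
import re

# Header name from Richard's rules above (the %org-name% part is FastNet's).
HEADER = "X-FastNet-MailScanner-SpamVirus-Report"

# Subset of the signature families from the post: family -> SaneSecurity file.
FAMILIES = {
    "SaneSecurity.Jurlbl.Auto": "jurlbl.ndb",
    "SaneSecurity.Phishing.Bank": "phish.ndb",
    "Sanesecurity.Scam4": "scam.ndb",
    "Sanesecurity.Rogue": "rogue.hdb",
    "Sanesecurity.Spam.ldb": "spam.ldb",
}


def rule_name(family):
    """Derive a SpamAssassin rule name from a signature family.

    Rule names may only contain letters, digits and '_', so the vendor
    prefix is dropped and every other character is mapped to '_'.
    """
    short = re.sub(r"^sanesecurity\.", "", family, flags=re.IGNORECASE)
    return "SPAMVIRUS_" + re.sub(r"[^A-Za-z0-9_]", "_", short).upper()


def generate_rules(families, header=HEADER, score=3.0):
    """Emit header/describe/score lines, one rule per family.

    re.escape() turns each '.' into '\\.' so the rule matches the literal
    family name and not 'SaneSecurityXPhishingXBank' as an unescaped
    pattern would. Every rule stays on a single line, as SA requires.
    """
    lines = []
    for family, db in families.items():
        name = rule_name(family)
        lines.append(f"# SaneSecurity signature ({db})")
        lines.append(f"header {name} {header} =~ /{re.escape(family)}/i")
        lines.append(f"describe {name} MailScanner SpamVirus hit: {family}")
        lines.append(f"score {name} {score:.1f}")
    return lines


def hits(report_value, families):
    """Return the rule names whose pattern matches one SpamVirus report
    header value, i.e. what SA would fire for that message. Used here to
    check the generated patterns against constructed sample values."""
    return [rule_name(f) for f in families
            if re.search(re.escape(f), report_value, re.IGNORECASE)]
```

Running `hits("Sanesecurity.Phishing.Bank.6421.UNOFFICIAL", FAMILIES)` on that constructed value returns only the Phishing.Bank rule; per-rule hit counts then show up in the normal SpamAssassin report and in MailWatch without any log parsing.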