SPAMVIRUS Feature Question

Jonas A. Larsen jonas at vrt.dk
Thu Oct 22 21:13:25 IST 2009


Hi Richard

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Richard Mealing
> Sent: 21. oktober 2009 10:15
> To: MailScanner discussion
> Subject: RE: SPAMVIRUS Feature Question
> 
> Hi,
> 
> Not sure if this will help anyone, but I already did write a ton of
> rules with the help of Jules...
> 
> #Sanesecurity Signature (jurlbl.ndb)
> header SPAMVIRUSJurlbl.Auto X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Jurlbl.Auto/i
> score SPAMVIRUSJurlbl.Auto 3.0
> 
> #SaneSecurity Signature (phish.ndb)
> header SPAMVIRUSDoc X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Doc/i
> score SPAMVIRUSDoc 3.0
> header SPAMVIRUSFake X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Fake/i
> score SPAMVIRUSFake 3.0
> header SPAMVIRUSPhishing.Auction X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Auction/i
> score SPAMVIRUSPhishing.Auction 3.0
> header SPAMVIRUSPhishing.Azon X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Azon/i
> score SPAMVIRUSPhishing.Azon 3.0
> header SPAMVIRUSPhishing.Bank X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Bank/i
> score SPAMVIRUSPhishing.Bank 3.0
> header SPAMVIRUSPhishing.Card X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Card/i
> score SPAMVIRUSPhishing.Card 3.0
> header SPAMVIRUSPhishing.Cur X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Cur/i
> score SPAMVIRUSPhishing.Cur 3.0
> header SPAMVIRUSPhishing.Dca X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Dca/i
> score SPAMVIRUSPhishing.Dca 3.0
> header SPAMVIRUSPhishing.Fake X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Fake/i
> score SPAMVIRUSPhishing.Fake 3.0
> header SPAMVIRUSPhishing.GiftCard X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.GiftCard/i
> score SPAMVIRUSPhishing.GiftCard 3.0
> header SPAMVIRUSPhishing.Hex X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Hex/i
> score SPAMVIRUSPhishing.Hex 3.0
> header SPAMVIRUSPhishing.Ivt X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Ivt/i
> score SPAMVIRUSPhishing.Ivt 3.0
> header SPAMVIRUSPhishing.Jsc X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Jsc/i
> score SPAMVIRUSPhishing.Jsc 3.0
> header SPAMVIRUSPhishing.Nam X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Nam/i
> score SPAMVIRUSPhishing.Nam 3.0
> header SPAMVIRUSPhishing.Onf X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Onf/i
> score SPAMVIRUSPhishing.Onf 3.0
> header SPAMVIRUSPhishing.Pay X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Pay/i
> score SPAMVIRUSPhishing.Pay 3.0
> header SPAMVIRUSPhishing.Rdi X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Rdi/i
> score SPAMVIRUSPhishing.Rdi 3.0
> header SPAMVIRUSPhishing.Rock X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Rock/i
> score SPAMVIRUSPhishing.Rock 3.0
> header SPAMVIRUSPhishing.RockGen X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.RockGen/i
> score SPAMVIRUSPhishing.RockGen 3.0
> header SPAMVIRUSPhishing.Shop X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Shop/i
> score SPAMVIRUSPhishing.Shop 3.0
> header SPAMVIRUSPhishing.Slw X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Slw/i
> score SPAMVIRUSPhishing.Slw 3.0
> header SPAMVIRUSPhishing.Url X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Url/i
> score SPAMVIRUSPhishing.Url 3.0
> header SPAMVIRUSPhishing.Wrd X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Wrd/i
> score SPAMVIRUSPhishing.Wrd 3.0
> header SPAMVIRUSPhishingTestSig X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.PhishingTestSig/i
> score SPAMVIRUSPhishingTestSig 3.0
> header SPAMVIRUSTestSig_Type3_Bdy X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type3_Bdy/i
> score SPAMVIRUSTestSig_Type3_Bdy 3.0
> header SPAMVIRUSTestSig_Type4_Bdy X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Bdy/i
> score SPAMVIRUSTestSig_Type4_Bdy 3.0
> header SPAMVIRUSTestSig_Type4_Hdr X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Hdr/i
> score SPAMVIRUSTestSig_Type4_Hdr 3.0
> 
> #SaneSecurity Signature (scam.ndb)
> header SPAMVIRUSSpam X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam/i
> score SPAMVIRUSSpam 3.0
> header SPAMVIRUSCred X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Cred/i
> score SPAMVIRUSCred 3.0
> header SPAMVIRUSDipl X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Dipl/i
> score SPAMVIRUSDipl 3.0
> header SPAMVIRUSHdr X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Hdr/i
> score SPAMVIRUSHdr 3.0
> header SPAMVIRUSImg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Img/i
> score SPAMVIRUSImg 3.0
> header SPAMVIRUSJob X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Job/i
> score SPAMVIRUSJob 3.0
> header SPAMVIRUSLoan X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Loan/i
> score SPAMVIRUSLoan 3.0
> header SPAMVIRUSPorn X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Porn/i
> score SPAMVIRUSPorn 3.0
> header SPAMVIRUSImgo X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Imgo/i
> score SPAMVIRUSImgo 3.0
> header SPAMVIRUSScam4 X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Scam4/i
> score SPAMVIRUSScam4 3.0
> header SPAMVIRUSScamL X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.ScamL/i
> score SPAMVIRUSScamL 3.0
> header SPAMVIRUSStk X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Stk/i
> score SPAMVIRUSStk 3.0
> header SPAMVIRUSTestSig X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.TestSig/i
> score SPAMVIRUSTestSig 3.0
> 
> #SaneSecurity Signature (junk.ndb)
> header SPAMVIRUSJunk X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Junk/i
> score SPAMVIRUSJunk 3.0
> 
> #SaneSecurity Signature (rogue.hdb)
> header SPAMVIRUSRogue X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Rogue/i
> score SPAMVIRUSRogue 3.0
> header SPAMVIRUSTrogan X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Trojan/i
> score SPAMVIRUSTrogan 3.0
> 
> #SaneSecurity Signature (lott.ndb)
> header SPAMVIRUSLott X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Lott/i
> score SPAMVIRUSLott 3.0
> 
> #SaneSecurity Signature (spear.ndb)
> header SPAMVIRUSSpear X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spear/i
> score SPAMVIRUSSpear 3.0
> 
> #SaneSecurity Signature (spamimg.hdb)
> header SPAMVIRUSSpamImg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.SpamImg/i
> score SPAMVIRUSSpamImg 3.0
> 
> #SaneSecurity Signature (spam.ldb)
> header SPAMVIRUSSpam.ldg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam.ldb/i
> score SPAMVIRUSSpam.ldg 3.0
> 
> 
> ... if it helps.
> 


I'm horribly busy at work atm, so I have not read your SA rules in detail,
but I can guess what you're doing; this is definitely better than the normal
"1 rule for all 3rd-party sigs" setup.

However, it is a bit of a painful way to do it, since you would have to keep
it updated for each signature source you add, not to mention it's always a
generalization since you're matching fragments/"families" of either signature
DBs or phishing/virus families.

It would be neat if there was some way to just grab whatever clamd calls the
signature/virus and somehow auto-generate SA rules for them (in a
performance-friendly manner).

Without having read all your rules in detail, I assume there's a generic one
somewhere that scores stuff that isn't matched by your more specific rules?
(Unless you wrote specific rules for all your signature bases.)


However, as I started out saying, it's definitely an improvement, and I'll
implement your rules in my own setup when time allows it.

Best regards

Jonas Larsen
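The two ideas in Jonas's reply, generating the per-family SA rules from whatever names clamd reports instead of maintaining them by hand, and having a generic rule that only scores signatures no specific rule matched, can be combined in one small generator. The script below is an added example and is not code from this thread, from MailScanner or from SpamAssassin. It assumes a signature listing in the one-name-per-line shape ClamAV's `sigtool --list-sigs` prints (the listing here is constructed), that MailScanner writes the signature name into the `X-FastNet-MailScanner-SpamVirus-Report` header exactly as Richard's rules expect, and that Sanesecurity names follow the `Vendor.Family.Sub.<id>.UNOFFICIAL` pattern. The rule names, the `_OTHER` meta rule and its score of 1.0 are the example's own choices.

```python
import re

# Header written by MailScanner in Richard's setup (taken from his rules above).
SPAMVIRUS_HEADER = "X-FastNet-MailScanner-SpamVirus-Report"
VENDOR = "Sanesecurity"   # assumed vendor prefix of the third-party signatures
FAMILY_SCORE = 3.0        # the score Richard gives every family rule
OTHER_SCORE = 1.0         # assumed score for signatures no family rule covers

# Constructed sample listing in the shape of `sigtool --list-sigs` output.
# These are not real signature names.
SAMPLE_SIGNATURE_NAMES = """\
Sanesecurity.Phishing.Bank.1234.UNOFFICIAL
Sanesecurity.Phishing.Bank.1235.UNOFFICIAL
Sanesecurity.Phishing.Card.77.UNOFFICIAL
Sanesecurity.Junk.9001.UNOFFICIAL
Sanesecurity.Jurlbl.Auto.5.UNOFFICIAL
Sanesecurity.Spam.ldb.12.UNOFFICIAL
Sanesecurity.SpamImg.3.UNOFFICIAL
"""

ANY_RULE = "__SPAMVIRUS_" + VENDOR + "_ANY"      # leading "__": scoreless sub-rule
OTHER_RULE = "SPAMVIRUS_" + VENDOR + "_OTHER"    # meta rule: vendor hit, no family hit


def signature_family(name):
    """Reduce 'Vendor.Family.Sub.1234.UNOFFICIAL' to 'Vendor.Family.Sub'."""
    parts = name.strip().split(".")
    if parts and parts[-1].upper() == "UNOFFICIAL":
        parts.pop()
    while len(parts) > 1 and parts[-1].isdigit():
        parts.pop()
    return ".".join(parts)


def rule_name(family):
    """Rule name restricted to letters, digits and underscores."""
    return "SPAMVIRUS_" + re.sub(r"[^A-Za-z0-9_]", "_", family)


def family_regex(family):
    # Escape the dots and anchor on the numeric id that follows the family, so a
    # rule for Sanesecurity.Spam does not also fire on Sanesecurity.Spam.ldb or
    # Sanesecurity.SpamImg. The escapes used are valid in both Perl and Python.
    return r"\b" + re.escape(family) + r"\.\d+"


def families_from_listing(listing):
    """Distinct families in the listing, in first-seen order."""
    seen = []
    for line in listing.splitlines():
        if line.strip():
            fam = signature_family(line)
            if fam not in seen:
                seen.append(fam)
    return seen


def generate_rules(listing):
    """(rule_name, regex, score) per family, plus the scoreless vendor-wide sub-rule."""
    rules = [(rule_name(f), family_regex(f), FAMILY_SCORE)
             for f in families_from_listing(listing)]
    rules.append((ANY_RULE, r"\b" + re.escape(VENDOR) + r"\.", 0.0))
    return rules


def render_cf(rules):
    """Render the rules in SpamAssassin .cf syntax."""
    out, family_names = [], []
    for name, regex, score in rules:
        out.append("header %s %s =~ /%s/i" % (name, SPAMVIRUS_HEADER, regex))
        if not name.startswith("__"):
            out.append("score %s %.1f" % (name, score))
            family_names.append(name)
    # Generic fallback: the vendor sub-rule fired but no family rule did.
    out.append("meta %s %s && !(%s)" % (OTHER_RULE, ANY_RULE, " || ".join(family_names)))
    out.append("score %s %.1f" % (OTHER_RULE, OTHER_SCORE))
    return "\n".join(out) + "\n"


def evaluate(rules, header_value):
    """Rules that would fire on one header value, and their total score."""
    hits = [n for n, rx, _ in rules if re.search(rx, header_value, re.IGNORECASE)]
    fired = [n for n in hits if not n.startswith("__")]
    total = sum(s for n, _, s in rules if n in fired)
    if ANY_RULE in hits and not fired:      # the meta rule's condition
        fired.append(OTHER_RULE)
        total += OTHER_SCORE
    return fired, total


if __name__ == "__main__":
    generated = generate_rules(SAMPLE_SIGNATURE_NAMES)
    print(render_cf(generated))
    for value in ("Sanesecurity.Phishing.Bank.1234.UNOFFICIAL",
                  "Sanesecurity.Lott.42.UNOFFICIAL"):
        print(value, "->", evaluate(generated, value))
```

Regenerating the `.cf` whenever the signature databases are refreshed keeps the rule set in step with each signature source, which is the maintenance cost Jonas points at. Note also that Richard's unescaped, unanchored patterns such as `/Sanesecurity.Spam/i` match `Sanesecurity.SpamImg` and `Sanesecurity.Spam.ldb` as well, so one detection can add up several 3.0 scores; the `\.\d+` anchor above is what prevents that.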


