SPAMVIRUS Feature Question
Jonas A. Larsen
jonas at vrt.dk
Thu Oct 22 21:13:25 IST 2009
Hi Richard
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Richard Mealing
> Sent: 21. oktober 2009 10:15
> To: MailScanner discussion
> Subject: RE: SPAMVIRUS Feature Question
>
> Hi,
>
> Not sure if this will help anyone, but I already did write a ton of
> rules with the help of Jules...
>
> #Sanesecurity Signature (jurlbl.ndb)
> header SPAMVIRUSJurlbl.Auto X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Jurlbl.Auto/i
> score SPAMVIRUSJurlbl.Auto 3.0
>
> #SaneSecurity Signature (phish.ndb)
> header SPAMVIRUSDoc X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Doc/i
> score SPAMVIRUSDoc 3.0
> header SPAMVIRUSFake X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Fake/i
> score SPAMVIRUSFake 3.0
> header SPAMVIRUSPhishing.Auction X-FastNet-MailScanner-SpamVirus-Report
> =~ /SaneSecurity.Phishing.Auction/i
> score SPAMVIRUSPhishing.Auction 3.0
> header SPAMVIRUSPhishing.Azon X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Azon/i
> score SPAMVIRUSPhishing.Azon 3.0
> header SPAMVIRUSPhishing.Bank X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Bank/i
> score SPAMVIRUSPhishing.Bank 3.0
> header SPAMVIRUSPhishing.Card X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Card/i
> score SPAMVIRUSPhishing.Card 3.0
> header SPAMVIRUSPhishing.Cur X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Cur/i
> score SPAMVIRUSPhishing.Cur 3.0
> header SPAMVIRUSPhishing.Dca X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Dca/i
> score SPAMVIRUSPhishing.Dca 3.0
> header SPAMVIRUSPhishing.Fake X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Fake/i
> score SPAMVIRUSPhishing.Fake 3.0
> header SPAMVIRUSPhishing.GiftCard X-FastNet-MailScanner-SpamVirus-
> Report
> =~ /SaneSecurity.Phishing.GiftCard/i
> score SPAMVIRUSPhishing.GiftCard 3.0
> header SPAMVIRUSPhishing.Hex X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Hex/i
> score SPAMVIRUSPhishing.Hex 3.0
> header SPAMVIRUSPhishing.Ivt X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Ivt/i
> score SPAMVIRUSPhishing.Ivt 3.0
> header SPAMVIRUSPhishing.Jsc X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Jsc/i
> score SPAMVIRUSPhishing.Jsc 3.0
> header SPAMVIRUSPhishing.Nam X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Nam/i
> score SPAMVIRUSPhishing.Nam 3.0
> header SPAMVIRUSPhishing.Onf X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Onf/i
> score SPAMVIRUSPhishing.Onf 3.0
> header SPAMVIRUSPhishing.Pay X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Pay/i
> score SPAMVIRUSPhishing.Pay 3.0
> header SPAMVIRUSPhishing.Rdi X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Rdi/i
> score SPAMVIRUSPhishing.Rdi 3.0
> header SPAMVIRUSPhishing.Rock X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Rock/i
> score SPAMVIRUSPhishing.Rock 3.0
> header SPAMVIRUSPhishing.RockGen X-FastNet-MailScanner-SpamVirus-Report
> =~ /SaneSecurity.Phishing.RockGen/i
> score SPAMVIRUSPhishing.RockGen 3.0
> header SPAMVIRUSPhishing.Shop X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Shop/i
> score SPAMVIRUSPhishing.Shop 3.0
> header SPAMVIRUSPhishing.Slw X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Slw/i
> score SPAMVIRUSPhishing.Slw 3.0
> header SPAMVIRUSPhishing.Url X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Url/i
> score SPAMVIRUSPhishing.Url 3.0
> header SPAMVIRUSPhishing.Wrd X-FastNet-MailScanner-SpamVirus-Report =~
> /SaneSecurity.Phishing.Wrd/i
> score SPAMVIRUSPhishing.Wrd 3.0
> header SPAMVIRUSPhishingTestSig X-FastNet-MailScanner-SpamVirus-Report
> =~ /SaneSecurity.PhishingTestSig/i
> score SPAMVIRUSPhishingTestSig 3.0
> header SPAMVIRUSTestSig_Type3_Bdy X-FastNet-MailScanner-SpamVirus-
> Report
> =~ /TestSig_Type3_Bdy/i
> score SPAMVIRUSTestSig_Type3_Bdy 3.0
> header SPAMVIRUSTestSig_Type4_Bdy X-FastNet-MailScanner-SpamVirus-
> Report
> =~ /TestSig_Type4_Bdy/i
> score SPAMVIRUSTestSig_Type4_Bdy 3.0
> header SPAMVIRUSTestSig_Type4_Hdr X-FastNet-MailScanner-SpamVirus-
> Report
> =~ /TestSig_Type4_Hdr/i
> score SPAMVIRUSTestSig_Type4_Hdr 3.0
>
> #SaneSecurity Signature (scam.ndb)
> header SPAMVIRUSSpam X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Spam/i
> score SPAMVIRUSSpam 3.0
> header SPAMVIRUSCred X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Cred/i
> score SPAMVIRUSCred 3.0
> header SPAMVIRUSDipl X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Dipl/i
> score SPAMVIRUSDipl 3.0
> header SPAMVIRUSHdr X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Hdr/i
> score SPAMVIRUSHdr 3.0
> header SPAMVIRUSImg X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Img/i
> score SPAMVIRUSImg 3.0
> header SPAMVIRUSJob X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Job/i
> score SPAMVIRUSJob 3.0
> header SPAMVIRUSLoan X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Loan/i
> score SPAMVIRUSLoan 3.0
> header SPAMVIRUSPorn X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Porn/i
> score SPAMVIRUSPorn 3.0
> header SPAMVIRUSImgo X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Imgo/i
> score SPAMVIRUSImgo 3.0
> header SPAMVIRUSScam4 X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Scam4/i
> score SPAMVIRUSScam4 3.0
> header SPAMVIRUSScamL X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.ScamL/i
> score SPAMVIRUSScamL 3.0
> header SPAMVIRUSStk X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Stk/i
> score SPAMVIRUSStk 3.0
> header SPAMVIRUSTestSig X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.TestSig/i
> score SPAMVIRUSTestSig 3.0
>
> #SaneSecurity Signature (junk.ndb)
> header SPAMVIRUSJunk X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Junk/i
> score SPAMVIRUSJunk 3.0
>
> #SaneSecurity Signature (rogue.hdb)
> header SPAMVIRUSRogue X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Rogue/i
> score SPAMVIRUSRogue 3.0
> header SPAMVIRUSTrogan X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Trojan/i
> score SPAMVIRUSTrogan 3.0
>
> #SaneSecurity Signature (lott.ndb)
> header SPAMVIRUSLott X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Lott/i
> score SPAMVIRUSLott 3.0
>
> #SaneSecurity Signature (spear.ndb)
> header SPAMVIRUSSpear X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Spear/i
> score SPAMVIRUSSpear 3.0
>
> #SaneSecurity Signature (spamimg.hdb)
> header SPAMVIRUSSpamImg X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.SpamImg/i
> score SPAMVIRUSSpamImg 3.0
>
> #SaneSecurity Signature (spam.ldb)
> header SPAMVIRUSSpam.ldg X-FastNet-MailScanner-SpamVirus-Report =~
> /Sanesecurity.Spam.ldb/i
> score SPAMVIRUSSpam.ldg 3.0
>
>
> ... if it helps.
>
Im horribly busy at work atm, so I have not read your SA rules in detail,
but I can guess what your doing, this is definitely better than the normal
"1 rule for all 3rdparty sigs setup"
However it is a bit of a painfull way to do it, since u would have to keep
it update for each signature source u add, not to mention its always a
generalization since ur matching fragments/"families" og either signature
db's or phishing/virus families.
It would be neat if there was someway to just grab whatever clamd calls the
signature/virus and somehow auto generate sa rules for them (in a
performance friendly manner)
Without having read all ur rules in detail, I assume there's a generic one
somewhere that scores stuff that isn't matched by your more specific rules?
(Unless you wrote specific rules for all your signature bases)
However as I started out saying, its definitely an improvement, and ile
implement ur rules in my own setup, when time allows it.
Best regards
Jonas Larsen
More information about the MailScanner
mailing list