Koozali.org: home of the SME Server

Phishing and Scam Signatures for ClamAV

Offline william_syd

  • ****
  • 1,608
  • +0/-0
  • Nothing to see here.
    • http://www.magicwilly.info
Phishing and Scam Signatures for ClamAV
« on: July 21, 2007, 03:12:28 PM »
Anybody using the signatures from...

http://sanesecurity.co.uk/clamav/
Regards,
William

IF I give advise.. It's only if it was me....

Offline Paul Howard

  • 17
  • +0/-0
    • The Devil Wears A Mechanical Heart
Re: Phishing and Scam Signatures for ClamAV
« Reply #1 on: September 08, 2008, 05:42:50 PM »
I have manually added the Phishing Signatures today to see how they perform.

Being a linux newbie I wasn't entirely sure whether to have a go with the auto update script and take my life in my hands on a production server since I don't have a spare box for testing. So played safe.

On a side note, I did try and enter phishing signatures manually before finding / implementing the sanesecurity list but couldn't get ClamAV to match them to the emails for some reason beyond me although it was reading the database.

 







Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: Phishing and Scam Signatures for ClamAV
« Reply #2 on: September 08, 2008, 08:30:32 PM »
If you look at the DB then it seem pretty old = outdated. I am not so sure that it has real value anymore. Without having tried then I think the database from http://www.malware.com.br/ is more up-to-date even though it is a malware DB.

Offline Stefano

  • *
  • 10,820
  • +1/-0
Re: Phishing and Scam Signatures for ClamAV
« Reply #3 on: September 08, 2008, 10:36:52 PM »
Hi

I'm using signatures from sanesecurity on 5 of my servers.. nothing to say, they work..

Ciao
Stefano

Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: Phishing and Scam Signatures for ClamAV
« Reply #4 on: September 08, 2008, 11:13:42 PM »
Interesting - and they catch something that SpamAssassin/ClamAV would not catch on their own?

Have you used both the Scam and the Phishing signatures? What about the MSRBL signatures for images and Spam?

Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: Phishing and Scam Signatures for ClamAV
« Reply #5 on: September 09, 2008, 10:02:37 AM »
Well I have now also downloaded and installed the various signatures and clam seems to understand them. The download script from the sanesecurity.com site seem to work well with my SME 7.3 after a minor modification.

Micro Howto:
Code: [Select]
cd /etc/cron.daily
wget  http://www.sanesecurity.com/clamav/update_sanesecurity.txt
mv update_sanesecurity.txt update_sanesecurity.sh
chmod +x update_sanesecurity.sh

You need to make a small manual modification. Find the line:

Code: [Select]
unprivileged_user=${sigfile_owner_and_group%:*}
and comment it out:
Code: [Select]
# unprivileged_user=${sigfile_owner_and_group%:*}
You can now run it the first with debug enabled to see that all is OK:
Code: [Select]
./update_sanesecurity.sh -d
Your output should look something like this (even though yours will hopefully be updated)

Code: [Select]
[root@maildk cron.daily]# ./update_sanesecurity.sh -d
update_sanesecurity: [debug] Debug mode is ON
update_sanesecurity: [debug] Starting.
update_sanesecurity: [debug] Created temporary directory: '/tmp/update_sanesecurity.OmA30589'
update_sanesecurity: [debug] Checking for ClamAV database directory...
update_sanesecurity: [debug] Found ClamAV database directory: /var/clamav
update_sanesecurity: [debug] PHISH_SIGS    : http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
update_sanesecurity: [debug] SCAM_SIGS     : http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
update_sanesecurity: [debug] SPAM_SIGS     : rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
update_sanesecurity: [debug] IMAGE_SIGS    : rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
update_sanesecurity: [debug] ClamScan      : /usr/bin/clamscan
update_sanesecurity: [debug] CURL          : /usr/bin/curl
update_sanesecurity: [debug] GunZip        : /bin/gunzip
update_sanesecurity: [debug] RSync         : /usr/bin/rsync
update_sanesecurity: [debug] ClamAV db dir : /var/clamav
update_sanesecurity: [debug] temp dir      : /tmp/update_sanesecurity.OmA30589
update_sanesecurity: [debug] Created temporary directory: '/tmp/update_sanesecurity.jqP30690'
update_sanesecurity: [debug] Checking for ClamAV database directory...
update_sanesecurity: [debug] Found ClamAV database directory: /var/clamav
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/scam.ndb.gz'
update_sanesecurity: [info] '/var/clamav/scam.ndb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/scam.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/phish.ndb.gz'
update_sanesecurity: [info] '/var/clamav/phish.ndb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/phish.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/MSRBL-SPAM.ndb'
update_sanesecurity: [info] '/var/clamav/MSRBL-SPAM.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/MSRBL-Images.hdb'
update_sanesecurity: [info] '/var/clamav/MSRBL-Images.hdb' was NOT updated
update_sanesecurity: [debug] Exiting.


« Last Edit: September 09, 2008, 10:26:51 AM by Knuddi »

Offline Paul Howard

  • 17
  • +0/-0
    • The Devil Wears A Mechanical Heart
Re: Phishing and Scam Signatures for ClamAV
« Reply #6 on: September 09, 2008, 10:32:33 AM »
Thanks Knuddi, much appreciated for the howto.  :pint:

I will give it a whirl.


Edit:
Works Perfect  :-P
« Last Edit: September 09, 2008, 11:02:59 AM by Paul Howard »

Offline Confucius

  • ****
  • 235
  • +0/-0
Re: Phishing and Scam Signatures for ClamAV
« Reply #7 on: September 09, 2008, 05:17:10 PM »
I think the HowTo is missing 1 element.

Code: [Select]
signal-event email-update
I couldn't get it working till I restarted ClamAV.

After this it recognized the test-signatures right away.

Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: Phishing and Scam Signatures for ClamAV
« Reply #8 on: September 09, 2008, 06:38:16 PM »
That is true - otherwise it will be reload the database and recognize the new signatures after the default 30mins.

Offline Normando

  • *
  • 841
  • +2/-1
    • Unixlan
Re: Phishing and Scam Signatures for ClamAV
« Reply #9 on: September 10, 2008, 06:41:44 AM »
Hi Kanuddi and thanks for your how to.

I think this is a valuable piece for a how to or extend the "email" page.

Can you have the rights to add content at the wiki? Because this information will be lost inside the deep of history.

Offline Confucius

  • ****
  • 235
  • +0/-0
Re: Phishing and Scam Signatures for ClamAV
« Reply #10 on: September 10, 2008, 09:25:58 AM »
Jesper,

I also think it's important this end up in the wiki. In not even 12 hours on my relaxed home-server with max 25 (valid) e-mails a day I already see in the unjunkmgr 2 e-mails that have been intercepted by this procedure.

For me this was a very nice addition and should maybe be default on every server.

Harro

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: Phishing and Scam Signatures for ClamAV
« Reply #11 on: September 10, 2008, 11:19:04 AM »
For me this was a very nice addition and should maybe be default on every server.
If you think so please motivate it in the bugtracker in the New Feature Request category please.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: Phishing and Scam Signatures for ClamAV
« Reply #12 on: September 10, 2008, 12:39:29 PM »
I have updated the script to now also download signatures from:

http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

I have placed an updated script here for now (will get moving on the wiki later)

http://sme.swerts-knudsen.com/downloads/update_sanesecurity

Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: Phishing and Scam Signatures for ClamAV
« Reply #13 on: September 10, 2008, 08:44:00 PM »
Added this small howto in the wiki:
http://wiki.contribs.org/Email#Anti_Virus

Offline Normando

  • *
  • 841
  • +2/-1
    • Unixlan
Re: Phishing and Scam Signatures for ClamAV
« Reply #14 on: September 10, 2008, 11:24:13 PM »