Re: Combatting The new type of graphical spam


Re: Combatting The new type of graphical spam

Andrew Porter-3
There are clamav signatures for a lot of the phishing and image SPAMs.

http://www.sanesecurity.com/clamav/news.htm

It's caught just about everything since I started using them.  The only downside is that it marks the SPAM as a virus and not SPAM.
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Assp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-devel


Re: [SPAM] Re: Combatting The new type of graphical spam

Doug Traylor

 
----- Original Message -----
There are clamav signatures for a lot of the phishing and image SPAMs.
http://www.sanesecurity.com/clamav/news.htm
It's caught just about everything since I started using them.  The only downside is that it marks the SPAM as a virus and not SPAM.
These have been working tremendously well for me.  I am running them with clamav on an smtp gateway after ASSP and it was catching hundreds a day.  Most of them were failing one or another test in ASSP (I run in testmode on most things and handle the non-bayesian spam with my MTA and individual user spam folders).  Most of the ones that ASSP caught were only caught as Bayesian spam which I pass to my users after marking as spam.  These additional anti-phish and anti-scam filters have greatly reduced, almost eliminated these image spams that get through every other kind of filter.  Highly recommended.
 
With Fritz's improvements to ASSP's calling of clamd I have enabled virus scanning in ASSP again and am actually running them through the same clamd and signatures as my after-ASSP gateway.  Funny thing is that gateway is still catching some, but not as many as before using the same clamAV and sigs.  Strange.
 
Doug Traylor


Re: [SPAM] Re: Combatting The new type of graphical spam

Andrew Porter-3
On Tue, 2007-02-20 at 08:48 -0600, Doug Traylor wrote:

> With Fritz's improvements to ASSP's calling of clamd I have enabled virus scanning in ASSP again and am actually running them through the same clamd and signatures as my after-ASSP gateway.  Funny thing is that gateway is still catching some, but not as many as before using the same clamAV and sigs.  Strange.

Could this be something to do with the buffer size or AV Bytes size? Perhaps the after-ASSP gateway scans the entire email?




Re: Combatting The new type of graphical spam

Lee Howard-2
In reply to this post by Andrew Porter-3
Andrew Porter wrote:

> There are clamav signatures for a lot of the phishing and image SPAMs.
>
> http://www.sanesecurity.com/clamav/news.htm
>
> It's caught just about everything since I started using them.  The
> only downside is that it marks the SPAM as a virus and not SPAM.


I guess it's just a matter of definition.  Spam is unsolicited
commercial bulk e-mail.  Phishing attempts via e-mail are not really
"commercial" if you ask me.  I would consider them to be closer to a
worm or a virus than to spam.

Lee.


Re: Combatting The new type of graphical spam

Ralph Fowler
When I posted the original message to this thread, my intent was to catch
the image based spams, not really phishing attempts. If these definitions
grab image-spam, then they will certainly do something towards my original
problem.  I can't wait to give them a try!

Ralph



Re: Combatting The new type of graphical spam

Andrew Porter-3
On Tue, 2007-02-20 at 11:39 -0500, rwf wrote:
> When I posted the original message to this thread, my intent was to catch
> the image based spams, not really phishing attempts. If these definitions
> grab image-spam, then they will certainly do something towards my original
> problem.  I can't wait to give them a try!

I've got a (slightly) better script for getting the updates than the ones on the sanesecurity site if anyone wants them.




Re: Combatting The new type of graphical spam

Doug Traylor
> I've got a (slightly) better script for getting the updates than the ones
> on the sanesecurity site if anyone wants them.

Better how?  For what OS are they used on?

I have been running the Windows batch file, ss-updater update.bat, hourly
for a few months with no trouble.

Doug



Re: Combatting The new type of graphical spam

Andrew Porter-3
On Tue, 2007-02-20 at 11:16 -0600, Doug Traylor wrote:
>> I've got a (slightly) better script for getting the updates than the ones
>> on the sanesecurity site if anyone wants them.
>
> Better how?  For what OS are they used on?

Linux/Unix - it's just a bit tidier and easier to add new sources later.

#!/bin/bash

# ==========================
# Either set and export PATH
# ==========================
PATH=/bin:/usr/bin:/usr/local/bin
export PATH

# ===============================
# or set individual program paths
# ===============================
#clamscan="/usr/local/bin/clamscan"
#curl="/usr/local/bin/curl"
#gunzip="/bin/gunzip"
#test="/usr/bin/test"

# ====================================
# Set temporary working directory path
# ====================================
CLAMAVDBPATH=/var/lib/clamav
TEMP="/var/tmp/clamdb"
mkdir -p "$TEMP" > /dev/null 2>&1
trap 'rm -rf "$TEMP"' EXIT

# =========================================
# Change shell to ClamAV database directory
# =========================================
cd "$CLAMAVDBPATH" || exit 1

# ==============================================================
# Abort the whole run on the first failed download, gunzip or
# clamscan test (set once at top level: a "set -e" inside a
# function applies to the whole shell anyway)
# ==============================================================
set -e

function getfile
{
        SOURCEFILE=$1
        FILENAME=${SOURCEFILE##*/}

        # Only fetch if the server copy is newer than the local one (-z);
        # on the first run there is no local copy yet, so fetch unconditionally
        if [[ -r $FILENAME ]]
        then
                curl -R -s -z "$FILENAME" -o "$TEMP/$FILENAME" "$SOURCEFILE"
        else
                curl -R -s -o "$TEMP/$FILENAME" "$SOURCEFILE"
        fi
        if [[ -s $TEMP/$FILENAME ]]
        then
                if [[ $FILENAME = *.gz ]]
                then
                        SRC=$TEMP/$FILENAME
                        FILENAME=${FILENAME%.gz}
                        gunzip -cdf "$SRC" > "$TEMP/$FILENAME"
                        # keep the .gz so the next run's -z check has a timestamp
                        mv -f "$SRC" .
                fi
                # Make sure clamscan can load the new DB before installing it;
                # with set -e a broken file aborts the run and leaves the old DB in place
                clamscan --quiet -d "$TEMP/$FILENAME"
                [[ -r $FILENAME ]] && cp -f "$FILENAME" "$FILENAME.bak"
                mv -f "$TEMP/$FILENAME" .
        fi
}

# =========================================================
# Check for new DB files.  If new, download, test & process
# =========================================================
getfile http://www.sanesecurity.com/clamav/scam.ndb.gz
getfile http://www.sanesecurity.com/clamav/phish.ndb.gz
getfile http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
getfile http://download.mirror.msrbl.com/MSRBL-Images.hdb

# =============================================================================
# Set appropriate file permission
#  (should be whatever user account ClamD is running under)
# =============================================================================
chown -R clamav:clamav "$CLAMAVDBPATH"

# =============================================================================
# Reload database
#  (should not be necessary if you have "SelfCheck" enabled in clamd.conf
#   and "NotifyClamd" enabled in freshclam.conf)
# =============================================================================
#service clamd reload


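An offline sanity check for the third-party .ndb/.hdb files the updater above fetches, added here as an example (it is not Andrew's script and not ClamAV or Sanesecurity code): before the `mv` installs a download, it validates each line against the legacy ClamAV extended-signature (.ndb) and MD5-hash (.hdb) layouts used by scam.ndb, phish.ndb, MSRBL-SPAM.ndb and MSRBL-Images.hdb, complementing the `clamscan -d` load test. The checks are a lenient approximation of ClamAV's parser, and the sample lines are constructed.

```python
import re

# Assumption: lenient structural checks of ClamAV's legacy .ndb and .hdb line formats,
# written for this example; they approximate, and are not, ClamAV's own parser.
_HEX_SIG = re.compile(r"^[0-9a-fA-F?*{}\-\[\]()|!BLW]+$")
_OFFSET = re.compile(r"^(\*|\d+|EOF-\d+|EP[+-]\d+|S\d+\+\d+|SE\d+|SL\+\d+)(,\d+)?$")

def _first_failure(checks):  # checks: [(ok, reason)] -> first failing reason, else None
    return next((reason for ok, reason in checks if not ok), None)

def check_ndb_line(line):  # MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
    f = line.rstrip("\n").split(":")
    name, target, offset, hexsig = (f + [""] * 4)[:4]
    # Strip {n-m} gaps, [n-m] jumps and (B)/(L)/(W) markers; each run left between
    # '*', '!' and alternation brackets must be whole bytes ('?' nibble wildcards allowed)
    literal = re.sub(r"\{[^}]*\}|\[[^\]]*\]|\((?:B|L|W)\)", "", hexsig).lower()
    runs = [r for r in re.split(r"[*()|!]", literal) if r]
    return _first_failure([
        (4 <= len(f) <= 6, "expected MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]"),
        (name and " " not in name, "empty or whitespace in MalwareName"),
        (target.isdigit(), "TargetType must be a non-negative integer"),
        (_OFFSET.match(offset), "bad Offset"),
        (_HEX_SIG.match(hexsig), "illegal character in HexSignature"),
        (runs and all(len(r) % 2 == 0 and re.fullmatch(r"[0-9a-f?]+", r) for r in runs),
         "HexSignature runs must be even-length hex"),
        (any(re.search(r"[0-9a-f]{2}", r) for r in runs), "HexSignature has no literal byte"),
        (all(x.isdigit() for x in f[4:]), "MinFL/MaxFL must be integers"),
    ])

def check_hdb_line(line):  # MD5:FileSize:MalwareName[:MinFL[:MaxFL]]
    f = line.rstrip("\n").split(":")
    md5, size, name = (f + [""] * 3)[:3]
    return _first_failure([
        (3 <= len(f) <= 5, "expected MD5:FileSize:MalwareName[:MinFL[:MaxFL]]"),
        (re.fullmatch(r"[0-9a-fA-F]{32}", md5), "hash must be 32 hex characters (MD5)"),
        (size == "*" or size.isdigit(), "FileSize must be a decimal byte count or *"),
        (name and " " not in name, "empty or whitespace in MalwareName"),
        (all(x.isdigit() for x in f[3:]), "MinFL/MaxFL must be integers"),
    ])

def check_db_text(text, kind):  # -> [(lineno, reason)] per malformed line; [] means clean
    check = {"ndb": check_ndb_line, "hdb": check_hdb_line}[kind]
    results = [(n, check(l)) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    return [(n, r) for n, r in results if r]

# Constructed sample lines (not real Sanesecurity or MSRBL signatures)
SAMPLE_NDB = "\n".join(["Sanesecurity.Test.Image.1:4:*:436f6e74656e742d547970653a20696d6167652f676966",
                        "Broken.OddLength:4:*:436f6", "Broken.Offset:4:EOF:3c696d67"])
SAMPLE_HDB = "\n".join(["d41d8cd98f00b204e9800998ecf8427e:0:Constructed.EmptyFile.Md5",
                        "zz41d8cd98f00b204e9800998ecf8427e:1234:Broken.NotHex"])
```

Running `check_db_text` on a fetched file and refusing the install when it returns a non-empty list keeps a truncated or tampered feed from replacing a known-good database.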

Re: [SPAM] Re: Combatting The new type of graphical spam

Doug Traylor
In reply to this post by Andrew Porter-3
>> Funny thing is that gateway is still catching some, but not as many as
>> before using the same clamAV and sigs.
>
> Could this be something to do with the buffer size or AV Bytes size ?
> Perhaps the after-ASSP gateway scans the entire email  ?

No, it turns out that in ASSP 1.2.99.2 the emails that fail other tests do
not get scanned by the virus scanner in ASSP.  I verified that with one
email that failed RBL and invalid Helo and had a PB of 75, but since I run
in test mode that email was on its way to the user's spam folder on our
MTA.  ASSP did not send it to clamd.  I don't know if this behavior exists
in the latest build.  This is potentially dangerous for users who depend on
ASSP to do their AV scanning.  I am doing further research and as time
allows, will probably download the latest version and see if that is still
the case.

Doug Traylor

