On the issue of manually reviewing the mails to submit... isn't this the
purpose of the quarantine directory? When it detects a phishing malware,
look at the file in the quarantine directory.
On Sunday 14 November 2004 8:57 am, Julian Mehnle wrote:
> Matt [EMAIL PROTECTED] wrote:
> > Julian Mehnle wrote:
> > > How can I configure ClamAV not to try to detect phishing and other
> > > social engineering attacks?
> >
> > Why? Your prerogative, obviously, but I am just curious.
>
> For three reasons:
>
> 1. I consider filtering technically harmful messages for my users
> acceptable, but I think filtering social engineering to be censorship.
> I would rather educate my users.
>
> 2. While recognizing technical engineering (viruses, worms, other
> malware) automatically has proven to be feasible, I _generally_ do not
> believe in recognizing social engineering (scams, phishing, etc.)
> automatically. Technical state of the art is far from doing that
> reliably. Without machines being able to understand the meaning of
> text, any heuristics can only be a crook. I am using reputation
> systems (AKA DNS blacklists) instead.
>
> 3. I am using the SpamCop reporting tool[1] to file complaints to ISPs
> about spam (which specifically includes phishing attacks) that I
> receive. SpamCop requires spam samples to be manually checked for
> spamminess before being reported. Thus I _do_ want to receive social
> engineering messages and classify them manually in order to report
> them to SpamCop.
>
> Tomasz Kojm [EMAIL PROTECTED] wrote:
> > Julian Mehnle <[EMAIL PROTECTED]> wrote:
> > > How can I configure ClamAV not to try to detect phishing and other
> > > social engineering attacks?
> >
> > Modify your mail scanner to pass "HTML.Phishing.*" through.
>
> Yes, I can do that. Is there an authoritative hierarchy of signature
> names from which I can see what hierarchy branches ("HTML.Phishing.*",
> etc.) I would have to whitelist?
>
> Besides, there's obviously a fundamental difference between technical
> malware and social engineering malware, so there should be a way to
> configure what to detect and what not.
>
> References:
> 1. http://www.spamcop.net/anonsignup.shtml
>
> _______________________________________________
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
--
John Jolet
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net
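
One way a mail scanner could apply the "HTML.Phishing.*" pass-through suggested in the quoted reply, as an added example that is not part of the original thread or of ClamAV itself. It assumes the scanner reads clamd/clamdscan-style reply lines (`<name>: <Signature> FOUND`, `<name>: OK`, `<name>: <message> ERROR`); the function names, the action strings and the sample signature names are constructed for illustration.

```python
import fnmatch

# Assumption: signature-name branches the operator delivers instead of
# quarantining. "HTML.Phishing.*" is the pattern named in the thread.
PASS_THROUGH = ["HTML.Phishing.*"]


def parse_reply(line):
    """Split one scanner reply line into (status, detail)."""
    line = line.strip("\r\n\0 ")
    _name, _sep, rest = line.rpartition(": ")
    if rest == "OK":
        return "OK", ""
    for status in ("FOUND", "ERROR"):
        if rest.endswith(" " + status):
            return status, rest[: -len(status) - 1]
    # Unrecognised reply: treat it as a failed scan, never as clean.
    return "ERROR", line


def is_pass_through(signature):
    """True if the signature falls under an allowlisted branch."""
    return any(fnmatch.fnmatchcase(signature, p) for p in PASS_THROUGH)


def decide(reply_lines):
    """Return (action, signatures): 'quarantine', 'deliver' or 'tempfail'."""
    found = []
    for line in reply_lines:
        status, detail = parse_reply(line)
        if status == "ERROR":
            return "tempfail", [detail]  # fail closed: scan did not finish
        if status == "FOUND":
            found.append(detail)
    blocking = [s for s in found if not is_pass_through(s)]
    if blocking:
        return "quarantine", blocking  # any non-allowlisted hit blocks
    return "deliver", found  # clean, or only pass-through hits (tag these)


if __name__ == "__main__":
    # Constructed sample replies, not real scanner output.
    for sample in (["stream: HTML.Phishing.Bank-1 FOUND"],
                   ["stream: Worm.Example.A FOUND"],
                   ["stream: OK"]):
        print(sample, "->", decide(sample))
```

ClamAV reports only the first matching signature by default, so a pass-through hit does not show that the message carries nothing else; scanning with clamscan's `--allmatch` lets a second, blocking signature surface before the message is delivered.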