Trog [EMAIL PROTECTED] wrote:
> I am, unfortunately, familiar with SpamCop (and all the other similar
> 'tools'). As a listed contact for over 16 million Internet IP addresses I
> receive notices from such 'tools' all the time, and I've *never* had
> one that is accurate yet.
>
> They are incredibly dumb pieces of software that achieve nothing other
> than annoying innocent sys admins and giving their mis-guided users a
> warm feeling. Please stop using them [1].

Sorry, your rant is too vague to convince me. I have heard a lot of fuzzy criticism regarding SpamCop but nothing really concrete.

> The definition of malware has always been a grey area, there are no
> defined rules as to what an AV product should stop and what it
> shouldn't.

I never disputed that phishing attacks weren't malware (it might be considered as such). I just said there _is_ a clear distinction between technical attacks and social engineering attacks, that phishing definitely is only the latter, and that I'd like to have an option to only detect technical attacks with ClamAV.

> In the case of phishing, it is obviously intended to directly
> defraud people, or be used as an avenue to install other malware
> (keyloggers etc.) and as such, is distinctly different from spam, which
> merely tries to get you to buy something.

Definitely not. Spam certainly cannot be defined as trying to get you to buy something. Spam is commonly defined as UCE and UBE, and -- contrary to SpamCop -- I even consider worms spam, because they're definitely UBE (unsolicited bulk e-mail). Phishing attacks usually are UBE, too.

> The 'technical' and 'social' divide you appear to like to use is a
> red-herring.

No, it is a useful distinction because technical attacks practically never carry any valuable information for the recipient. With regard to social engineering (besides them generally being much harder to detect automatically), I'm not willing to make that call for my users. Someone might want to receive a bank or 419 fraud attack in order to make fun of the sender (I guess you know those games). Whatever. I don't know, so I consider blocking non-technical attacks to be censorship. Users _may_ choose to block those using whatever criteria. But that is not something a virus scanner should do. They can do it using SpamAssassin if they want.

> For example, the last Bagle (or Bofra) outbreak simply sent an email to
> its target victims, who then have to click on a link to download the
> Worm. According to your definition, that is a 'social' attack, and
> should not be blocked.

I agree that there is a gray area, but that doesn't mean the distinction between technical attacks and social engineering attacks isn't meaningful.

> You have a number of options:
>
> 1. Use another product.
> 2. Unlike a commercial product, with ClamAV you are in the enviable
> position of being able to use a subset of the signatures by using
> sigtool to unpack the sig DB files and remove any signatures you don't
> want.

You're trying to kid me, right? I'm not going to be scared away just because you wish to take a fundamentalist position that ClamAV should _not_ offer an option to ignore social engineering attacks even though they are clearly different from technical attacks.

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
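The "unpack with sigtool and remove what you don't want" route mentioned in the thread, worked through as an added shell example (not code from the list or the ClamAV project). It assumes the database was first unpacked with `sigtool --unpack daily.cvd`, that the plain `.ndb` files it yields use the `SigName:TargetType:Offset:HexSignature` layout, and that phishing signature names carry a `HTML.Phishing.` or `Email.Phishing.` prefix; the sample signature lines are constructed.

```shell
#!/bin/sh
# Added example: derive a phishing-free signature file from an unpacked
# ClamAV database. Assumed step run beforehand (outside this script):
#   sigtool --unpack daily.cvd     # yields daily.ndb, daily.hdb, ... in cwd
# A plain .ndb file placed in the ClamAV database directory is loaded as-is,
# so the filtered copy can be used without rebuilding a .cvd.
set -eu

# Print every .ndb line whose signature name (field 1) does NOT match PATTERN.
# .ndb line layout assumed: SigName:TargetType:Offset:HexSignature
filter_ndb() {
    pattern="$1"; infile="$2"
    awk -F: -v pat="$pattern" '$1 !~ pat' "$infile"
}

# Print how many signature names in FILE match PATTERN (the set being dropped).
count_matching() {
    pattern="$1"; infile="$2"
    awk -F: -v pat="$pattern" '$1 ~ pat { n++ } END { print n+0 }' "$infile"
}

# Constructed sample in .ndb layout; names and hex bodies are made up.
SAMPLE_NDB=$(mktemp)
cat > "$SAMPLE_NDB" <<'EOF'
Worm.Example.Bagle-1:0:*:4d5a90000300000004
HTML.Phishing.Bank-1:3:*:3c666f726d20616374696f6e
Trojan.Example.Keylogger-2:1:*:5448495320
Email.Phishing.Pay-7:4:*:646561722063757374
EOF

# Assumed naming convention for phishing signatures; adjust to the real DB.
PHISH='^(HTML|Email)[.]Phishing[.]'

echo "phishing signatures to drop: $(count_matching "$PHISH" "$SAMPLE_NDB")"
filter_ndb "$PHISH" "$SAMPLE_NDB" > filtered.ndb
echo "kept $(wc -l < filtered.ndb) signatures in filtered.ndb"
```

Run `clamscan -d filtered.ndb` against a test file to confirm the trimmed set still loads before copying it into the database directory.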
