On 2007-03-03 05:52, Dennis Peterson wrote:
> This is an interesting list for what it shows. It is a list from the
> last 10,000 "viruses" caught here where there were 10 or more of a
> particular virus caught. Clearly most of them are not viruses at all but
> image spam and penny stock scams. Might be time to re-word the way the
> information is reported back to the milter. The message says it's all
> viruses.
Be careful about using clamav with the MSRBL image-spams database!!

It seems to me like detecting the image spams with clamav signatures is
not really an improvement. In fact, it is probably dangerous!

The programs generating these spams make unique images with variations in
speckles, lines, color, size, etc., making the image signature unique for
each mail sent. I still have to catch the first real spam using the
MSRBL-Image clamav signatures. I did catch some false positives on the
other hand...

From the list below, all of the images caught are actually false positives
(which the MSRBL people will have removed by now: they are cleaning up the
db, removing all too-small images).

You can get the image it refers to on the url:
http://store.msrbl.com/<last_part_of_virus_name>
like: http://store.msrbl.com/0-AHL

>
> It also shows that Steve's lists from Sane Security are continuing to
> kick some serious butt. Thanks again, Steve!
>
>
> count pattern
> 1233 Email.Img.Gen021.Sanesecurity.06126001
> 1182 Email.Img.Gen018.Sanesecurity.06122000
> 1053 Email.Img.Gen016.Sanesecurity.06121201
> 812 Email.Hdr.Sanesecurity.07012400
> 659 Email.Img.Gen001.Sanesecurity.06111101
> 283 Html.Img.Gen013.Sanesecurity.06112900
> 197 Email.Stk.Gen298.Sanesecurity.07021504
> 196 Email.Stk.Gen294.Sanesecurity.07021500
> 191 Email.Stk.Gen299.Sanesecurity.07021505
> 180 Email.Stk.Gen297.Sanesecurity.07021503
> 175 Email.Stk.Gen295.Sanesecurity.07021501
> 173 Email.Stk.Gen300.Sanesecurity.07021506
> 169 Email.Stk.Gen296.Sanesecurity.07021502
> 140 Email.Spam.Gen253.Sanesecurity.07022303
> 139 Email.Img.Gen040.Sanesecurity.07010600
> 120 Email.Img.Gen064.Sanesecurity.07022301
> 116 Email.Spam.Gen103.Sanesecurity.07011703
> 89 Email.Img.Gen031.Sanesecurity.07010100
> 51 Email.Stk.Gen301.Sanesecurity.07021507
> 45 Html.Dipl.Gen003.Sanesecurity.07010300
> 39 Worm.Stration.pac
> 36 MSRBL-Images/0-IYC

false positive, see: http://store.msrbl.com/0-IYC

> 35 MSRBL-Images/0-OUI

false positive, see: http://store.msrbl.com/0-OUI

> 35 MSRBL-Images/0-Iwd

false positive, see: http://store.msrbl.com/0-Iwd

> 33 MSRBL-Images/0-O3Y

false positive, see: http://store.msrbl.com/0-O3Y

> 33 Html.Img.Gen037.Sanesecurity.07010501
> 29 Html.Phishing.RockGen11.Sanesecurity.07021701
> 26 Html.Phishing.Rock.Sanesecurity.06080102
> 24 Email.Stk.Gen205.Sanesecurity.07012204
> 24 Email.ImgO.Gen010.Sanesecurity.07022100
> 22 MSRBL-SPAM.BounceBack.2504
> 22 Html.Phishing.Bank.Gen818u.Sanesecurity.06062707
> 18 MSRBL-Images/0-OwI

false positive, see: http://store.msrbl.com/0-OwI

> 18 Email.Stk.Gen193.Sanesecurity.07011706
> 17 MSRBL-Images/0-OO1

false positive, see: http://store.msrbl.com/

> 16 MSRBL-SPAM.Meds.2660
> 16 Html.Phishing.Pay.Gen017.Sanesecurity.06022800
> 15 MSRBL-Images/0-OR9

...find this out for yourself...

> 15 MSRBL-Images/0-IYu
> 15 Email.Hdr.Sanesecurity.07022100
> 14 MSRBL-SPAM.SpamBlowBack.1150
> 14 MSRBL-SPAM.Bounce.URL.914
> 14 Html.Phishing.Pay.Gen001.Sanesecurity.06012700
> 14 Html.Phishing.Azon.Gen034.Sanesecurity.06112900
> 13 MSRBL-Images/0-OSE

This is the first "real image" (the above were mostly spacer gifs used to
position the images in webpages), but still a false positive. See:
http://store.msrbl.com/0-OSE

> 12 Worm.Somefool.AR
> 12 HTML.Phishing.Bank-362
> 12 ClamAV-Test-File
> 11 Html.Phishing.RockGen6.Sanesecurity.06122300
> 11 Html.Phishing.Rock.Sanesecurity.06050500
> 10 MSRBL-Images/0-Ihq

And another spacer gif... http://store.msrbl.com/0-Ihq

> 10 Html.Img.Gen034.Sanesecurity.07010302

I removed the msrbl-image database from my system, reducing the number of
signatures clamav has to watch to 1/3. And no more false positives either,
as a benefit. Now trying to get fuzzy-OCR working instead...

(nevertheless I *do* appreciate the effort from the MSRBL people fighting
spam)

-- 
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out                    *
***********************************************************************

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
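Dennis's point that the milter reports every hit as a "virus", and Paul's finding that every MSRBL-Images hit on his system was a false positive, both come down to telling signature sources apart by detection name. The script below is an added example, not code from either poster nor from the ClamAV, Sane Security or MSRBL projects: it parses a "count pattern" table like the one in the thread (a constructed subset of it is embedded as sample input), sorts the hits by signature source using prefix rules that are this example's own assumptions about naming conventions, and builds the store.msrbl.com review URL the post gives for MSRBL image hits. The category names and the `milter_label` wording are invented for the example.

```python
"""Split ClamAV milter hit counts by the signature source that produced them.

Added example, not code from the clamav-users thread. The prefix rules in
classify() are assumptions about naming seen in the posted report, not
anything ClamAV documents.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the "count pattern" table from the
# thread, in the same "count name" layout the milter report used.
SAMPLE_REPORT = """\
count pattern
1233 Email.Img.Gen021.Sanesecurity.06126001
812 Email.Hdr.Sanesecurity.07012400
197 Email.Stk.Gen298.Sanesecurity.07021504
39 Worm.Stration.pac
36 MSRBL-Images/0-IYC
35 MSRBL-Images/0-OUI
29 Html.Phishing.RockGen11.Sanesecurity.07021701
22 MSRBL-SPAM.BounceBack.2504
16 MSRBL-SPAM.Meds.2660
13 MSRBL-Images/0-OSE
12 Worm.Somefool.AR
12 HTML.Phishing.Bank-362
12 ClamAV-Test-File
10 MSRBL-Images/0-Ihq
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)")

MSRBL_STORE = "http://store.msrbl.com/"  # review URL base given in the post


def classify(name: str) -> str:
    """Map a detection name to its signature source (rules are assumptions).

    ".Sanesecurity."    third-party spam/phishing signatures (Sane Security)
    "MSRBL-Images/"     third-party image-spam signatures (MSRBL)
    "MSRBL-SPAM."       third-party text-spam signatures (MSRBL)
    ".Phishing."        ClamAV's own phishing signatures (not malware)
    "ClamAV-Test-File"  ClamAV's own test signature
    anything else       treated as a ClamAV malware signature
    """
    if name == "ClamAV-Test-File":
        return "test"
    if ".Sanesecurity." in name:
        return "sanesecurity-spam"
    if name.startswith("MSRBL-Images/"):
        return "msrbl-image"
    if name.startswith("MSRBL-SPAM."):
        return "msrbl-spam"
    if ".Phishing." in name:
        return "phishing"
    return "malware"


def parse_report(text: str) -> List[Tuple[int, str]]:
    """Return (count, name) pairs; header and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((int(m.group(1)), m.group(2)))
    return hits


def summarize(text: str) -> Dict[str, int]:
    """Total hit counts per signature source."""
    totals: Counter = Counter()
    for count, name in parse_report(text):
        totals[classify(name)] += count
    return dict(totals)


def review_url(name: str) -> Optional[str]:
    """URL where an MSRBL image hit can be inspected; None for other sources."""
    if classify(name) != "msrbl-image":
        return None
    return MSRBL_STORE + name.split("/", 1)[1]


def milter_label(name: str) -> str:
    """Wording for the milter reply: only malware hits are called a virus."""
    source = classify(name)
    if source == "malware":
        return "virus: " + name
    if source == "test":
        return "test signature: " + name
    return "spam/phishing signature (%s): %s" % (source, name)


if __name__ == "__main__":
    for source, total in sorted(summarize(SAMPLE_REPORT).items(),
                                key=lambda kv: -kv[1]):
        print("%6d  %s" % (total, source))
    for _, name in parse_report(SAMPLE_REPORT):
        url = review_url(name)
        if url:
            print("review before acting:", name, "->", url)
```

Running it on the sample shows the thread's point in numbers: the Sane Security and MSRBL categories dwarf the two worm signatures, and every MSRBL-Images entry gets a review link rather than being reported as a virus.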
