Hi there,

On Tue, 25 Dec 2007 Paul Kosinski wrote:

> In December 2006, we were running ClamAV 0.88.7, and there were still
> a fair number of "real" viruses being detected in inbound email. Now
> running 0.91.2 and 0.92, there seem to be only phishing attempts, and
> not even very many of them. In fact it seems that our log file shows
> almost as many (hourly) signature update messages as phish detections
> (much less "real" virus detections).
>
> Have other ClamAV users experienced a similar decline in email
> attacks?

If you're thinking that perhaps the later versions of ClamAV are less
effective at finding viruses, I don't think that's the case at all but
I don't have any evidence.  I've been running ClamAV for a couple of
years and I'm running ClamAV version 0.92 at present.

Our firewall rules are updated by scripts which are fed from the mail
and web server logs.  IP addresses which fail certain tests and/or
which attempt to send suspicious email or HTTP requests are added to
the block lists automatically.  The block can be temporary, but it is
usually permanent.  It may be for connections to port 25 only or it may
be for all connections, depending on the offending traffic.

Some facts:

1. Some of our email addresses have been published on the Internet,
   either on mailing lists or on the Web, for more than a decade.

2. Daily, I see between a few thousand and a few tens of thousands of
   attempts to send email that nobody would want.  As you can see the
   volume fluctuates wildly but there are definite patterns:
   http://www.jubileegroup.co.uk/JOS/misc/port25.gif

3. As I write, we're blocking about 36,000 networks - mostly /24.
   The majority of these are dynamic IP ranges used by ISP customers.

4. We run no Windows machines.

5. I very rarely see an email virus, but I do see a steady trickle of
   phishing emails and a few malware types, mostly casino advertising.
   Almost all are weeded out (with practically no false positives) by
   the Sanesecurity database.  For example, in December so far, out of
   about 154,000 attempts to send mail that we don't want I have seen
   18 phishing emails get as far as being scanned (and rejected) by
   ClamAV, and two casino advertisements actually reached an inbox.
   No viruses were seen, but I'd be very surprised if no attempts had
   been made to send any.  Most of the attempts to send mail are made
   by compromised Windows boxes (http://lcamtuf.coredump.cx/p0f.shtml).

These facts might be related or they might not.  I hope they'll be
of use to someone.

--

73,
Ged.
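As an added illustration of the log-driven blocklist Ged describes above (this is not Ged's script; the Postfix-style and Apache-style log shapes, the policy tests, the temporary/permanent choice and the per-/24 threshold are all assumptions), a Python sketch that picks offending addresses out of mail and web log lines, collapses them to a /24 when several hosts in the same range offend, and emits port-25-only or all-port iptables DROP rules:

```python
import re
from collections import defaultdict, namedtuple
from ipaddress import ip_network
# Constructed sample lines in Postfix-style and Apache-style shapes (not real traffic).
MAIL_LOG = [
    "mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 blocked by RBL",
    "mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.1 Helo rejected",
    "mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 User unknown",
    "mx postfix/smtpd[1]: 7A1B2: client=mail.example.net[192.0.2.20]",  # accepted; must not be listed
]
WEB_LOG = [
    '203.0.113.77 - - [25/Dec/2007:10:05:00 +0000] "GET / HTTP/1.0" 400 0',
    '192.0.2.20 - - [25/Dec/2007:10:05:03 +0000] "GET /index.html HTTP/1.1" 200 1234',
]
MAIL_REJECT = re.compile(r"reject: RCPT from \S+\[(\d+\.\d+\.\d+\.\d+)\]: (\d{3})")
WEB_LINE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) .*?"[^"]*" (\d{3}) ')
# net: /32 host or /24 CIDR; port25_only: refuse SMTP only (else everything); permanent: else expiry candidate
Block = namedtuple("Block", "net port25_only permanent")

def offenders(mail_lines, web_lines):
    """Map IP -> 'mail' or 'web' for addresses failing a (hypothetical) policy test."""
    found = {}
    for line in mail_lines:
        m = MAIL_REJECT.search(line)
        if m and m.group(2)[0] in "45":        # SMTP 4xx/5xx rejection
            found.setdefault(m.group(1), "mail")
    for line in web_lines:
        m = WEB_LINE.match(line)
        if m and m.group(2) == "400":          # malformed HTTP request
            found[m.group(1)] = "web"          # a web offence outranks a mail one
    return found

def build_blocks(found, per_24=2):
    """Collapse to the whole /24 when at least per_24 hosts of that /24 offend."""
    by24 = defaultdict(list)
    for ip, kind in found.items():
        by24[str(ip_network(f"{ip}/24", strict=False))].append((ip, kind))
    blocks = []
    for net, hosts in by24.items():
        if len(hosts) >= per_24:
            wide = any(kind == "web" for _, kind in hosts)   # any web offence: block all ports, for good
            blocks.append(Block(net, not wide, wide))
        else:
            blocks += [Block(f"{ip}/32", kind == "mail", kind == "web") for ip, kind in hosts]
    return sorted(blocks, key=lambda b: b.net)

def iptables_rules(blocks):
    """One iptables DROP rule per block: port 25 only, or all traffic from the source."""
    return [f"iptables -A INPUT -s {b.net}{' -p tcp --dport 25' if b.port25_only else ''}"
            f" -j DROP  # {'permanent' if b.permanent else 'temporary'}" for b in blocks]
```

Feeding the constructed lines through gives one temporary port-25 block for 198.51.100.0/24 and one permanent all-port block for 203.0.113.0/24; lowering the threshold to per-host entries is a matter of the `per_24` argument.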
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html