> Paul Kosinski wrote:
> > In December 2006, we were running ClamAV 0.88.7, and there were still
> > a fair number of "real" viruses being detected in inbound email. Now
> > running 0.91.2 and 0.92, there seem to be only phishing attempts, and
> > not even very many of them. In fact it seems that our log file shows
> > almost as many (hourly) signature update messages as phish detections
> > (much less "real" virus detections).
> >
> > Have other ClamAV users experienced a similar decline in email
> > attacks?

Yes. We (xs4all, a mid-sized European ISP) actually keep online graphs of the number of viruses and spam detected. Note that we do not count phishes as a virus (phishes detected by clamav count as a score in SA). See:

http://www.xs4all.nl/uk/veiligheid/statistieken.php

As you can see in the yearly graphs, there have been a few outbreaks of viruses causing a temporary rise in the number of email viruses detected. The number of 'real' viruses we see now is typically less than 0.1%. Of course, more than 95% of the rest is spam...

Note that even that 'outbreak' in January was rather weak, topping at 18 viruses/second. We used to see virus outbreaks with over 60 virus delivery (attempts) per second back in 2005.

The going theory is that classical email viruses have basically become almost extinct. Congratulations. The email virus scanners won. The bad guys smartened up and moved to infected webpages (hi, Alicia Keys!), p2p fakes and malware (WoWarcraftPingAccelerator.exe.torrent ?), and IM threats.

Also, if a virus ever does spread by email, it is usually extremely targeted and quite rare, and it doesn't generate a huge outgoing flood because it doesn't want to be detected. So it is not uncommon for "0-day malwarez" to be detected by less than 20% of the scanners available.

Currently, the only solution is for end users to have really up to date virus scanners on the desktop, and a healthy dose of scepticism before clicking on anything. Wait, is that a pig flying by my window?

So while the battle on email viruses might be won, the war certainly isn't over. If end users continue to be too ignorant to get their security straight, then ISPs will have to run all of their connections through some sort of transparent proxy/virus scanner, at some point, to keep the users secure.
And at the moment the NSA (or your local favorite TLA secret agency) hears that that is possible, ISPs will get a request for some more functionality in the transparent proxy, and your privacy will be completely hosed.

--
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!