Hi Steve, On Sat, 4 Oct 2014, Steve Basford wrote:
> Slightly off topic, does anyone have a folder full of saved malware zips/rars etc. they have kept over the past xxx months, if so can U contact me off-list...
I don't, exactly, but I do keep records and I do look at them.

Firstly I'm only interested in what's in electronic mail. I don't run Windows boxes, and on the odd occasion that I need one I fire up a VM. However the several mail servers and many other Linux boxes for which I'm responsible have the potential to assist in the propagation of malicious software to customers, suppliers, colleagues, family and casual acquaintances all around the world. Although running only Linux boxes means I can more or less forget the threat from malware to the machines themselves, I take the view that using them to communicate with more vulnerable systems gives me some responsibilities. One of my employees could, for example, forward a message with a malicious link in it (to which the Linux box she uses is not vulnerable) to someone using XP. Six months after XP went EOL, over 25% of the Windows boxes in the UK for example are still running it. I can't say I blame people for not wanting to be shafted by Microsoft yet again, but I don't think they're being very responsible. Perhaps they'd only have themselves to blame for not using Linux, but I don't want to add to their problems, nor to those of almost everyone else, by sending them a virus for which their machine has no defence - and thus help to create a source of yet more trouble.

So here's what I do: after binning stuff from 25% of the IPv4 address space without even looking at it, and then everything from (at present) seventy-four country codes after paying them much the same attention, I then pass the much-thinned cream of the crop through a huge regular expression filter which looks for things like my spam-trap addresses (more for the bin) and if anything's left I use MIMEDefang to delete every attachment that might be some sort of Windows executable. If a message contains an archive which can't be extracted (e.g. password protected) then it goes in the bit bucket as well. Finally, ClamAV gets to look at what little is left.
Why am I scanning stuff that can't be executed? Well, it still might be cr@p that we don't want. That's where Sanesecurity comes in. I don't actually care if ClamAV can find a virus or not, that's not what I'm using it for. (And here we are almost back on topic :). My contribution to the off-topic topic is that the vast majority of malicious email messages that I see now contain links to the real payload, not the payload itself, and ClamAV doesn't get much to do:

2014.01.06 05:28:44 mail5 clamd[19238]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2014.01.16 01:03:28 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.01.27 11:14:13 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.17130.UNOFFICIAL FOUND
2014.01.28 13:43:18 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.1117.UNOFFICIAL FOUND
2014.02.01 22:35:24 mail5 clamd[19238]: Email.Phishing.Card-9 FOUND
2014.02.11 18:40:51 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.19 08:39:54 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.22 18:19:02 mail5 clamd[19238]: Sanesecurity.Lott.1874.UNOFFICIAL FOUND
2014.03.03 15:46:01 mail5 clamd[19238]: Sanesecurity.Scam4.1567.UNOFFICIAL FOUND
2014.03.20 22:52:32 mail5 clamd[19238]: Sanesecurity.Junk.24795.UNOFFICIAL FOUND
2014.05.01 19:01:25 mail5 clamd[19238]: ScamNailer.Phish.administrator_AT_domain.com.UNOFFICIAL FOUND
2014.05.14 18:41:24 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.05.16 08:36:28 mail5 clamd[19238]: Sanesecurity.Junk.43451.UNOFFICIAL FOUND
2014.05.30 22:36:11 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.06.17 23:12:36 mail5 clamd[19238]: Sanesecurity.Spear.info_at_it_dot_org.UNOFFICIAL FOUND
2014.06.25 01:40:45 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.14 17:01:21 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.19 02:01:59 mail5 clamd[19238]: Sanesecurity.Scam4.1570.UNOFFICIAL FOUND
2014.07.28 17:41:24 mail5 clamd[19238]: Sanesecurity.Junk.20083.UNOFFICIAL FOUND
2014.08.14 18:42:14 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.06 15:33:23 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.12 21:13:47 mail5 clamd[19238]: Sanesecurity.Phishing.Fake.20863.UNOFFICIAL FOUND

This server has an incoming load of about 5,000 mostly spam messages per day, the vast majority of which never get past MAIL FROM: in the SMTP conversation. As you can see, twenty-two messages were rejected by ClamAV in nine months, of which *none* contained viruses because I already dealt with them the easy way, using practically no CPU cycles.

So, in the same period, how many messages were rejected by MIMEDefang on this server because of executable attachments? Four. And three of them were perfectly kosher shell scripts from the Cygwin mailing list. (Oops. :) In nine months of spam collection, with a conservatively estimated body of a million messages, exactly one containing a virus got as far as MIMEDefang, which rejected it before ClamAV even saw it.

Maybe we're getting better here at handling mail, I'd like to think so, but absolute volumes of spam attempts here are down by at least 50% from a couple of years ago. In 2012 this same system saw 66 rejections by third-party signatures (mostly Sanesecurity), four being viruses, from a body of a couple of million messages. I think our target is intelligent, and it seems to me that it's moved, but things do seem to be going in the right direction.

And yes, I probably should reboot that server more often. :)

HTH

--
73,
Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
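As an added example that is not part of Ged's message (nor ClamAV's own code): a small Python parser for clamd "FOUND" lines in the single-line format quoted above (date, host, clamd[pid], signature name, FOUND), which tallies them by signature family, by month, and by official versus third-party origin (clamd marks signatures loaded from third-party databases such as Sanesecurity with the .UNOFFICIAL suffix). The sample input is the twenty-two lines from the message; the regex, the Detection class and the function names are my own assumptions, and the two-component "family" grouping is a convenience for reporting rather than anything ClamAV defines.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical helper (not from the original message or from ClamAV):
# parse clamd FOUND lines and summarise where the detections come from.

# Single-line format as it appears in the message:
#   YYYY.MM.DD HH:MM:SS host clamd[pid]: Signature.Name FOUND
FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) clamd\[(?P<pid>\d+)\]: (?P<sig>\S+) FOUND$"
)


@dataclass(frozen=True)
class Detection:
    timestamp: str
    host: str
    pid: int
    signature: str

    @property
    def unofficial(self) -> bool:
        # clamd appends .UNOFFICIAL to signatures that come from third-party
        # databases (Sanesecurity, ScamNailer, ...) rather than the official one.
        return self.signature.endswith(".UNOFFICIAL")

    @property
    def family(self) -> str:
        # Coarse grouping for reporting: the first two dot-separated components,
        # e.g. "Sanesecurity.Junk" or "Phishing.Heuristics".
        name = self.signature.removesuffix(".UNOFFICIAL")
        return ".".join(name.split(".")[:2])


def parse_found_lines(text: str) -> list[Detection]:
    """Return one Detection per well-formed FOUND line; anything else is skipped."""
    found = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            found.append(Detection(m["ts"], m["host"], int(m["pid"]), m["sig"]))
    return found


def summarize(dets: list[Detection]) -> dict:
    """Counts by origin, family and month, plus the clamd pids seen.
    One pid across many months means the daemon has not been restarted."""
    return {
        "total": len(dets),
        "unofficial": sum(1 for d in dets if d.unofficial),
        "official": sum(1 for d in dets if not d.unofficial),
        "by_family": dict(Counter(d.family for d in dets)),
        "by_month": dict(Counter(d.timestamp[:7] for d in dets)),
        "pids": sorted({d.pid for d in dets}),
    }


# Sample input: the twenty-two lines quoted in the message above.
SAMPLE_LOG = """\
2014.01.06 05:28:44 mail5 clamd[19238]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2014.01.16 01:03:28 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.01.27 11:14:13 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.17130.UNOFFICIAL FOUND
2014.01.28 13:43:18 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.1117.UNOFFICIAL FOUND
2014.02.01 22:35:24 mail5 clamd[19238]: Email.Phishing.Card-9 FOUND
2014.02.11 18:40:51 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.19 08:39:54 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.22 18:19:02 mail5 clamd[19238]: Sanesecurity.Lott.1874.UNOFFICIAL FOUND
2014.03.03 15:46:01 mail5 clamd[19238]: Sanesecurity.Scam4.1567.UNOFFICIAL FOUND
2014.03.20 22:52:32 mail5 clamd[19238]: Sanesecurity.Junk.24795.UNOFFICIAL FOUND
2014.05.01 19:01:25 mail5 clamd[19238]: ScamNailer.Phish.administrator_AT_domain.com.UNOFFICIAL FOUND
2014.05.14 18:41:24 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.05.16 08:36:28 mail5 clamd[19238]: Sanesecurity.Junk.43451.UNOFFICIAL FOUND
2014.05.30 22:36:11 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.06.17 23:12:36 mail5 clamd[19238]: Sanesecurity.Spear.info_at_it_dot_org.UNOFFICIAL FOUND
2014.06.25 01:40:45 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.14 17:01:21 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.19 02:01:59 mail5 clamd[19238]: Sanesecurity.Scam4.1570.UNOFFICIAL FOUND
2014.07.28 17:41:24 mail5 clamd[19238]: Sanesecurity.Junk.20083.UNOFFICIAL FOUND
2014.08.14 18:42:14 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.06 15:33:23 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.12 21:13:47 mail5 clamd[19238]: Sanesecurity.Phishing.Fake.20863.UNOFFICIAL FOUND
"""

if __name__ == "__main__":
    for key, value in summarize(parse_found_lines(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run on the quoted lines it reports 22 detections, 12 from .UNOFFICIAL signatures and 10 from the official database, with Phishing.Heuristics (9) and Sanesecurity.Junk (4) the largest families and a single pid, 19238, for the whole nine months. Pointing it at a real clamd log (e.g. `grep FOUND /var/log/clamav/clamd.log`) gives the same breakdown, which is the quickest way to check, as the message does, how much of what reaches ClamAV is actually malware versus junk and phishing.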
