Re: [clamav-users] False Positives - Heuristics.Phishing.Email.SpoofedDomain
Thanks Joel,

Testing confirmed the issue appears to be with the WDB/PDB databases. I'm assuming 101.0 was when they were introduced. For now I've changed my scan settings from blackhole (in use since 99.4) to Quarantine. Hopefully as I submit samples, whitelistings can get added.

Thanks again,
Ken

On 01/08/2019 02:58 PM, Joel Esler (jesler) wrote:
> Check out http://www.clamav.net/documents/miscellaneous-faq
>
> On Jan 8, 2019, at 2:43 PM, Ken Campney <bitfu...@campbus.com> wrote:
>> Emails from credit card companies I deal with have since 12/10/18 been getting flagged by Heuristics.Phishing.Email.SpoofedDomain. These include Best Buy/Citi Bank (accountsonline.com) and American Express. Sending domain and IPs have been verified.
>>
>> Upgraded to ClamAV version: 101.0 on 12/06/18.
>>
>> Is there any way to fix this?
>>
>> Thank you,
>> Ken

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] False Positives - Heuristics.Phishing.Email.SpoofedDomain
Emails from credit card companies I deal with have since 12/10/18 been getting flagged by Heuristics.Phishing.Email.SpoofedDomain. These include Best Buy/Citi Bank (accountsonline.com) and American Express. Sending domain and IPs have been verified.

Upgraded to ClamAV version: 101.0 on 12/06/18.

Is there any way to fix this?

Thank you,
Ken
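The heuristic behind these reports, as an added illustration that is not code from the thread or from the ClamAV project: ClamAV's phishing module raises Heuristics.Phishing.Email.SpoofedDomain when the hostname a link's visible text shows differs from the hostname its href really targets, which is exactly what a card issuer's click-tracking redirector looks like. A .wdb allow-list entry (format X:RealURL:DisplayedURL, both regular expressions, as documented for ClamAV signature files; the matching semantics below are a simplification of ClamAV's) suppresses one specific real/displayed pairing. The message body, the tracking host and the allow-list line are constructed for the example.

```python
"""Simplified model of the Heuristics.Phishing.Email.SpoofedDomain check.

Added example, not ClamAV's own code. The link text is compared with the
href target; a mismatch is a spoofed domain unless an X: allow-list entry
pairs the two. FuncLevelSpec (optional fourth .wdb field) is ignored.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


# Link text a reader would take for a web address: optional scheme,
# at least two dot-separated labels, optional path/query.
_DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#:].*)?$", re.I)


def displayed_hostname(text):
    """Hostname the reader sees in the link text, or None if it is not URL-like."""
    m = _DOMAINISH.match(text.strip())
    return m.group(1).lower() if m else None


def real_hostname(href):
    """Hostname the link actually points to."""
    host = urlparse(href).hostname
    return host.lower() if host else None


def parse_wdb(text):
    """Parse X:RealURL:DisplayedURL[:FuncLevelSpec] lines into compiled regex pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == "X" and len(fields) >= 3:
            entries.append((re.compile(fields[1]), re.compile(fields[2])))
    return entries


def check_message(html, allowlist):
    """Return the (href, link text) pairs that would be flagged as SpoofedDomain."""
    flagged = []
    for href, text in extract_links(html):
        shown, real = displayed_hostname(text), real_hostname(href)
        if shown is None or real is None or shown == real:
            continue  # label is not URL-like, or it matches the target: fine
        if any(r.fullmatch(href) and d.fullmatch(text) for r, d in allowlist):
            continue  # this real/displayed pairing is allow-listed
        flagged.append((href, text))
    return flagged


# Constructed allow-list: the issuer's tracked-click host may display the
# issuer's own domain as link text.
SAMPLE_WDB = r"""
# X:RealURL:DisplayedURL
X:.+\.emailtracking\.example\.net([/?].*)?:.+\.accountsonline\.com([/?].*)?
"""

# Constructed body: one legitimate tracked link, one real spoof, one plain
# link whose text and target agree, one non-URL label.
SAMPLE_HTML = """
<p>Your statement is ready: <a href="https://click.emailtracking.example.net/t?u=1">www.accountsonline.com</a></p>
<p>Verify now: <a href="http://evil.example.org/login">https://www.americanexpress.com/</a></p>
<p>Terms: <a href="https://www.example.com/terms">https://www.example.com/terms</a></p>
<p><a href="https://www.example.com/help">Click here</a> for help.</p>
"""

if __name__ == "__main__":
    for hit in check_message(SAMPLE_HTML, parse_wdb(SAMPLE_WDB)):
        print("SpoofedDomain:", hit)
```

The check that an allow-list entry is scoped narrowly enough is to run the same body with an empty list: only the issuer's tracked link should stop being flagged, while the lookalike link is still caught. Switching from Blackhole to Quarantine, as Ken did, is what keeps the samples from which such entries get built.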
Re: [Clamav-users] (no subject)
I can't believe I've been suckered into this nonsense.

> This is part of the attitude problem from many open source projects. They are (too often) run by technicians and programmers with no input from the business side.

Oh, let's not forget certain users.

> What the Clamav team did, I can't believe it would have made it through a business analyst and I can't believe that any executive would have signed off on something like that after considering the potential impact it could have on their clients. For the last 4 years or so I have had to shift my mindset from that of pure sysadmin to taking business considerations into account; it's very easy for someone who is absorbed with programming and engineering to forget that IT is there to support business and that business is not there to support IT. This is something that I personally have struggled hard with, it can be difficult for a 'geek' to move in that direction.

You're giving yourself too much credit. Let's look at this (yet again), shall we? People (and you) are upset because they (not me, not them, not the clamav dev team) decided to ignore the notifications and warnings and their (and your) out-of-date and E-O-L'd AV stopped working. On top of this, due to MTA configuration choices made by some of these same people, when their AV died, so did their mail system. So it must be somebody's fault other than the person(s) in charge of the configuration and maintenance of these boxes that fault tolerance was not taken into consideration? Who set up the mail system to die if clam-av was not available? Not the Clam dev team.

> So many OSS projects do not view their users as clients or customers; they view them either as experimental subjects or as fellow experimenters. They only take the technical considerations into account and largely ignore potential impact on business.

Business impact was caused by the person(s) maintaining and configuring the systems that tears are being spilled over.

Speaking of impact, what would the impact be if certain affected customers should find out that the reason for the service interruption they experienced was because their service provider couldn't be bothered to take notice of EOL warnings and properly update their Anti-Virus?

> This is true both of the Clamav developers and of those people who didn't take precautions against potential problems such as the Clamav developers introduced. (And make no mistake; a problem was *created* by the Clamav team, a problem that did not exist prior to the changes they made.)

There is no problem. If you want to run an EOL version of ClamAV all you have to do (I believe) is stop running freshclam. The obvious issue with this is that you will no longer be receiving virus updates. If you want to receive virus updates, then UPDATE your version to the current and functional version. But no, you expect ClamAV to do what no other company would do: keep the old supported and fork the new version so both can be run. Perhaps all the fuss is because your dist is also out of date, and not capable of supporting or compiling the new version? This too can be fixed by upgrading either your dist or components. (Hint: the latter only requires sources and the knowledge to use a compiler.) Like I'm sure Microsoft would support an EOL'd OS past its DOD (Date of Death). It's just not going to happen. And on the business side, it doesn't make business sense for them to do so. This isn't a vendor problem.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] (no subject)
Sh. They've simmered down, I don't need the issue stirred up again.

Spiro Harvey wrote:
> Shame you haven't talked to others - like havp for example - before doing this.

The announcement to EOL the old releases was made at the start of October last year. If people using clam as an integral part of their software don't read announcements, what fault is that of the clam developers? They had 6 months to sort it out.
Re: [Clamav-users] (no subject)
Yup, that's me, though in all honesty the comment was supposed to read "They've simmered down, I don't think the issue needs stirring up again". Proofreading is a wonderful thing when not practiced in moderation :\

And you run the risk of being called the most arrogant and ignorant person on the Internet...

Oh my
Re: [Clamav-users] Capturing message header data
G.W. Haywood wrote:
> Hi there,
>
> On Tue, 24 Nov 2009 Ken Campney wrote:
>> What I'm trying to do is log message virus statistics either to a database or log file ...
>
> Grab syslog-ng, it can do anything you need of that nature.
>
>> I can't use the maillog because the destination isn't logged
>
> Er, what MTA are you using? I don't know of one that can't log what you need.

The MTA is Sendmail, and mail logging works just fine except for messages where an infection is found. I'm thinking the logging issue is due to clamav-milter, which is why I'm posting to this list.

Running cat /var/log/maillog | grep Infected I get:

  Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)

Running cat /var/log/maillog | grep nAOAg8uf022365 I get:

  Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: from=u...@somedomain.com, size=27436, class=0, nrcpts=1, msgid=de.8c.15584.978bb...@prs, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=somedomain.net [xxx.xxx.xx.xxx]
  Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
  Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
  Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data, discard
  Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded

clamav-milter.log has:

  Message from u...@somedomain.com to JoeK infected by Phishing.Heuristics.Email.SSL-Spoof

As you can see there is no destination logged when an infection is processed. My guess is this is because it's not being delivered, which would explain why the clamav-milter.log has the intended local delivery address. Unfortunately I'm needing the Envelope Recipient.

Ken

> --
> 73,
> Ged.

--
---
Campney Business Solutions
http://www.campney.net
Phone: (585)663-5616 [9am-5pm M-F EST]
Email: supp...@campney.net
       serv...@campney.net
---
Re: [Clamav-users] Capturing message header data
lists wrote:
> On Tue, 2009-11-24 at 08:06 -0500, Ken Campney wrote:
>> As you can see there is no destination logged when an infection is processed. My guess is this is because it's not being delivered, which would explain why the clamav-milter.log has the intended local delivery address. Unfortunately I'm needing the Envelope Recipient.
>
> That's unlucky. Using Postfix with the clam-av milter it obliges with:
>
>   Nov 23 08:41:02 inbound/cleanup[15078]: 305E0AD108: milter-reject: END-OF-MESSAGE from 93-41-51-175.ip80.fastwebnet.it[93.41.51.175]: 5.7.1 Virus Found; from=alighting...@rancon.com to=@com proto=ESMTP helo=93-41-51-175.ip80.fastwebnet.it
>
> All that is missing is the year :-) {trivial to add}

Annoying is more like it, heh.

Actually, using the OnInfected setting of Reject rather than Blackhole or Quarantine does provide the envelope recipient (to=@...com) in the maillog (though clamav-milter.log still records local names regardless). The missing information in maillog now definitely appears to be directly related to using Blackhole or Quarantine. Bug??

Ken
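The gap Ken describes, as an added example (mine, not code from the thread or from the ClamAV project): correlate the Sendmail maillog with clamav-milter.log on the queue ID and see what each log can and cannot supply. The five infected-message lines and the clamav-milter.log line are the ones quoted above; the clean message and its to= line are constructed in Sendmail's usual from=/to= log format so the join has a delivered message to compare with. When the milter discards (Blackhole/Quarantine) the MTA never reaches delivery and never writes a to= line, so envelope_to comes back None and only the alias-resolved local name from clamav-milter.log survives.

```python
"""Correlate Sendmail maillog entries with clamav-milter.log by queue ID.

Added example, not code from the thread or from ClamAV. The first five
maillog lines and the milter-log line are the ones quoted in the thread
(addresses redacted as they were there); the remaining maillog lines are
constructed. Sendmail's to= line format is assumed from its standard logging.
"""
import re
from collections import defaultdict

MAILLOG = """\
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: from=u...@somedomain.com, size=27436, class=0, nrcpts=1,msgid=de.8c.15584.978bb...@prs, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=somedomain.net [xxx.xxx.xx.xxx]
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Scanned: clamav-milter 0.95.3 at myserver
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter add: header: X-Virus-Status: Infected (Phishing.Heuristics.Email.SSL-Spoof)
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: Milter: data, discard
Nov 24 05:42:09 myserver sm-mta[22365]: nAOAg8uf022365: discarded
Nov 24 05:43:10 myserver sm-mta[22370]: nAOAhAbc022370: from=<alice@example.org>, size=1200, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Nov 24 05:43:10 myserver sm-mta[22370]: nAOAhAbc022370: Milter add: header: X-Virus-Status: Clean
Nov 24 05:43:11 myserver sm-mta[22371]: nAOAhAbc022370: to=<joek@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31200, dsn=2.0.0, stat=Sent
"""

MILTER_LOG = """\
Message from u...@somedomain.com to JoeK infected by Phishing.Heuristics.Email.SSL-Spoof
"""

SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sm-mta\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
MILTER = re.compile(r"^Message from (?P<from>\S+) to (?P<to>\S+) infected by (?P<virus>\S+)$")


def parse_maillog(text):
    """Group per-queue-ID facts: sender, relay, virus status, milter action, recipients."""
    msgs = defaultdict(lambda: {"from": None, "relay": None, "status": None, "action": None, "to": []})
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        rec, rest = msgs[m["qid"]], m["rest"]
        sender = re.search(r"\bfrom=<?([^,>\s]+)", rest)
        status = re.search(r"X-Virus-Status: (.+)$", rest)
        rcpt = re.search(r"\bto=<?([^,>\s]+)", rest)
        if sender:
            rec["from"] = sender.group(1)
            relay = re.search(r"\brelay=(\S+(?: \[[^\]]+\])?)", rest)
            rec["relay"] = relay.group(1) if relay else None
        elif status:
            rec["status"] = status.group(1)
        elif rest.startswith("Milter: "):
            rec["action"] = rest.split(", ", 1)[-1]  # "Milter: data, discard" -> "discard"
        elif rcpt:
            rec["to"].append(rcpt.group(1))  # only written once delivery is attempted
    return dict(msgs)


def parse_milter_log(text):
    """clamav-milter.log: (sender, virus) -> the local delivery name it recorded."""
    local = {}
    for line in text.splitlines():
        m = MILTER.match(line)
        if m:
            local[(m["from"], m["virus"])] = m["to"]
    return local


def infection_records(maillog, milter_log):
    """One record per infected message, joined across both logs."""
    local = parse_milter_log(milter_log)
    records = []
    for qid, rec in parse_maillog(maillog).items():
        if not (rec["status"] or "").startswith("Infected"):
            continue
        paren = re.search(r"\((.+)\)", rec["status"])
        virus = paren.group(1) if paren else rec["status"]
        records.append({
            "qid": qid,
            "from": rec["from"],
            "relay": rec["relay"],
            "virus": virus,
            "action": rec["action"],
            # None when the milter discarded before delivery: the gap the thread is about
            "envelope_to": rec["to"] or None,
            # The alias-resolved name clamav-milter logged, if any
            "local_to": local.get((rec["from"], virus)),
        })
    return records


if __name__ == "__main__":
    for record in infection_records(MAILLOG, MILTER_LOG):
        print(record)
```

Run against a maillog from a Reject configuration, where Ken reports that a to= field does reach the maillog, the same parser fills envelope_to; the (from, virus) join to clamav-milter.log is a fallback, not a key, since two infected messages from one sender with the same detection collide on it.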
[Clamav-users] Capturing message header data
I've got an issue I'm trying to resolve and to be honest I'm at a loss.

What I'm trying to do is log message virus statistics either to a database or log file to be parsed for inclusion into a database. The information we are interested in is the detected malware/virus, and the destination email address (envelope recipient).

Using Clamav-milter (0.95.3) I've noticed that when a virus is found the destination address is resolved to the local user or forward destination via (more than likely) the virtusertable. I can't use the maillog because the destination isn't logged.

So my question is this. Is it possible to get clamav to log the envelope recipient? If not, is the message data accessible after clamav detects a virus for further processing (to capture virus name and other desired information through script or other)? If so, what is the best method/mechanism for achieving this?

Any insight is greatly appreciated.

Ken