Re: [Clamav-users] APER
> Hope I haven't missed this one being discussed... but ...
> Has anyone turned this into a regularly updated set of ClamAV signatures?

Hi,

Firstly, spear.ndb is generated from the APER feed and has been for a while now: http://sanesecurity.co.uk/databases.htm

Secondly, I've two more databases coming online soon based on their feeds... watch this space, as they say ;)

Cheers,
Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] APER
At 7:02 AM -0700 10/22/09, John Rudd wrote:
> Hope I haven't missed this one being discussed... but ...
>
> APER is a project hosted at Google Code (Anti-Phishing Email Reply) that tracks From, Reply-to, and Body URLs that match known phishing attacks. There are a few examples for how to use it ... but I was wondering:
>
> Has anyone turned this into a regularly updated set of ClamAV signatures?
>
> I've been tasked with implementing it, and I'd love to be able to just plug it into my existing regiment of ClamAV signatures (I currently use MBL, MSRBL, and some (but not all) of the signatures hosted at Sane Security).
>
> John

Steve (sane security) was in the process of implementing at least a subset.

I have to ask however. You mentioned it contains phish urls as well. I have not been able to find that. However, we track phish urls/domains in winnow_phish_complete.ndb

Tom
Re: [Clamav-users] APER
Check out Julian Field's ScamNailer: http://www.scamnailer.info/

18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour!

Cheers,
Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of John Rudd
Sent: 22 October 2009 15:03
To: ClamAV users ML
Subject: [Clamav-users] APER

Hope I haven't missed this one being discussed... but ...

APER is a project hosted at Google Code (Anti-Phishing Email Reply) that tracks From, Reply-to, and Body URLs that match known phishing attacks. There are a few examples for how to use it ... but I was wondering:

Has anyone turned this into a regularly updated set of ClamAV signatures?

I've been tasked with implementing it, and I'd love to be able to just plug it into my existing regiment of ClamAV signatures (I currently use MBL, MSRBL, and some (but not all) of the signatures hosted at Sane Security).
Re: [Clamav-users] APER
> Check out Julian Field's ScamNailer: http://www.scamnailer.info/
>
> 18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour!
>
> Cheers,
> Phil

While I have a lot of respect for Julian's work (I used to use mailscanner), and it's great to see more anti-phishing resources ... I don't see anything in the descriptions that says it's based on APER.
Re: [Clamav-users] APER
> I have to ask however. You mentioned it contains phish urls as well. I have not been able to find that. However, we track phish urls/domains in winnow_phish_complete.ndb
>
> Tom

When you download their distribution, you get 4 files:

phishing_cleared_addresses
phishing_from_addresses
phishing_links
phishing_reply_addresses

The file phishing_links is what I was referring to.
Re: [Clamav-users] APER
> Firstly, spear.ndb is generated from the APER feed and has been for a while now: http://sanesecurity.co.uk/databases.htm

I didn't realize spear.ndb includes APER. That's great news (as we already use spear.ndb) ... looks like implementing APER is pretty straightforward (and low effort) for me :-)

Is spear using all 3 parts (from, reply, and links)? Just want to be sure, when our director asks.

> Secondly, I've two more databases coming online soon based on their feeds... watch this space, as they say ;)

Great! I look forward to hearing more :-)

> Cheers,
> Steve
> Sanesecurity

Thanks!
Re: [Clamav-users] APER
> Check out Julian Field's ScamNailer: http://www.scamnailer.info/
>
> 18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour!

Ok, that's the database that I'm in the process of distributing, after discussions with Julian/Tony Finch regarding the .ndb format.

I'm also sorting out the phishing_links feed too, it'll no doubt be called spearl.ndb at a guess but again, not ready yet.

Few bits to sort out yet, once done you'll be able to sync from the Sanesecurity mirrors.

Cheers,
Steve
Sanesecurity
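An added example, not written by anyone in this thread and not how spear.ndb or scamnailer.ndb are actually built: one way a list of phishing reply addresses could be turned into ClamAV .ndb body signatures restricted to mail files (target type 4). The feed layout (address, type codes, date, comma-separated), the signature name prefix and the sample addresses are assumptions constructed for illustration.

```python
import re

# Constructed sample. Assumed layout per line: address,type-codes,date
SAMPLE_FEED = """\
# constructed entries, not real feed data
helpdesk.upgrade@example.com,A,20091020
Webmail.Team@example.net,AB,20091021
not-an-address,A,20091021
x@y.io,A,20091021
helpdesk.upgrade@example.com,A,20091022
"""

ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MIN_LEN = 10  # short patterns are more likely to match unrelated mail


def parse_feed(text):
    """Return unique, syntactically valid addresses in first-seen order."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr = line.split(",", 1)[0].strip()
        if len(addr) < MIN_LEN or not ADDR_RE.match(addr) or addr in seen:
            continue
        seen.add(addr)
        out.append(addr)
    return out


def to_ndb(addresses, prefix="Example.Phish.Reply"):
    """Emit one extended-signature line per address.

    Field order: Name:TargetType:Offset:HexSignature
    Target type 4 limits matching to mail files; offset * means anywhere.
    The hex string is matched byte for byte, so case variants do not match.
    """
    return [f"{prefix}.{n}:4:*:{addr.encode('ascii').hex()}"
            for n, addr in enumerate(addresses, 1)]


if __name__ == "__main__":
    for sig in to_ndb(parse_feed(SAMPLE_FEED)):
        print(sig)
```

Because the match is on raw bytes anywhere in the message, generated signatures should be scanned against a corpus of legitimate mail before they are deployed.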