Re: [Clamav-users] APER

2009-10-22 Thread Steve Basford
 Hope I haven't missed this one being discussed... but ...

 Has anyone turned this into a regularly updated set of ClamAV signatures?

Hi,

Firstly, spear.ndb is generated from the APER feed and has been for a while now:

http://sanesecurity.co.uk/databases.htm

Secondly, I've two more databases coming online soon based on their
feeds... watch this space, as they say ;)

Cheers,

Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] APER

2009-10-22 Thread Tom Shaw

At 7:02 AM -0700 10/22/09, John Rudd wrote:

Hope I haven't missed this one being discussed... but ...

APER is a project hosted at Google Code (Anti-Phishing Email Reply)
that tracks From, Reply-to, and Body URLs that match known phishing
attacks.  There are a few examples for how to use it ... but I was
wondering:

Has anyone turned this into a regularly updated set of ClamAV signatures?

I've been tasked with implementing it, and I'd love to be able to just
plug it into my existing regimen of ClamAV signatures (I currently
use MBL, MSRBL, and some (but not all) of the signatures hosted at
Sane Security).


John

Steve (sane security) was in the process of implementing at least a subset.

I have to ask however. You mentioned it contains phish urls as well. 
I have not been able to find that. However, we track phish 
urls/domains in winnow_phish_complete.ndb


Tom


Re: [Clamav-users] APER

2009-10-22 Thread Randal, Phil
Check out Julian Field's ScamNailer:

http://www.scamnailer.info/

18/10/2009 - New scamnailer.ndb ClamAV signature database is now
available from http://www.mailscanner.eu/scamnailer.ndb. This is updated
very frequently. Do not download it more than once per hour!

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire  Herefordshire Council  | Deputy Chief Executive's
Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.

-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of John Rudd
Sent: 22 October 2009 15:03
To: ClamAV users ML
Subject: [Clamav-users] APER

Hope I haven't missed this one being discussed... but ...

APER is a project hosted at Google Code (Anti-Phishing Email Reply) that
tracks From, Reply-to, and Body URLs that match known phishing attacks.
There are a few examples for how to use it ... but I was
wondering:

Has anyone turned this into a regularly updated set of ClamAV
signatures?

I've been tasked with implementing it, and I'd love to be able to just
plug it into my existing regimen of ClamAV signatures (I currently use
MBL, MSRBL, and some (but not all) of the signatures hosted at Sane
Security).


Re: [Clamav-users] APER

2009-10-22 Thread John Rudd
Check out Julian Field's ScamNailer:

http://www.scamnailer.info/

18/10/2009 - New scamnailer.ndb ClamAV signature database is now
available from http://www.mailscanner.eu/scamnailer.ndb. This is updated
very frequently. Do not download it more than once per hour!

Cheers,

Phil

While I have a lot of respect for Julian's work (I used to use
mailscanner), and it's great to see more anti-phishing resources ... I
don't see anything in the descriptions that says it's based on APER.


Re: [Clamav-users] APER

2009-10-22 Thread John Rudd
I have to ask however. You mentioned it contains phish urls as well.
I have not been able to find that. However, we track phish
urls/domains in winnow_phish_complete.ndb

Tom

When you download their distribution, you get 4 files:

phishing_cleared_addresses
phishing_from_addresses
phishing_links
phishing_reply_addresses


The file phishing_links is what I was referring to.


Re: [Clamav-users] APER

2009-10-22 Thread John Rudd
Firstly, spear.ndb is generated from the APER feed and has been for a while now:

http://sanesecurity.co.uk/databases.htm

I didn't realize spear.ndb includes APER.  That's great news (as we
already use spear.ndb) ... looks like implementing APER is pretty
straightforward (and low effort) for me :-)

Is spear using all 3 parts (from, reply, and links)?  Just want to be
sure, when our director asks.

Secondly, I've two more databases coming online soon based on their
feeds... watch this space, as they say ;)

Great!  I look forward to hearing more :-)

Cheers,

Steve
Sanesecurity


Thanks!


Re: [Clamav-users] APER

2009-10-22 Thread Steve Basford
 Check out Julian Field's ScamNailer:

 http://www.scamnailer.info/

 18/10/2009 - New scamnailer.ndb ClamAV signature database is now
 available from http://www.mailscanner.eu/scamnailer.ndb. This is updated
 very frequently. Do not download it more than once per hour!

Ok, that's the database that I'm in the process of distributing, after
discussions with Julian/Tony Finch regarding the .ndb format.

I'm also sorting out the phishing_links feed too, it'll no doubt be called
spearl.ndb at a guess but again, not ready yet.

Few bits to sort out yet, once done you'll be able to sync from the
Sanesecurity mirrors.

Cheers,

Steve
Sanesecurity
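
Added example, not code from Sanesecurity, ScamNailer or the APER project: a sketch of the conversion this thread discusses, turning an APER-style address list into ClamAV .ndb lines (Name:TargetType:Offset:HexSignature, target type 4 = mail) while honouring the cleared-addresses file. The input line layout, the signature-name prefix and the sample addresses are assumptions constructed for illustration.

```python
import re

# Assumed line layout: address,type-codes,YYYYMMDD ('#' starts a comment).
ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")

# Constructed sample data, not taken from any real feed.
SAMPLE_REPLY = """\
# constructed sample
Alice.Helpdesk@example.com,A,20091001
webmail-upgrade@example.net,AB,20091015
not-an-address,A,20091015
alice.helpdesk@example.com,A,20091020
"""
SAMPLE_CLEARED = "webmail-upgrade@example.net,A,20091018\n"


def parse_addresses(text):
    """Return unique, lower-cased, well-formed addresses in file order."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr = line.split(",", 1)[0].strip().lower()
        # Reject malformed entries so a bad feed line cannot become a
        # short, false-positive-prone signature.
        if ADDR_RE.match(addr) and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def to_ndb(addresses, cleared=(), prefix="Example.Aper.Reply"):
    """Build .ndb lines; 'prefix' is a hypothetical naming scheme."""
    skip = set(cleared)
    lines = []
    for addr in addresses:
        if addr in skip:  # address was cleared upstream, emit nothing
            continue
        # Hex signatures match bytes exactly, so this matches the
        # lower-cased form of the address only.
        hexsig = addr.encode("ascii").hex()
        lines.append(f"{prefix}.{len(lines) + 1}:4:*:{hexsig}")
    return lines


if __name__ == "__main__":
    cleared = parse_addresses(SAMPLE_CLEARED)
    print("\n".join(to_ndb(parse_addresses(SAMPLE_REPLY), cleared)))
```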

