Hi all,
since ClamAV reached v0.80, I am using it to scan and reject e-mail
messages. Today I noticed that ClamAV also detects phishing attacks.
Phishing is pure social engineering and poses no threat whatsoever in a
technical sense.
How can I configure ClamAV not to try to detect phishing and
Matt [EMAIL PROTECTED] wrote:
Julian Mehnle wrote:
How can I configure ClamAV not to try to detect phishing and other
social engineering attacks?
Why? Your prerogative, obviously, but I am just curious.
For three reasons:
1. I consider filtering technically harmful messages for my users
John Jolet [EMAIL PROTECTED] wrote:
On the issue of manually reviewing the mails to submit, isn't this the
purpose of the quarantine directory? When it detects a phishing
malware, look at the file in the quarantine directory.
I also don't believe in quarantine directories, which have to be
BitFuzzy [EMAIL PROTECTED] wrote:
So blocking [social engineering attacks] can only be seen as a good
thing.
I disagree, and I already explained why.
I don't even request that ClamAV completely stop detecting such stuff, I
just request that I have the option of disabling it.
John Jolet [EMAIL PROTECTED] wrote:
On Sunday 14 November 2004 9:17 am, Julian Mehnle wrote:
[...] I outright reject unwanted messages during the SMTP transaction,
so the sender gets notified. [...]
I would agree with that practice, except in this day and age of spoofed
addresses
(although that would be better, see below):
I wrote:
Tomasz Kojm [EMAIL PROTECTED] wrote:
Julian Mehnle [EMAIL PROTECTED] wrote:
How can I configure ClamAV not to try to detect phishing and other
social engineering attacks?
Modify your mail scanner to pass HTML.Phishing.* through.
Yes, I
Matt [EMAIL PROTECTED] wrote:
Trog wrote:
I'm not trying to scare you away, I really don't care what you do.
I've told you how you can easily do what you want, using ClamAV.
As Trog has already mentioned, you can simply remove the phishing
signatures from the database. This is not
Steve Brown [EMAIL PROTECTED] wrote:
Julian Mehnle wrote:
http://julian.io.link-m.de/misc/rejected-messages
Very nice. What did you use to create that?
I am using Courier as my MTA and the self developed, Perl-based
Courier::Filter for rejecting messages. I wrote a logger module for
Courier
Graham Toal [EMAIL PROTECTED] wrote:
Haven't you had any privacy issues from your users yet? Maybe a real
mail wrongly filed, with a subject line and a from address which gave
away something they'd rather was not public?
The public table is just a static snapshot I took and anonymized before
Tomasz Kojm [EMAIL PROTECTED] wrote:
Julian Mehnle [EMAIL PROTECTED] wrote:
Thanks, but the point of my question was that I wanted to know whether
there are more social engineering signatures in the database than
just phishing ones.
Yes, there are. E.g. HTML.Mydoom.email-gen-1 and others
Brian Morrison [EMAIL PROTECTED] wrote:
Julian Mehnle [EMAIL PROTECTED] wrote:
You're trying to kid me, right? I'm not going to be scared away just
because you wish to take a fundamentalist position that ClamAV should
_not_ offer an option to ignore social engineering attacks even
though
Matt [EMAIL PROTECTED] wrote:
The problem is that, as yourself and others have mentioned, the
distinction between the different categories is dependent upon personal
interpretation. What one classes as social engineering, someone else may
class as, for example, malware. Even though they can
Brian Morrison [EMAIL PROTECTED] wrote:
What I am suggesting is that, because you appear to have a requirement
that is significantly different from nearly everyone else that has
responded in this thread,
(I don't think you're judging the proportions correctly.)
you are in the best position
Trog [EMAIL PROTECTED] wrote:
What you don't seem to understand is that the distinction between
technical attacks and social engineering attacks is irrelevant, because
that's not what *any* anti-virus product has as a requirement.
So now you're declaring _my_ requirements irrelevant. I'm not
Brian Morrison [EMAIL PROTECTED] wrote:
Julian Mehnle [EMAIL PROTECTED] wrote:
Trog [EMAIL PROTECTED] wrote:
Please give a full definition of Spam and Malware/Viruses that do
not intersect, and will never intersect for all future Spam and
Malware such that we can be sure we know what
Chris Meadors [EMAIL PROTECTED] wrote:
How about an e-mail that contains a link that takes one to a webpage
that exploits the web browser to install a program that will intercept
the account information the next time the actual site is visited?
That's social engineering.
I know some of you
Daniel J McDonald [EMAIL PROTECTED] wrote:
On Mon, 2004-11-15 at 18:00 +0100, Julian Mehnle wrote:
What I don't understand is that no one seems to be willing to discuss
my proposal of making the signature database modular, i.e. offer
social engineering attack signatures separately from
Dennis Skinner [EMAIL PROTECTED] wrote:
Julian Mehnle wrote:
technical := affecting the technical systems involved in storing
and transporting the data items subject to being scanned by ClamAV.
technical threat := (go figure...)
Would that include viruses that require action on the part
Hanford, Seth [EMAIL PROTECTED] wrote:
I agree with Julian that Clam does not seem the logical solution to Spam
messages.
Please note that I have never talked about ClamAV unwantedly detecting
_spam_. I just talked about social engineering in general and about
phishing in particular.
Dennis Skinner [EMAIL PROTECTED] wrote:
Julian Mehnle wrote:
Counter question: What do the following have in common: 1. tricking a
user into clicking a link that takes him to a virus, and 2. tricking a
user into clicking a link that takes him to a web page that tricks him
into clicking
Ken Jones [EMAIL PROTECTED] wrote:
Knowing two friends that have responded to phishing emails and what it
took afterwards to correct the problem... they would beg you to
remove the possibility of this threat.
Bit Fuzzy [EMAIL PROTECTED] wrote:
I'm sorry, but I personally know 7 people who
Matt [EMAIL PROTECTED] wrote:
Thanks, but the point of my question was that I wanted to know
whether there are more social engineering signatures in the
database than just phishing ones.
Getting back to the somewhat original question, if you download the
signatures.pdf from the
Phil Endecott [EMAIL PROTECTED] wrote:
I am contemplating adding clam scanning to a web application. Files
that users upload via a web form will be scanned before being stored in
a database. The application is written in C and called by CGI from
Apache.
[...]
Has anyone written [a clamd
Dennis Duffner [EMAIL PROTECTED] wrote:
Phil,
Mailwasher is reporting your domain as a spammer. I think that may be
erroneous. You may wish to contact SpamCop.com and find out how that
happened.
I guess you mean spamcop.NET http://www.spamcop.net. spamcop.com is
some weird knock-off I
Tomasz Kojm wrote:
Brian Morrison wrote:
Is this part of the work in progress or have the html docs been
forgotten this time round? They are in the CVS tree.
There were technical problems with generating new html documentation. It
will be included in 0.81, though.
The HTML docs are
Sunet Sysadmin wrote:
We have a courier mail server. Running with Courier::Filter with
modules ClamAV (unix socket), SA and SPF. Everything works good. But all
of a sudden I get this error.
submit: Transport endpoint is not connected
Nov 5 04:03:55 jupiter courieresmtpd:
Jason Frisvold [EMAIL PROTECTED] wrote:
If this trojan were to be widespread, then RBL's could become virtually
non-effective. Or, the RBL's could start putting legitimate hosts in
the list.
There is no such thing as a legitimate host. There are only hosts that
send spam and viruses, and
Odhiambo Washington [EMAIL PROTECTED] wrote:
* Julian Mehnle [EMAIL PROTECTED] [20050208 06:02] wrote:
12345678901234567890123456789012345678901234567890123456789012345678901234
This is what I am doing:
http://julian.io.link-m.de/misc/rejected-messages
(The dynamic functionality doesn't
Trog wrote:
You can't send multiple commands. You *must* follow the following
sequence:
send: SESSION
pause
send: SCAN /my/file
read reply
send: SCAN /my/file2
read reply
What's pause supposed to mean?
Trog wrote:
On Mon, 2005-03-07 at 13:08 +0100, Julian Mehnle wrote:
Trog wrote:
You can't send multiple commands. You *must* follow the following
sequence:
send: SESSION
pause
send: SCAN /my/file
read reply
send: SCAN /my/file2
read reply
What's pause supposed
Trog wrote:
Robert Stampfli wrote:
My question: Does the ClamAV team want examples of these
phishing emails submitted to them through their
http://cgi.clamav.net/sendvirus.cgi interface?
You can submit them via the web interface.
Can I submit my spam, too? It is bad, so it should be
Trog wrote:
Julian Mehnle wrote:
Trog wrote:
Robert Stampfli wrote:
My question: Does the ClamAV team want examples of these
phishing emails submitted to them through their
http://cgi.clamav.net/sendvirus.cgi interface?
You can submit them via the web interface.
Can I
Matthew van Eerde wrote:
Sounds like a feature request to me... can we have a user.cvd file
(in addition to main.cvd and daily.cvd)
Probably more like: can we have 'technical-threats.cvd' and
'non-technical-threats.cvd' instead of 'main.cvd'?
Matt Fretwell wrote:
Julian Mehnle wrote:
Brian Morrison wrote:
You don't give up do you? ;-)
Not until someone convincingly explains to me why my request for a
practical option to distinguish between technical and non-technical
threats (i.e. exploitation of technical flaws
Brian Morrison wrote:
Julian Mehnle wrote:
Probably more like: can we have 'technical-threats.cvd' and
'non-technical-threats.cvd' instead of 'main.cvd'?
You don't give up do you? ;-)
Not until someone convincingly explains to me why my request for a
practical option to distinguish between
Tomasz Kojm wrote:
Julian Mehnle wrote:
| I absolutely concur. Considering that exactly _no one_ here demanded
| that ClamAV abandon its capacity for detecting phishing attacks,
| little yellow rubber ducks in PNG images, or whatever else, the uproar
| is truly ludicrous. What was actually
Dennis Peterson wrote:
Julian Mehnle said:
Well, that is certainly a nice prospect! Thanks a lot for not
ignoring my request.
That was pretty hard to do.
Yeah, people here keep telling me that, though they're not exactly
communicative about why that is. All I've read is _I_ don't need
Samuel Benzaquen wrote:
I think the problem is simple math: Finite number of devs with finite
time. They have to use it in what they think will be more productive
for the majority of us.
Hey, I'd accept that for a reason, even though I haven't been the only one
who found the feature request
BitFuzzy [EMAIL PROTECTED] wrote:
The difference between what's being detected as phishing attempts is
that they are crafted to make you believe you are at
http://www.your-bank.com, ebay.com, paypal.com, etc. They are in most
cases very convincing, thus not only the foolish can fall prey. (I
Matthew van Eerde wrote:
Julian Mehnle wrote:
The way to combat phishing is to employ sender authentication methods
such as SPF, DomainKeys, and public-key message cryptography.
This is unfortunately debatable. SPF, DomainKeys, cryptography,
SenderID, etc. can only work on info
Daniel J McDonald wrote:
Julian Mehnle wrote:
Matthew van Eerde wrote:
Nothing stops people from registering a domain like
onlinebanking.example and then sending out - perfectly legitimately
- from [EMAIL PROTECTED]
Still the sender is not @citibank.com.
But I could form
Brian Morrison wrote:
Joanna Roman wrote:
Can phishing be considered one kind of spam ?
When 0.90 is available it will allow you to decide whether to filter on
different types of content, until then please don't get this list going
on the "phishing is not spam!" discussion.
sarcasm Are you
Bill Taroli wrote:
Steffen Winther Soerensen wrote:
This seems more like a discussion for another mailing list or a Usenet
group on MTAs/SMTP IMHO
I don't disagree... are there any good ones for SPF or similar debates?
You're welcome to discuss things related to SPF on spf-discuss:
Bill Taroli wrote:
Eric Wheeler wrote:
[...] For email transfer and MTA's alike, putting SPF in DNS to help
authenticate the source is a step in the right direction. If SPF is
a good idea, and it is dns based, then so should forward-and-back
lookups.
I totally agree that some solution
Tomasz Kojm wrote:
Michel Arboi wrote:
I was about to ask how I can help the project. I will not. I think that
you don't need bad people.
Good bye.
You're a troll. Go away!
A tendency to ridicule people who even just remotely insinuate that not
everything about ClamAV is perfect can
Tomasz Kojm wrote:
Julian Mehnle wrote:
Tomasz Kojm wrote:
Michel Arboi wrote:
[ omitted:
Clamav does not even catch half of the worms that are currently in
the wild. Most of them are dangerous IRC bots.
]
I was about to ask how I can help the project. I will not. I think
Daniel J McDonald wrote:
Near the end of April, there were 32936 signatures. There are currently
34720 signatures, or an increase of 1784. Sounds like it is about 10%
signal / 90% noise.
No. A single signature can match multiple instances of malware. In fact,
the more instances a
Dennis Peterson wrote:
The ClamAV source distribution includes a contrib tree that contains
some perl code that allows you to connect to a Unix socket (or a tcp
socket). With a little bit of coding it would be easy to re-use that to
create an interactive CLI for your daemon. My testing in
Ronny Nussbaum wrote:
Forgive my ignorance, but I only know how to install Perl modules with
perl -MCPAN -e shell, then typing install module name.
Once I do that, how can I use the module that you wrote?
Should they be accessible from a script? or are they themselves already
scripts?
They
Thomas Cameron wrote:
Try adding this to the startup script for ClamAV:
export LANG=C
Perhaps it would be better to set LC_ALL=C instead?
LC_ALL overrides all the other locale variables (it has the highest
priority), LANG doesn't (lowest priority).
[EMAIL PROTECTED] wrote:
I've got clam running as a daemon. I can open a socket to port 3310 and
send commands and it responds. I've done two things to ensure it's
working correctly. First if I send it a PING it responds with PONG,
second if I send a SCAN {filename} to the port, it responds to
Daniel Tiefnig wrote:
ClamAV wrote:
Dear ClamAV user,
The following submissions have been processed and published:
- 504853
The submission was a PayPal e-mail that was falsely classified as
Email.Phishing.Pay-10. Now, it is still identified as Phish. What should
I do now? Submit it
52 matches