MSRBL (as it's no longer being updated)
And here's the answer from the actual project:
http://msrbl.blogspot.com/2010/01/msrbl-status-update-as-some-of-you-have.html
It's amazing what information you get when you actually talk to people.
removes MSRBL (as it's no longer being updated)
Did they declare themselves to be defunct, or are you declaring it for
them (without any actual announcement from them)?
Do you have any indication that MSRBL is still alive and that the
signature databases are being actively updated?
What do
Then you don't have a clue and are obviously not qualified to make a
judgment call on this matter.
They used to routinely have some signatures that would go weeks, even
months, without updates. I used to look at their signatures and see
that they were a month or two old ... and a few months
Most recent update from them was 3 months ago.
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
-rw-r--r-- 244643 2009/07/27 01:21:23 MSRBL-SPAM.ndb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
-rw-r--r-- 181337 2009/07/24 03:40:17 MSRBL-Images.hdb
rsync
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-FULL-SoN.hdb
-rw-r--r-- 19030813 2009/10/07 15:50:05 MSRBL-Images-FULL-SoN.hdb
Only the clueless would use that database.
Which is irrelevant to the point. The point isn't is it a
reasonable/accurate/etc. database, the point is it
removes MSRBL (as it's no longer being updated)
Did they declare themselves to be defunct, or are you declaring it for
them (without any actual announcement from them)?
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
Hope I haven't missed this one being discussed... but ...
APER is a project hosted at Google Code (Anti-Phishing Email Reply)
that tracks From, Reply-to, and Body URLs that match known phishing
attacks. There are a few examples for how to use it ... but I was
wondering:
Has anyone turned this
Check out Julian Field's ScamNailer:
http://www.scamnailer.info/
18/10/2009 - New scamnailer.ndb ClamAV signature database is now
available from http://www.mailscanner.eu/scamnailer.ndb. This is updated
very frequently. Do not download it more than once per hour!
Cheers,
Phil
While I have a
I have to ask however. You mentioned it contains phish urls as well.
I have not been able to find that. However, we track phish
urls/domains in winnow_phish_complete.ndb
Tom
When you download their distribution, you get 4 files:
phishing_cleared_addresses
phishing_from_addresses
phishing_links
Firstly, spear.ndb generated from the APER feed and has been for a while now:
http://sanesecurity.co.uk/databases.htm
I didn't realize spear.ndb includes APER. That's great news (as we
already use spear.ndb) ... looks like implementing APER is pretty
straightforward (and low effort) for me :-)
(sorry if this has come up and I missed it)
Apparently, the later/latest versions of Power Point actually write
out zip files that are merely named .ppt (or something like that).
Internally, it's apparently representing the slides and images as
sub-files within the zip archive. This means that
On Wed, Mar 18, 2009 at 05:55, Dennis Peterson denni...@inetnw.com wrote:
Moray Henderson (ICT) wrote:
From: Török Edwin [mailto:edwinto...@gmail.com]
Try using a href=... for the URL.
Is that a requirement? If so we should get the spammers on board because
some of
them may not know this
I think that was the point Dennis and I were making, with varying
degrees of subtlety and manners. :-)
On Wed, Dec 10, 2008 at 11:10, Jim Preston [EMAIL PROTECTED] wrote:
Derek sed with a straight face:
# Of course not. The arrogance of certain # dysfunctional clowns on this #
list is
On Mon, Dec 8, 2008 at 19:25, Derek Currie [EMAIL PROTECTED] wrote:
This list is incredible. Rudeness deluxe. Forgettable.
I don't suppose you've considered that you're the common element in
all of that. Probably not. Easier to blame the list (that had
extremely few problems with rudeness
Tomasz Kojm wrote:
On Thu, 16 Oct 2008 17:41:50 -0700
John Rudd [EMAIL PROTECTED] wrote:
Do you have any thoughts about how we can get the stats to you, so that
you can use them, without bypassing our mechanism for ensuring
consistent and safe updating of our virus signatures?
You
Tomasz Kojm wrote:
Freshclam also submits information about detections with 3rd party signatures.
We only have one host in our environment that does freshclam (or any of
the other virus signature update mechanisms). It verifies the validity
of the data (makes sure nothing will die as a
Jerry wrote:
It is not the operating systems job to stop the user from shooting
himself in the foot, but rather to deliver the bullet as
efficiently and expeditiously as possible.
If that were true, we wouldn't have things like protected memory, chroot
jails, etc. in our operating systems,
Bowie Bailey wrote:
However, doesn't this already exist with the upgrade notes? Take a look
here:
https://wiki.clamav.net/Main/UpgradeNotes093
I don't know if they are this detailed on all of the releases (the notes
for 0.94 don't say much), but this looks like exactly what John was
Dennis Peterson wrote:
With the tools we have available to us today there is no reason a failed
process should remain a secret.
Which does not explain the push-back on having the
applications/services/daemons provide better documentation and triggers
for helping that effort, instead of
At the very least, when the config file and options change, the ClamAV
team should post a notice which explicitly lists (and only lists):
1) new config items
2) removed config items
3) config items whose syntax, semantics, or options changed, and how
4) supported but deprecated items, and what,
Jerry wrote:
The sad part is that they will continue to blame others for their
lackadaisical approach.
So, let me attempt to summarize your side of this here (and do correct
me if my summary is wrong, as I'm not trying to build a strawman argument).
You're justifying the laziness of the
Jerry wrote:
On Sat, 04 Oct 2008 14:04:22 -0700
John Rudd [EMAIL PROTECTED] wrote:
Jerry wrote:
The sad part is that they will continue to blame others for their
lackadaisical approach.
So, let me attempt to summarize your side of this here (and do correct
me if my summary is wrong
Eric Rostetter wrote:
Quoting John Rudd [EMAIL PROTECTED]:
Tilman Schmidt wrote:
So why am I dissecting that list like this? Just to show that blocking
or not blocking certain unusual characters in mail addresses is indeed a
policy decision which should not be forced by a piece of software
this helps.
Frank
John Rudd wrote:
Oh, and, while we're on the subject, what about 0.88.6? is that
version
vulnerable? (don't tell me to upgrade -- I haven't been able to get
newer versions to compile on Mac OS X 10.4.x)
Frank John, I've used ./configure --enable-experimental CFLAGS=-O0
Dave Warren wrote:
In message [EMAIL PROTECTED] Stephen Gran
[EMAIL PROTECTED] wrote:
On Mon, Apr 14, 2008 at 05:22:56PM +0200, Bas van Rooijen said:
postfix would accept all three forms even
and why not ??
I assume you haven't looked at sendmail's security record.
I, for one, have
Nigel Horne wrote:
Roberto Ullfig wrote:
Nigel Horne wrote:
A vulnerability was identified by Secunia in 0.92.1 relating to the
PE module.
We immediately disabled this module about a month ago. Since then we
have been
working on, and produced, a fix which is included in 0.93. 0.93 is
John Rudd wrote:
Nigel Horne wrote:
Roberto Ullfig wrote:
Nigel Horne wrote:
A vulnerability was identified by Secunia in 0.92.1 relating to the
PE module.
We immediately disabled this module about a month ago. Since then we
have been
working on, and produced, a fix which is included
Tilman Schmidt wrote:
So why am I dissecting that list like this? Just to show that blocking
or not blocking certain unusual characters in mail addresses is indeed a
policy decision which should not be forced by a piece of software, but at
most offered as a configurable option.
Absolutely
Török Edwin wrote:
[EMAIL PROTECTED] wrote:
Bas van Rooijen wrote:
Thanks for the replies so far;
however please note I already know the problem is ClamAV (hence I'm writing
to this list..)
Is there anyone who can answer my actual questions?
Comment out the check in the source
David F. Skoll wrote:
Stephen Gran wrote:
I assume you haven't looked at sendmail's security record. This has
been a pretty standard thing to do for a long time, and with even more
characters than the milter currently uses.
That may be true, but filtering suspicious recipient addresses
rick pim wrote:
Dennis Peterson writes:
But we know from the volumes of spam and viruses now approaching
if not exceeding 90% that you are the exception, not the norm.
spam yes, viruses. not so much. our experience has been that
email-borne viruses are way, way down: yesterday's
Dennis Peterson wrote:
And to follow up on the earlier
point about Windows systems not being the sole source of spam/virus
distribution,
The idea that any platform (windows, unix/linux, etc.) attached to the
net cannot be subverted into being a spam/virus zombie is, at best,
naive. And
Joe Sloan wrote:
John Rudd wrote:
Dennis Peterson wrote:
And to follow up on the earlier
point about Windows systems not being the sole source of spam/virus
distribution,
The idea that any platform (windows, unix/linux, etc.) attached to the
net cannot be subverted into being a spam
Joe Sloan wrote:
John Rudd wrote:
Joe Sloan wrote:
John Rudd wrote:
Dennis Peterson wrote:
And to follow up on the earlier
point about Windows systems not being the sole source of spam/virus
distribution,
The idea that any platform (windows, unix/linux, etc.) attached to the
net
Gerard wrote:
... is totally
unacceptable in any well organized business environment.
well organized business environment??
Is that like a frictionless surface? or an ideal gas?
Randal, Phil wrote:
[EMAIL PROTECTED] wrote:
There is an article on eWeek.com today concerning instability in AV
software due to the impossibility of adequately testing updates when
releasing them as quickly as they are needed
Luis Miguel R. wrote:
On Monday, 24 December 2007 at 10:55:51AM, Dennis Peterson wrote:
Paul Kosinski wrote:
In December 2006, we were running ClamAV 0.88.7, and there were still
a fair number of real viruses being detected in inbound email. Now
running 0.91.2 and 0.92, there seem
I'll throw in some cash toward legal fees in pursuing the case. Let me
know if it comes up, how much you need from general user contributions,
and I'll see what I can contribute. Hopefully others feel the same.
Stan Cunningham wrote:
Hi,
I'd like to inform you that Xandros has been
G.W. Haywood wrote:
Please either make a
positive contribution or find another list on which to make trouble.
He IS trying to make a positive contribution. He's trying to establish
a best practice that fits for any production environment where the
sysadmins care about their quality of
rick pim wrote:
who on earth upgrades
from one beta to another and uses the same configfile???
Who on earth uses clamav in a way that requires a config file!? how
barbaric!
Any solution which only solves this problem via config file and/or
command line switches is an unacceptable solution.
Gerard Seibert wrote:
On Monday November 12, 2007 at 01:29:41 (PM) David F. Skoll wrote:
A request: When replying to an e-mail, please change the subject if it
no longer reflects the thread topic. I've been eagerly awaiting word
on my complaints about PhishingScanURLs from Clam developers
David F. Skoll wrote:
Really? All posters on this thread who gave an opinion wanted
PhishingScanURLs off by default. I invite users who want
PhishingScanURLs to be on by default to come forward; I'll happily go
with the majority decision.
If I have to choose between on vs off, then I go
Tilman Schmidt wrote:
(Remember the viruses ClamAV checks for
are *Windows* viruses. A unixoid OS doesn't run ClamAV for its own
protection but for the protection of Windows clients.)
OpenOffice isn't vulnerable to Office Macro viruses?
(I honestly don't know, just asking)
Daniel T. Staal wrote:
On Tue, October 30, 2007 10:15 am, David F. Skoll said:
(Our customers, in fact, always run ClamAV in conjunction with an
anti-spam scanner, so it's no benefit to them to have Clam try to do
anti-spam.)
I usually find it a detriment: ClamAV is nowhere _near_ as good
David F. Skoll wrote:
Hello,
A client of ours had a bunch of machines whose CPUs were maxed out
at 100% because of clam. Changing PhishingScanURLs to no from the
default yes dropped the load average from 70+ to about 3, and the
CPU usage from 100% to under 50%. This is under Linux, so
John Rudd wrote:
I can produce 2 examples of messages that cause the problem, in RFC822
format, for anyone who wants to experiment with them.
I decided I'd just go ahead and make them available:
http://people.ucsc.edu/~jrudd/ClamAV/318642.mbox
http://people.ucsc.edu/~jrudd/ClamAV/318715
Steve Holdoway wrote:
On Mon, 29 Oct 2007 19:25:14 -0700
Dennis Peterson [EMAIL PROTECTED] wrote:
I don't see where Linux is unique in this regard. I also don't see why the
success of
Linux is particularly important vs BSD, Solaris, Windows, etc. But I suppose
that
discussion is for
Rob MacGregor wrote:
On 10/14/07, Aniruddha [EMAIL PROTECTED] wrote:
Thanks for the answers, does anyone know this for sure?
Quoting the ClamAV home page:
...designed especially for e-mail scanning on mail gateways.
So no, it's not designed to detect rootkits.
Though, it might be
Gerard wrote:
Has anyone other than me been having problems downloading the Malware
signature files for the past 24 hours?
http://www.malware.com.br/cgi/submit?action=list_clamav
I'm getting the errors too, both on my home machines and my work machines.
Steve Holdoway wrote:
I think that you're falling into the all too common trap that sysadmin
work is really tedious, so the top priority is to use the solution that
takes the minimum time to implement, regardless of its inherent quality.
I reckon that package management is *NOT* the
Graeme Nichols wrote:
Anyone any ideas please?
Build and install from source?
http://lurker.clamav.net/list/clamav-users.html
(to the developers, not in answer to Burnie)
See, the current name scheme needs to be fixed. And no one responded at
all to my proposed scheme from a month or two ago.
Burnie wrote:
Just a bit curious - what classification is this signature?
I can't find this naming scheme mentioned
Andy Fiddaman wrote:
On Wed, 12 Sep 2007, Karsten Bräckelmann wrote:
; On Wed, 2007-09-12 at 07:28 -0700, John Rudd wrote:
; (to the developers, not in answer to Burnie)
;
; See, the current name scheme needs to be fixed. And no one responded at
; all to my proposed scheme from
Dennis Peterson wrote:
Karsten Bräckelmann wrote:
On Wed, 2007-09-12 at 07:28 -0700, John Rudd wrote:
(to the developers, not in answer to Burnie)
See, the current name scheme needs to be fixed. And no one responded at
all to my proposed scheme from a month or two ago.
Coincidentally, my
Kelson wrote:
John Rudd wrote:
But, without a coherent and explicit name convention, the rules for
doing so would be so complex as to not be worth the effort in writing
them. In some cases, it's even ambiguous as to which of the above
categories a given message falls
Did something happen to the MBL signature source? yesterday my
automated script got all errors for the download content, and today it's
complaining about it not existing.
Is it as simple as the URL changing? or did it go away entirely?
Is anyone seeing a surge in clamd loads today? Or has everyone upgraded
from 0.88.6 and 0.91.2 doesn't have the problem anymore?
Sergei Lavrov wrote:
people will stop contributing signatures, right ?
Or they'll start contributing more to the 3rd party signature databases,
instead (MSRBL, MBL, SaneSecurity, etc.).
If the engine is free, but the signatures aren't, you don't need to go
to Sourcefire for your
It has a dangerous (lack of) value for CL_SCAN_STDOPT. You're better
off not upgrading until they fix it.
(filed as bug 631, but it's nothing new: CL_SCAN_STDOPT still doesn't
include CL_SCAN_PHISHING_DOMAINLIST; that omission can cause crashing
and hanging on certain platforms ... the
Tilman Schmidt wrote:
John Rudd wrote:
(filed as bug 631, but it's nothing new: CL_SCAN_STDOPT still doesn't
include CL_SCAN_PHISHING_DOMAINLIST; that omission can cause crashing
and hanging on certain platforms ... the clamav team already knows about
this problem, and they even enable
James Kosin wrote:
Tomasz Kojm wrote:
Ed Kasky wrote:
Tomasz Kojm wrote:
lead the advancement of ClamAV and the CVD as employees of Sourcefire.
Both the ClamAV engine and the signature database will remain under GPL.
Until they start charging for current updates, etc. like they do with
Mike Guiterman wrote:
Q. When will Sourcefire begin to integrate ClamAV technology into its
products?
A. Sourcefire intends to offer support and training services to ClamAV
users beginning in Q4 2007. We anticipate offering products based on
ClamAV as a part of our Enterprise Threat
Scott Beck wrote:
Hi,
Another note on this issue. Someone just reported that without the
CL_SCAN_PHISHING_DOMAINLIST option set they are seeing libclamav hang.
Please consider adding this to CL_SCAN_STDOPT or remove the option and
turn it on internally always or reverse the option and have
Identifying the exact nature of a signature, just from the name, is a
major pain. Especially when you throw in the 3rd party signatures. The
location in the signature name of the authority it came from varies from
group to group (and isn't present in the ClamAV signatures at all).
Whether
Jeff Thurston wrote:
Jeff Thurston wrote:
I thought ClamAV was able to catch these Greeting Cards from family
member, our domain keeps getting these emails in large quantities even
after upgrading to ClamAV 0.90.3 recently.
Do I need to upgrade again to .91?? I'm hesitant to do this so soon
Christopher Checca wrote:
I will be on vacation until July 30, 2007.
Think his house is unoccupied? Maybe we can throw a party ...
From past discussion on this list, it was discussed how easy it would
be to throw together a script to check validity before putting a message
into production. But I don't recall anyone ever actually offering up
their script. Earlier today, someone had posted something to the
SpamAssassin
Noel Jones wrote:
At 12:59 PM 7/12/2007, John Rudd wrote:
From past discussion on this list, it was discussed how easy it would
be to throw together a script to check validity before putting a message
into production. But I don't recall anyone ever actually offering up
their script
Noel Jones wrote:
At 02:02 PM 7/12/2007, John Rudd wrote:
Such scripts have
been posted frequently and several good ones are available from
http://sanesecurity.co.uk/clamav/usage.htm
I saw the supporting material on sanesecurity's downloads page, but it
looked like it was almost all windows
Jan-Pieter Cornet wrote:
On Mon, Jun 18, 2007 at 09:39:23AM -0400, Christopher X. Candreva wrote:
On Mon, 18 Jun 2007, Peter Boosten wrote:
I had some problems running clamd on one of the machines a long time
ago, and with mimedefang running clamscan is the second option (which
had worked
Henrik Krohns wrote:
On Mon, Jun 18, 2007 at 10:45:30PM -0500, Eric Rostetter wrote:
if you have sufficient system resources, and are willing to
tolerate slow delivery times (up to 4 minutes on my system, with clamscan
on 0.90.3 for example).
I'm just amazed by all the nitpicking in this
As more users upgrade from 0.8 to 0.9, this problem will disappear with
future updates. Version 0.9 only transfers the difference between CVDs
instead of the files in full.
Which isn't going to happen, at least for me, until 0.9 runs on mac os x
10.3.9.
Right now, it won't compile.
Dennis Peterson wrote:
You need to have better monitoring and notification, and a mail system
that delivers mail even if there is a fatal error in the AV tool. This
is hardly a ClamAV problem.
Depends on what your goals are.
For me, a reliable email system does not just mean mail gets
Dennis Peterson wrote:
John Rudd wrote:
Dennis Peterson wrote:
You need to have better monitoring and notification, and a mail system
that delivers mail even if there is a fatal error in the AV tool. This
is hardly a ClamAV problem.
Depends on what your goals are.
For me, a reliable
Randal, Phil wrote:
Does clamav have any certificate of any labs like www.icsalabs.com?
And how does that make it a better product, exactly?
Who said anything about a better product?
Certification doesn't indicate a better product. It indicates either
that someone has shown that it has
Dana Kashubeck wrote:
I am not able to compile the latest stable version on Mac OS X Server
10.3. There are a few different warnings here and there, most of them
are shown while compiling unrar.c:
...
The compile ends with:
/usr/bin/libtool: no library created (no object files in input
Tomasz Kojm wrote:
On Wed, 21 Feb 2007 12:16:02 -0500 (EST)
Daniel T. Staal [EMAIL PROTECTED] wrote:
Dear clamassassin users,
There is a compatibility problem when using clamassassin 1.2.3 with
the new ClamAV 0.90 release. The new ClamAV release has changed some of
the command line
Dennis Peterson wrote:
Erez Epstein wrote:
Hello,
I see that about every month, there is new version,
what does one do when it has about 30 servers, that need to be updated?
is there an automatic way?
all servers have compiled versions of clamav.
I use Cfengine. All updates happen within
Dennis Peterson wrote:
John Rudd wrote:
Dennis Peterson wrote:
Erez Epstein wrote:
Hello,
I see that about every month, there is new version,
what does one do when it has about 30 servers, that need to be updated?
is there an automatic way?
all servers have compiled versions of clamav.
I
Dennis Peterson wrote:
Any tool anyone can suggest comes with the
implication that some local effort is going to be required. Nobody has
yet written the magic.sh script that can run autonomously, scan your
network, and decide on its own what needs to be done.
Sticking to talking about a
Fajar A. Nugraha wrote:
John Rudd wrote:
And, I'm happy to _write_ such a beast.
Very good!
I'm not just requesting it from someone else. I'm just saying, that's
what the OP's request brings to my mind. The main thing that keeps me
from writing it is: that lack of a -current copy
Christopher X. Candreva wrote:
On Sat, 30 Dec 2006, Sander Holthaus wrote:
There is no point in using a malformed database and could even spell
disaster. (Imagine it starts generating FP's en masse, which could be
a side effect of a corrupted database).
Having clam die spells disaster.
Sander Holthaus wrote:
A tempfail is not a disaster in most scenarios. You may not be able to
receive mail until it is fixed, but you still get the mail after it is
fixed.
I think that attitude works fine in trivially small email environments.
I don't think it works at all in environments
Sander Holthaus wrote:
John Rudd wrote:
Sander Holthaus wrote:
A tempfail is not a disaster in most scenarios. You may not be
able to receive mail until it is fixed, but you still get the
mail after it is fixed.
I think that attitude works fine
Dave Warren wrote:
In message [EMAIL PROTECTED] John Rudd [EMAIL PROTECTED] wrote:
Sander Holthaus wrote:
A tempfail is not a disaster in most scenarios. You may not be able to
receive mail until it is fixed, but you still get the mail after it is
fixed.
I think that attitude works fine
Sander Holthaus wrote:
Dennis Peterson wrote:
This is a very naive or at least uninformed position to take on the
monetary significance of email.
The issue is that email never was designed to be used in that
particular fashion.
No offense, but Dennis is right. You're being naive.
Per Jessen wrote:
Dennis Peterson wrote:
And as an old school Unix admin who still believes in the mentoring
responsibility of my position, I will make recommendations from time
to time regarding best practices and I recommend if you run freshclam
as a daemon that you monitor it and restart
Fajar A. Nugraha wrote:
Dennis Peterson wrote:
Fajar A. Nugraha wrote:
Database objects can include blobs (binary large objects). These can
be files including executables, documents, other databases. They can
have viruses. In some instances the blob in an internal representation
and can be
James Kosin wrote:
Like Dennis said Bringing it all together is what the admin is for.
I disagree. There are some things which are the admin's job, but they
are not the catch-all for all unresolved burdens (bringing it all
together).
Pardon my lecture, but let's review the root of our
tBB wrote:
I'm sorry for the probably arrogant and insulting tone but you're
literally asking for it.
Perhaps he is asking for it, but he's also right.
Dennis Peterson wrote:
My not-so-automated update process looks like this:
wget (link to current clamav-XXX.tar.gz)
tar xzf clamav-XXX.tar.gz
cd clamav-XXX
configure --disable-zlib-vcheck
make
su
make install
service clamav restart
service freshclam restart
You would be wise to uninstall the
Dennis Peterson wrote:
Bowie,
The obvious observation that while this might work for you it's not a
general solution, so now everyone needs to create a script.
F'chrissake... It is trivial to do this. Less than 10 minutes, start
to stop. I wrote the script I use 3 years and it took just
93 matches