Re: [clamav-users] MailFollowUrl alternative?

2017-04-02 Thread G.W. Haywood

Hi there,

On Sun, 2 Apr 2017, Matus UHLAR wrote:
> On 31.03.17 19:51, Steve Basford wrote:
>> It did a curl on any urls found in the body ...
>
> among other things, it provided spammers evidence their mail was read.


Yes, almost the last thing you want to do is give some scrote feedback
that he has a genuine address that might even accept mail if he keeps
trying for long enough.

I say 'almost' because apart from verifying for some criminal that he
has a genuine address to sell, scanning URLs in mail is rather begging
to participate in a DOS attack on some innocent bystander - presumably
you don't want to do that.  If you intend to follow URLs to the ends
of the Earth, try to be intelligent about it and be prepared to invest
considerable resources into the activity.

There are much, much better ways of dealing with dodgy messages with
unknown URLs in them.  For example most of them come from the country
codes we blacklist, so they're very easy to spot.  Here's the list at
the moment, suggestions for new candidates are welcome:

AE AL AM AO AP AR AT AU AZ BA BD BE BG BH BJ BO BR BW BY CI CL CM CN
CO CR CV CZ DK DO DZ EC EE EG ES ET FI GA GE GH GR GT HN HR HT HU ID
IL IN IQ IR IS IT JM JO JP KE KG KH KR KW KZ LA LB LK LT LV LY MA MD
ME MK ML MN MQ MR MU MV MX MY MZ NG NO PA PE PH PK PL PR PS QA RO RS
RU RW SA SC SD SE SG SK SN SV TG TH TJ TL TN TR TT TW TZ UA UY VE VN
ZA ZM

Anything in that list automatically gets the '550' treatment until the
sender can persuade us to whitelist him.

At the moment we're seeing of the order of ten thousand attempts per
month to send us suspicious messages.  This is down by a factor of
about fifteen since we moved to an IPv6-only primary mail exchanger
last November.  In 2017 we've averaged accepting about three of them.

Really irritating.

--

73,
Ged.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
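
Added example (not part of the original thread, and not ClamAV code): one way to inspect the URLs in a message without fetching them, so the sender gets no evidence that the mail was read and no third-party site receives traffic. The blocklist entries, the sample message and the function names are constructed for illustration.

```python
import html
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"bad.example", "malware.test"}  # constructed local list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Constructed sample message; the HTML part is quoted-printable encoded.
SAMPLE = """\
From: sender@example.org
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See http://files.bad.example/invoice.zip?id=42. Logo: http://ok.example/p.gif
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<a href=3D"https://cdn.malware.test/doc?a=3D1&amp;b=3D2">invoice</a>
--b1--
"""

def extract_urls(raw_message):
    """Return http(s) URLs from every text part, decoded but never fetched."""
    msg = message_from_string(raw_message, policy=default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes base64 / quoted-printable
        if part.get_content_subtype() == "html":
            body = html.unescape(body)  # &amp; -> & inside href values
        found.update(u.rstrip(".,);]") for u in URL_RE.findall(body))
    return found

def blocked_hosts(raw_message, blocklist=BLOCKED_DOMAINS):
    """Hosts in the message that equal, or are subdomains of, a blocked domain."""
    hits = set()
    for url in extract_urls(raw_message):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority such as an unclosed "["
            continue
        labels = host.split(".")
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            hits.add(host)
    return hits
```

Matching is done on whole DNS labels, so notbad.example does not match a bad.example entry.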


Re: [clamav-users] MailFollowUrl alternative?

2017-04-01 Thread Matus UHLAR - fantomas

> On 31 March 2017 19:14:36 Steven Morgan wrote:
>> It is not clear what MailFollowURL did. Have a look at
>> docs/phishsigs_howto.pdf for a description of how to scan for URLs. This
>> may have subsumed MailFollowURL.

On 31.03.17 19:51, Steve Basford wrote:
> It did a curl on any urls found in the body and fetched the
> content... before scanning the content... bit of a summary here...
>
> https://lists.gt.net/clamav/users/22230

among other things, it provided spammers evidence their mail was read.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Mauro Celli

Some ransomware sends an email with a link to download a zip with an Excel or
Word document with a macro.
This macro downloads other code and encrypts files on the PC.
I need to scan all possible downloaded files for my customers...
The macro signature is present in the ClamAV unofficial signatures, but I need
ClamAV to download and scan all URLs in email.
phishsigs is not for me, I need MailFollowURL.
Thanks


On 31 Mar 2017 8:14 PM, Steven Morgan wrote:
> Mauro,
>
> It is not clear what MailFollowURL did. Have a look at
> docs/phishsigs_howto.pdf for a description of how to scan for URLs. This
> may have subsumed MailFollowURL.
>
> Steve
>
> On Fri, Mar 31, 2017 at 12:34 PM, Mauro Celli wrote:
>
>> Hi,
>> I need to scan links in email; in the past I used MailFollowUrl, but now it is
>> deprecated.
>> Is there an alternative to make this test?
>> Thanks


Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Steve Basford

On 31 March 2017 19:14:36 Steven Morgan wrote:

> Mauro,
>
> It is not clear what MailFollowURL did. Have a look at
> docs/phishsigs_howto.pdf for a description of how to scan for URLs. This
> may have subsumed MailFollowURL.

It did a curl on any urls found in the body and fetched the content...
before scanning the content... bit of a summary here...

https://lists.gt.net/clamav/users/22230

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Steven Morgan

Mauro,

It is not clear what MailFollowURL did. Have a look at
docs/phishsigs_howto.pdf for a description of how to scan for URLs. This
may have subsumed MailFollowURL.

Steve

On Fri, Mar 31, 2017 at 12:34 PM, Mauro Celli 
wrote:

> Hi,
> I need to scan links in email; in the past I used MailFollowUrl, but now it is
> deprecated.
> Is there an alternative to make this test?
> Thanks