The idea is that there are additional clamd definitions one can use to scan for spam such as the MSRBL definitions ( http://www.msrbl.com/site/ ) and the SaneSecurity definitions ( http://www.sanesecurity.co.uk/clamav/ ) that have been discussed here earlier.
These definitions allow one to use clamd to scan for spam in a definitions-based manner. They pick up spam (pharm, oem, etc.), scams (lotto, 419, phishing, job offer, loan, mortgage), image spam, pdf spam, and various others. They are highly effective and carry very little risk of false positives due to the strict definition-based nature of the detection. Here are a few log snippets to show what I mean:

Jul-29-07 17:09:04 [VIRUS] ... virus detected 'Email.Img.Gen115.Sanesecurity.07061400'
Jul-29-07 18:15:50 [VIRUS] ... virus detected 'Html.Phishing.Bank.Rockv2Gen49.Sanesecurity.07072700'
Jul-30-07 16:42:01 [VIRUS] ... virus detected 'Html.Loan.Gen102.Sanesecurity.07072600'
Jul-30-07 13:51:44 [VIRUS] ... virus detected 'Email.Malware.Sanesecurity.07070300'
Jul-28-07 13:47:00 [VIRUS] ... virus detected 'Email.Stk.Gen592.Sanesecurity.07071801.pdf'
Jul-28-07 17:05:10 [VIRUS] ... virus detected 'Email.Spam.Gen275.Sanesecurity.07030600'
Jul-29-07 04:42:04 [VIRUS] ... virus detected 'MSRBL-SPAM.Meds.2336'
Jul-29-07 13:04:49 [VIRUS] ... virus detected 'Html.Phishing.Auction.Gen011.Sanesecurity.06020103'

And regular viruses look like this:

Jul-25-07 03:39:47 ... Trojan.Downloader-11827

I'm actually having a really hard time finding actual viruses in my logs. Looking through my logs, I find that the spam caught by clamd far, far outweighs the real viruses caught by clamd. Numbers like 1000:1 come to mind.

The use of virus scoring with regexes would allow one to score the email/html "viruses" differently from the trojan/worm/flooder/backdoor/etc. real viruses. Perhaps even coming to the point of scoring "Email.Img" differently from "Html.Phishing". It's all the same to me, though. I'm fine with a virus hit being blocked outright because the definitions are rather foolproof and so far have not resulted in any false positives for me.

I hope that covered everything.
Micheal Espinola Jr wrote:
> David wrote:
>
>> I think the request for virus scoring comes not to score executable
>> binary viruses, but to score the wide variety of non-virus items now
>>
>
> I don't understand the concept of virus scoring for non-virus items.
> Please elaborate.

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
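Added example, not code from the post or from ASSP itself: a small Python script that pulls the signature name out of clamd log lines like the ones David quotes and scores it by regex-matched family, so that Sanesecurity and MSRBL spam signatures get a lower score than a real trojan/worm hit. The score values, the SCORE_TABLE patterns and the SAMPLE_LOG lines are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample clamd log lines, modelled on the format quoted in the post.
SAMPLE_LOG = """\
Jul-29-07 17:09:04 [VIRUS] ... virus detected 'Email.Img.Gen115.Sanesecurity.07061400'
Jul-29-07 18:15:50 [VIRUS] ... virus detected 'Html.Phishing.Bank.Rockv2Gen49.Sanesecurity.07072700'
Jul-30-07 16:42:01 [VIRUS] ... virus detected 'Html.Loan.Gen102.Sanesecurity.07072600'
Jul-29-07 04:42:04 [VIRUS] ... virus detected 'MSRBL-SPAM.Meds.2336'
Jul-25-07 03:39:47 [VIRUS] ... virus detected 'Trojan.Downloader-11827'
"""

# Ordered (regex, score) table; the first match wins, so the more specific
# families (Email.Img, Html.Phishing) come before the catch-all spam patterns.
# The scores are hypothetical values chosen only to show the ranking idea.
SCORE_TABLE: List[Tuple[re.Pattern, int]] = [
    (re.compile(r"^Html\.Phishing\."), 40),
    (re.compile(r"^Email\.Img\."), 25),
    (re.compile(r"^(Email|Html)\..*\.Sanesecurity\."), 30),
    (re.compile(r"^MSRBL-SPAM\."), 30),
]
REAL_VIRUS_SCORE = 100  # anything not matched above is treated as actual malware

DETECT_RE = re.compile(r"virus detected '([^']+)'")


def extract_signature(line: str) -> Optional[str]:
    """Return the quoted signature name from a clamd detection line, or None."""
    m = DETECT_RE.search(line)
    return m.group(1) if m else None


def score_signature(sig: str) -> int:
    """Map a signature name to a score; unmatched names count as real viruses."""
    for pattern, score in SCORE_TABLE:
        if pattern.search(sig):
            return score
    return REAL_VIRUS_SCORE


def score_log(text: str) -> Dict[str, int]:
    """Return {signature: score} for every detection line in the log text."""
    result: Dict[str, int] = {}
    for line in text.splitlines():
        sig = extract_signature(line)
        if sig is not None:
            result[sig] = score_signature(sig)
    return result


if __name__ == "__main__":
    for sig, score in score_log(SAMPLE_LOG).items():
        print(f"{score:3d}  {sig}")
```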
