G.W. Haywood wrote:
> Hi there,
> 
> On Tue, 25 Dec 2007 Paul Kosinski wrote:
> 
>> In December 2006, we were running ClamAV 0.88.7, and there were still
>> a fair number of "real" viruses being detected in inbound email. Now
>> running 0.91.2 and 0.92, there seem to be only phishing attempts, and
>> not even very many of them. In fact it seems that our log file shows
>> almost as many (hourly) signature update messages as phish detections
>> (much less "real" virus detections).
>>
>> Have other ClamAV users experienced a similar decline in email
>> attacks?
> 
> If you're thinking that perhaps the later versions of ClamAV are less
> effective at finding viruses, I don't think that's the case at all but
> I don't have any evidence.  I've been running ClamAV for a couple of
> years and I'm running ClamAV version 0.92 at present.
> 
> Our firewall rules are updated by scripts which are fed from the mail
> and web server logs.  IP addresses which fail certain tests and/or
> which attempt to send suspicious email or HTTP requests are added to
> the block lists automatically.  The block can be temporary, but it is
> usually permanent.  It may be for connections to port 25 only or it may
> be for all connections, depending on the offending traffic.
> 
> Some facts:
> 
> 1. Some of our email addresses have been published on the Internet,
>    either on mailing lists or on the Web, for more than a decade.
> 
> 2. Daily, I see between a few thousand and a few tens of thousands of
>    attempts to send email that nobody would want.  As you can see the
>    volume fluctuates wildly but there are definite patterns:
>    http://www.jubileegroup.co.uk/JOS/misc/port25.gif
> 
> 3. As I write, we're blocking about 36,000 networks - mostly /24.
>    The majority of these are dynamic IP ranges used by ISP customers.
> 
> 4. We run no Windows machines.
> 
> 5. I very rarely see an email virus, but I do see a steady trickle of
>    phishing emails and a few malware types, mostly casino advertising.
>    Almost all are weeded out (with practically no false positives) by
>    the Sanesecurity database.  For example, in December so far, out of
>    about 154,000 attempts to send mail that we don't want I have seen
>    18 phishing emails get as far as being scanned (and rejected) by
>    ClamAV, and two casino advertisements actually reached an inbox.
>    No viruses were seen, but I'd be very surprised if no attempts had
>    been made to send any.  Most of the attempts to send mail are made
>    by compromised Windows boxes (http://lcamtuf.coredump.cx/p0f.shtml).
> 
> These facts might be related or they might not.  I hope they'll be
> of use to someone.
> 
> --

I also have another idea - I use a number of SME Servers (aka e-smith),
which all use ClamAV to scan incoming emails.  Up to (and including)
version 6 I got plenty of hits from ClamAV.  As I upgraded to version
7, the ClamAV hits subsided to only phishing emails being detected.  My
explanation of this is that Version 7 contains qpsmtpd, which "validates"
the SMTP protocol and rejects anything which is non-standard, whereas
previous versions (broadly) accepted everything, then relied on
SpamAssassin and ClamAV to weed out the baddies.  So, my proposition is
that the SMTP engines for the "older" viruses may have been "simplified"
and therefore are not acceptable to the very strict qpsmtpd.  I upgraded
the server in mid-December and it was seeing 30-40 (real) viruses a day.
Overnight it no longer logs any ClamAV hits (but rejects a hell of a
lot of "illegal" email).  Does that make sense?


Cheers

Brian

Reliable, secure and affordable Office servers using Open Source software
see: http://www.network-office-servers.co.uk
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
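As an added illustration of the strict protocol validation Brian attributes to qpsmtpd, here is a small Python model of a receiving MTA that rejects out-of-order or malformed SMTP command sequences before any message body reaches the content scanner. This is example code written for this page, not qpsmtpd's or ClamAV's own logic; the transition table, the address regexes and the sample sessions are constructed assumptions.

```python
"""Toy model of strict SMTP command-sequence validation (RFC 5321 ordering).
Added example, not qpsmtpd's real plugin logic; rules and sample sessions
are constructed for illustration."""
import re

# Allowed transitions: current state -> {command verb: next state}
_TRANSITIONS = {
    "connected": {"HELO": "greeted", "EHLO": "greeted"},
    "greeted":   {"MAIL": "mail", "HELO": "greeted", "EHLO": "greeted", "RSET": "greeted"},
    "mail":      {"RCPT": "rcpt", "RSET": "greeted"},
    "rcpt":      {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted"},
}
_ALWAYS = {"NOOP", "QUIT"}  # legal in any state

# Strict forms: no space before "<", brackets mandatory (assumed policy)
_MAIL_RE = re.compile(r"^MAIL FROM:<[^<>\s]*>(\s+\S+)*$", re.IGNORECASE)
_RCPT_RE = re.compile(r"^RCPT TO:<[^<>\s]+>(\s+\S+)*$", re.IGNORECASE)

def validate_session(lines):
    """Return (accepted, reason) for the client command lines as received
    (line terminators included), in order up to and including DATA."""
    state = "connected"
    for raw in lines:
        if not raw.endswith("\r\n"):  # bare LF: non-standard client
            return False, "line not terminated by CRLF"
        line = raw[:-2]
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in _ALWAYS:
            if verb == "QUIT":
                break
            continue
        nxt = _TRANSITIONS.get(state, {}).get(verb)
        if nxt is None:
            return False, f"{verb or '<empty>'} not allowed in state {state}"
        if verb == "MAIL" and not _MAIL_RE.match(line):
            return False, "malformed MAIL FROM"
        if verb == "RCPT" and not _RCPT_RE.match(line):
            return False, "malformed RCPT TO"
        state = nxt
        if state == "data":
            return True, "message body accepted for scanning"
    return False, "session ended before DATA"

# Constructed sessions: a conformant client, a "simplified" engine that skips
# the greeting, and one that uses bare LF line endings.
CONFORMANT = ["EHLO mx.example.net\r\n", "MAIL FROM:<alice@example.net>\r\n",
              "RCPT TO:<bob@example.org>\r\n", "DATA\r\n"]
NO_GREETING = ["MAIL FROM:<spam@example.net>\r\n", "RCPT TO:<bob@example.org>\r\n", "DATA\r\n"]
BARE_LF = ["HELO x\n", "MAIL FROM:<spam@example.net>\n", "RCPT TO:<bob@example.org>\n", "DATA\n"]
```

Only sessions that reach DATA would ever hand a body to ClamAV, which is why a stricter front end can make detection counts fall without the scanner itself changing.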