Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Tue, 16 Nov 2004 01:31:22 +0100 in [EMAIL PROTECTED] Julian Mehnle [EMAIL PROTECTED] wrote:

> If people require machines as desperately as that to prevent themselves from falling for fraud attempts, humanity is truly doomed.

It always has been. Never mind the quality, feel the *width*.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] Procmail Entry
Hi,

Versions: Clam 0.80, Clamassassin 1.2.1

I have installed ClamAssassin with Sendmail. Is there any way by which we can come to know if the virus was found in the body of the message or in an attachment? I ask this because, if the virus is in an attachment, we need to just delete the attachment and not the body of the message, and vice versa.

Also, can anybody help me with a recipe which would just delete the attachment and not the body of the email? I am currently using the following recipe:

  :0f
  * ^X-Virus-Status: Yes
  | formail -X

but this deletes the body of the message also :(

Regards,
Peyush
[Clamav-users] The Answer (was Re: ClamAV should not try to detect phishing....)
On Mon, 15 Nov 2004, Trog wrote:

> Please give a full definition of Spam and Malware/Viruses that do not intersect, and will never intersect for all future Spam and Malware such that we can be sure we know what you are requesting.

After reading the 100+ messages in this thread, I've gotta say I'm disappointed that nobody has stated the obvious answer:

ClamAV should block things that propagate automatically.

If it's something that is released into the wild, then propagates without intervention from a central organizing authority, then it obviously won't be changing and can be analyzed and a signature developed.[1] One-time mailings, such as spam and phishing schemes, will change with every iteration. There is no hope of generating a signature for these, and any attempt to construct one will merely overload us with useless signatures that slow down the scanner and lead to false positives.

[1] I realize this leaves the slightly shady area of trojans. Personally, I wouldn't mind if clamav didn't catch those. I want it to stop the latest threats that are attacking en masse. Missing an occasional targeted threat isn't such a big deal by comparison.

So, if the developers insist on pursuing this silly phishing/spam signature thing, how about putting it in its own database that people can optionally download? Just don't corrupt the main database with it. It's a LOT easier for people to get two databases and combine them than for people to remove the stupid signatures from a single database.

A few other notes for the general discussion:

Virus blocking is easy, because it is a reactive process. We are given a virus sample. That sample contains all information about how the virus will behave in the future. You can therefore construct a signature to stop it. Furthermore, false positives can be easily checked for and eliminated. It is therefore safe to reject tagged mails without further review. In the unlikely event of a false positive, the original sender will be notified.

Spam blocking is hard, because it must be a proactive process. No two spams are alike. Creating a signature for one spam is unlikely to be useful against another. As a result, any signatures must, of necessity, be so short as to lead to false positives. This requires a more advanced system to determine whether or not to flag a message, namely scoring. Users can choose a threshold they feel comfortable with.

Finally, a rant: When I first saw the subject line, I thought it was some clueless newbie asking us to turn ClamAV into SA, and I expected a lot of bashing of newb stupidity for not using the right tool for the right job. Then I noticed the word "not" in the subject line, and wondered why there was so much discussion on such a basic concept. After reading 100+ messages, I'm somewhat frustrated.

Really, folks. This is simple. Stop arguing. Just read the above and accept it. Oh, and stop claiming that almost everyone is on your side. Posting volume does not equal number of people. Especially when it's the same 3 people posting 20 times each.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign  |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819    |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] freshclam error
A symlink enables freshclam to start but I get an error message in the log saying that functionality is level 1 and level 3 is required.

Paul Dobson
Re: [Clamav-users] freshclam error
No, sorry, it doesn't. I know how to install clamav - I've been running it since 0.67.

Paul
Re: [Clamav-users] freshclam error
On Tue, 16 Nov 2004 08:57:33 + in [EMAIL PROTECTED] Paul Dobson [EMAIL PROTECTED] wrote:

> A symlink enables freshclam to start but I get an error message in the log saying that functionality is level 1 and level 3 is required.

Looks like you have an old version of libclamav in your LD_PATH or else you are running an old version of freshclam. I'd suggest very carefully checking your installation and finding and clearing out the old stuff.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] freshclam error
ClamAV users ML [EMAIL PROTECTED] writes:

> Looks like you have an old version of libclamav in your LD_PATH or else you are running an old version of freshclam. I'd suggest very carefully checking your installation and finding and clearing out the old stuff.

I would guess that the version I have (libclamav.1.0.3.dylib) is a newer version than libclamav.1.dylib, and I cleared out the old installation (0.70) using make uninstall and make distclean - won't this have got everything?

Paul
Re: [Clamav-users] freshclam error
On Tue, 16 Nov 2004 10:01:07 + in [EMAIL PROTECTED] Paul Dobson [EMAIL PROTECTED] wrote:

> ClamAV users ML [EMAIL PROTECTED] writes:
> > Looks like you have an old version of libclamav in your LD_PATH or else you are running an old version of freshclam. I'd suggest very carefully checking your installation and finding and clearing out the old stuff.
>
> I would guess that the version I have (libclamav.1.0.3.dylib) is a newer version than libclamav.1.dylib and I cleared out the old installation (0.70) using make uninstall and make distclean won't this have got everything?

It probably should, but it sounds to me as if you need a symlink anyway. On Linux it is usual to have a shared library name such as foo.so linked to a major version like foo.so.1 which itself is a link to the actual library itself which is something like foo.so.1.0.3 (I hope that's clear). I'm not MacOS X-aware so maybe someone else can help you out with the equivalent naming convention there?

The symptom you describe sounds like there is an old library somewhere else, but I forget when functionality level 2 was brought in, it might have been between 0.70 and 0.75, so whatever you had was older than this breakpoint. I'd say there is still a remnant of 0.70 on there somewhere though.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] freshclam error
ClamAV users ML [EMAIL PROTECTED] writes:

> The symptom you describe sounds like there is an old library somewhere else, but I forget when functionality level 2 was brought in, it might have been between 0.70 and 0.75, so whatever you had was older than this breakpoint. I'd say there is still a remnant of 0.70 on there somewhere though.

I was on functionality level 2 on 0.70 - I remember this because I upgraded from 0.67 to 0.70 because of an error message telling me that functionality should be level 2. I guess the thing to do is to uninstall 0.80 and look around for files that are left.

Paul
Re: [Clamav-users] freshclam error
On Tue, 16 Nov 2004 10:29:29 + in [EMAIL PROTECTED] Paul Dobson [EMAIL PROTECTED] wrote:

> I guess the thing to do is to uninstall 0.80 and look around for files that are left.

Yes, that would work, you might just try a comprehensive search before you do something quite that drastic.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
[Clamav-users] Exim 4.2 and Clam 0.80 problem
Hi

I just upgraded from Clam 0.75 to Clam 0.80. Ownerships seem OK. I could not see anywhere that required major config changes. Everything works perfectly with 0.75. The freshclam update worked well. On startup, the clamd.log seems fine.

Were there any major config changes that are required in Exim?

Thanks
Frank

+++ Started at Tue Nov 16 07:35:13 2004
clamd daemon 0.80 (OS: netbsdelf, ARCH: i386, CPU: i386)
Log file size limited to 2097152 bytes.
Reading databases from /var/clamav
Protecting against 26857 viruses.
Unix socket file /tmp/clamd
Setting connection queue length to 15
Archive: Archived file size limit set to 10485760 bytes.
Archive: Recursion level limit set to 5.
Archive: Files limit set to 1000.
Archive: Compression ratio limit set to 250.
Archive support enabled.
Archive: RAR support disabled.
Portable Executable support enabled.
Mail files support enabled.
OLE2 support enabled.
HTML support enabled.
Self checking every 1800 seconds.

I am now getting the following errors:

In clamd.log, continuously:

Tue Nov 16 07:58:29 2004 - Client disconnected

In /log/exim/main:

2004-11-16 08:03:29 1CU2zX-0002ns-RR malware acl condition: unable to read from clamav UNIX socket (/tmp/clamd)

In /tmp:

srwxrwxrwx 1 exim wheel 0 Nov 16 07:56 clamd=

-
Frank DeChellis, President
Internet Access Worldwide
3 East Main St. Welland, ON, Canada L3B 3W4
1-905-714-1400
http://www.iaw.com
-
--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
Re: [Clamav-users] freshclam error
A search solved the problem. I had forgotten that as part of the original install the instructions had been to copy clamscan and freshclam to /usr/bin! Now removed and working ok.

Paul
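The fix Paul found (stale copies of clamscan and freshclam left in /usr/bin) and Brian's description of the foo.so -> foo.so.1 -> foo.so.1.0.3 symlink chain both come down to the same question: which copy is actually being picked up. As an added example, not code from the list or from ClamAV, here is a small Python diagnostic that lists every copy of a binary found on a PATH and walks a shared-library symlink chain to the real file. The install layout it inspects is constructed in a temporary directory, and the directory, binary and library names in it are assumptions made for the example.

```python
# Added example (not from the list thread or from ClamAV): find stale copies
# of a binary on the PATH and follow a shared-library symlink chain.
import os
import shutil
import tempfile


def find_on_path(name, search_path=None):
    """Every executable called `name` on the colon-separated search_path
    (default: this process's $PATH), in lookup order."""
    path = os.environ.get("PATH", "") if search_path is None else search_path
    hits = []
    for directory in path.split(os.pathsep):
        if not directory:
            continue
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def duplicates_on_path(names, search_path=None):
    """Map each name that occurs more than once to its locations; the first
    entry is the copy the shell would actually run."""
    dupes = {}
    for name in names:
        hits = find_on_path(name, search_path)
        if len(hits) > 1:
            dupes[name] = hits
    return dupes


def symlink_chain(path):
    """Follow symlinks one hop at a time and return the whole chain, ending
    at the real file (or at the first dangling or looping link)."""
    chain = [path]
    seen = {path}
    while os.path.islink(chain[-1]):
        target = os.readlink(chain[-1])
        if not os.path.isabs(target):
            target = os.path.join(os.path.dirname(chain[-1]), target)
        target = os.path.normpath(target)
        if target in seen:          # loop guard
            break
        chain.append(target)
        seen.add(target)
    return chain


def demo():
    """Constructed layout: freshclam in two bin directories (the stale-copy
    problem from the thread), clamscan and clamd in one each, and a
    versioned libclamav chain.  Returns (duplicates, chain basenames)."""
    root = tempfile.mkdtemp(prefix="clam-demo-")
    try:
        bin_dirs = []
        for sub, tools in (("usr/bin", ("freshclam", "clamscan")),
                           ("usr/local/bin", ("freshclam", "clamd"))):
            directory = os.path.join(root, sub)
            os.makedirs(directory)
            for tool in tools:
                exe = os.path.join(directory, tool)
                with open(exe, "w") as fh:
                    fh.write("#!/bin/sh\n")   # stand-in for the real binary
                os.chmod(exe, 0o755)
            bin_dirs.append(directory)
        lib_dir = os.path.join(root, "usr/lib")
        os.makedirs(lib_dir)
        open(os.path.join(lib_dir, "libclamav.so.1.0.3"), "wb").close()
        os.symlink("libclamav.so.1.0.3", os.path.join(lib_dir, "libclamav.so.1"))
        os.symlink("libclamav.so.1", os.path.join(lib_dir, "libclamav.so"))

        dupes = duplicates_on_path(["freshclam", "clamscan", "clamd"],
                                   os.pathsep.join(bin_dirs))
        chain = symlink_chain(os.path.join(lib_dir, "libclamav.so"))
        return dupes, [os.path.basename(p) for p in chain]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, chain = demo()
    for name, paths in found.items():
        print(f"{name}: {len(paths)} copies -> {paths}")
    print(" -> ".join(chain))
```

Against a real system, call duplicates_on_path(["freshclam", "clamscan", "clamd"]) with no search_path so it reads $PATH, and symlink_chain() on the library path the loader reports. A copy that sits earlier on the PATH than the fresh install is exactly the case the thread hit: the old binary runs, links against whatever library it finds, and reports the wrong functionality level.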
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Tue, 16 Nov 2004 at 1:31:22 +0100, Julian Mehnle wrote:

> If people require machines as desperately as that to prevent themselves from falling for fraud attempts, humanity is truly doomed.

It already is ;-) . Anybody who doubts it can have a look:

http://www.manbottle.com/humor/Further_proof_that_the_human_race_is_doomed.htm
http://www.doheth.co.uk/funny/doomed.php

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/  | ones and zeros.
 [EMAIL PROTECTED] http://www.ClamAV.net/  A GPL virus scanner
Re: [Clamav-users] freshclam error
On Tue, 16 Nov 2004 14:32:19 + in [EMAIL PROTECTED] Paul Dobson [EMAIL PROTECTED] wrote:

> A search solved the problem. I had forgotten that as part of the original install the instructions had been to copy clamscan and freshclam to /usr/bin! Now removed and working ok.

Good! Pleased it's sorted out now

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Tue, 16 Nov 2004, Julian Mehnle wrote:

> If people require machines as desperately as that to prevent themselves from falling for fraud attempts...

...then they're pretty much behaving in the manner humanity always has and always will.

To those of you who argue that ClamAV should detect phishing attacks even though tools like SpamAssassin are designed and inherently better suited for doing that, I'd like to say that you will never really be able to abandon SpamAssassin Co. anyway. Again, I don't think that's what the ClamAV team is trying to accomplish here. They're just going after the most active phishing threats out there, not trying to completely prevent your system from any sort of unwanted e-mail (or even every possible phishing attack).

I understand that you want your users to have the right to screw themselves, which I understand from a philosophical standpoint, despite the fact that I think it's terribly silly. But, you aren't demanding that everyone else be terribly silly, so I don't see any problem with your request. Given the way things have happened in the past, I wouldn't be surprised if this functionality were quietly added in the next CVS release while everyone keeps arguing about how many clicks it takes to make something a virus.

The argument I DON'T think much of is the slippery slope argument, mostly for this reason...interspersed between all the discussion in this thread are tons of confirmation messages in my inbox, letting me know that ClamAV has nailed tons of phishing messages that wouldn't have otherwise been caught. Job well done. There are dozens (hundreds?) of new viruses and trojans added to the database every week that most of our systems will never see, but no one complains about the resource hit those are making, because we all know that on the off-chance we ever get one of these rare beasts, we'd be very happy ClamAV was there to stop it.

The argument that phishing attacks are a bunch of one-offs that you'll never see again is not backed up by my data. The very first anti-phishing signature added to the database nabbed a few specimens just today. Maybe in a month they'll be gone forever, but such is the way of worm flare-ups these days as well. Despite all the hyperbole, what's really happened here is that a small amount of work (i.e., a few signatures) has been done that will save a disproportionately huge amount of headaches in the sys admin community. There's no point in claiming the sky is falling, just yet, anyway.

I think this is a worthwhile discussion to have, and philosophical ideals are important, but we should also take a peek at the real world from time to time as well. We should be watchful of any drastic turns in ClamAV development, but we haven't seen any of those yet.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Exim 4.2 and Clam 0.80 problem
On Tue, 16 Nov 2004 08:38:05 -0500 in [EMAIL PROTECTED] Frank DeChellis [EMAIL PROTECTED] wrote:

> Hi I just upgraded from Clam 0.75 to Clam 0.80. Ownerships seem OK. I could not see anywhere that required major config changes. Everything works perfectly with 0.75. The freshclam update worked well. On startup, the clamd.log seems fine. Were there any major config changes that are required in Exim?

[snip]

> I am now getting the following errors:
>
> In clamd.log, continuously:
> Tue Nov 16 07:58:29 2004 - Client disconnected
>
> In /log/exim/main
> 2004-11-16 08:03:29 1CU2zX-0002ns-RR malware acl condition: unable to read from clamav UNIX socket (/tmp/clamd)
>
> In /tmp
> srwxrwxrwx 1 exim wheel 0 Nov 16 07:56 clamd=

Are you using exiscan-acl? If so you need to upgrade to a version equal to or later than -21, there was some discussion about this a week or two back on this list so a look in the archives might be worthwhile. Using -28 with Exim 4.43 here and all working as it should.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
[Clamav-users] Good job ClamAV team!
1024 viruses blocked in the last month (after 152,000 emails blocked by RBL's, etc)
68 were phishing attacks my users appreciated not seeing
Then SpamAssassin flagged 1500 and Mimedefang removed 1300 attachments

Overlapping products and multiple lines of defense are a great idea. I'd much rather have overlap than underlap. :)
Re: [Clamav-users] Good job ClamAV team!
I would like to second your thoughts on this matter. All too often we users tend to take this software and all the work behind it for granted. The vast majority of posts on this list are problems with this or that, or why didn't you do it this way or that way.

I'd like to just join in and say to all the developers and maintainers: Thank you very much for all your work on a project that benefits innumerable systems throughout the world. Clamav has truly made a difference! Your efforts to improve the system and take on the nasty job of keeping virus definitions up to date are truly appreciated!

Thanks Again,
Phil

On Nov 16, 2004, at 10:52 AM, Minica, Nelson (EDS) wrote:

> 1024 viruses blocked in the last month (after 152,000 emails blocked by RBL's, etc)
> 68 were phishing attacks my users appreciated not seeing
> Then SpamAssassin flagged 1500 and Mimedefang removed 1300 attachments
> Overlapping products and multiple lines of defense are a great idea. I'd much rather have overlap than underlap. :)
Re: [Clamav-users] Good job ClamAV team!
On Nov 16, 2004, at 12:52 PM, Minica, Nelson (EDS) wrote:

> 1024 viruses blocked in the last month (after 152,000 emails blocked by RBL's, etc)
> 68 were phishing attacks my users appreciated not seeing
> Then SpamAssassin flagged 1500 and Mimedefang removed 1300 attachments
> Overlapping products and multiple lines of defense are a great idea. I'd much rather have overlap than underlap. :)

Although I agree with the subject line sentiment, I thought the discussion/argument/etc. over philosophy and ideas was declared over and pointless?
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
> On Tue, 16 Nov 2004, Julian Mehnle wrote:
> > If people require machines as desperately as that to prevent themselves from falling for fraud attempts...
>
> ...then they're pretty much behaving in the manner humanity always has and always will. To those of you who argue that ClamAV should detect phishing attacks even though tools like SpamAssassin are designed and inherently better suited for doing that, I'd like to say that you will never really be able to abandon SpamAssassin Co. anyway.

Announcing a NEW phishing threat ... this is an excerpt from winXP news ...

> how to disable the Windows Scripting Host (WSH) to prevent an insidious new phishing technique that uses a script to redirect you to a fraudulent Web site when you log on to do online banking.

So some of the phishing attacks now use scripts

--
Ken Jones
[EMAIL PROTECTED]
Re: [Clamav-users] Good job ClamAV team!
Hear, hear ... An excellent product and a huge thanks to ALL who have contributed to it!

--
Ken Jones
[EMAIL PROTECTED]
Re: [Clamav-users] ClamAV should not try to detect phishing andother social engineering attacks
On 2004-11-15 16:23:19 -0500, Bart Silverstrim wrote:

> I find it interesting though that I've yet to hear from anyone commenting on my proposal to create a filter that will extract and convert all emails into pure text, or reformat it so only certain things can get through as an attachment with a pure text message so it would be defanged of scripts, web content, potential scripting exploits, etc...I'm honestly beginning to wonder how hard that would be to make and whether it may be of use for some sites. Draconian, yet it would be extremely handy in stopping the maliciousness of viruses or spam tricks...dynamically rewriting all email to a standard format. Anyone? Does this already exist? A prefilter thing...not halfway to the task, like using MIMEDefang, but a whole "here's the email stripped of HTML and in a standard format for the mail system" type filter...

I was under the impression that MIMEDefang can do this. But I'm afraid my users wouldn't like it, so I never looked into it closely.

That said I think this is very easy to implement:

Check if a mime entity is multipart/alternative with a text part: If it is, replace it with the text part. Otherwise, if it is HTML, filter it through w3m, lynx, or some other html to text converter. Pass through other content-types unaltered or strip them according to site policy.

I guess a plugin for qpsmtpd which does this could be written in a day or so.

hp

--
   _  | Peter J. Holzer    | The further north you go, the less is spoken
|_|_) | Sysadmin WSR       | at all, so no dialect either.
| |   | [EMAIL PROTECTED]  | Hallig Gröde is almost entirely dialect-free.
__/   | http://www.hjp.at/ |    -- Hannes Petersen in desd
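The three-step rewrite Peter sketches (take the text part of a multipart/alternative, convert an HTML-only body to text, pass or strip other parts by site policy) is the same operation Peyush asked for earlier in the Procmail thread: drop the attachment but keep the body. As an added example, not code from the list, from MIMEDefang or from qpsmtpd, here is that prefilter in Python using only the standard library. The HTML-to-text step uses html.parser with tags stripped and script/style bodies discarded instead of piping through w3m or lynx; the attachment allow list, the X-Attachments-Removed header name and the sample message are all constructed for the example.

```python
# Added example (not from the list thread, MIMEDefang, qpsmtpd or ClamAV):
# rewrite a MIME message so only a plain-text body and allow-listed
# attachments survive.  html.parser replaces the external converter.
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Keep text nodes only; <script> and <style> contents are discarded."""

    BLOCK_TAGS = {"br", "p", "div", "li", "tr", "h1", "h2", "h3"}

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in self.BLOCK_TAGS:
            self._chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self._chunks.append(data)

    def text(self):
        lines = (" ".join(line.split()) for line in "".join(self._chunks).splitlines())
        return "\n".join(line for line in lines if line)


def html_to_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.text()


def extract_text_body(msg):
    """Prefer a text/plain alternative; otherwise convert the HTML body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return ""
    content = body.get_content()
    return html_to_text(content) if body.get_content_type() == "text/html" else content


def sanitize(msg, keep_types=frozenset()):
    """Return (clean_message, dropped); dropped lists (filename, type) for
    every attachment whose content type is not in keep_types.  Routing
    headers are copied, all Content-* headers are rebuilt from scratch."""
    clean = EmailMessage()
    for name in ("From", "To", "Cc", "Date", "Subject", "Message-ID"):
        if name in msg:
            clean[name] = str(msg[name])
    clean.set_content(extract_text_body(msg))
    dropped = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        filename = part.get_filename() or "unnamed"
        if ctype not in keep_types:
            dropped.append((filename, ctype))
            continue
        data = part.get_content()
        if isinstance(data, bytes):
            clean.add_attachment(data, maintype=part.get_content_maintype(),
                                 subtype=part.get_content_subtype(), filename=filename)
        else:                                   # text/* attachment
            clean.add_attachment(data, subtype=part.get_content_subtype(), filename=filename)
    if dropped:   # constructed header name so the recipient knows what was removed
        clean["X-Attachments-Removed"] = ", ".join(name for name, _ in dropped)
    return clean, dropped


def sanitize_raw(raw, keep_types=frozenset()):
    # Entry point for the raw bytes an MTA hook hands to a filter.
    return sanitize(email.message_from_bytes(raw, policy=policy.default), keep_types)


def build_sample():
    """Constructed message: text+HTML alternative, an .exe and a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Account notice"
    msg.set_content("Please review your account.")
    msg.add_alternative("<html><body><p>Please <b>review</b> your account.</p>"
                        "<script>alert(1)</script></body></html>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00 stub", maintype="application",
                       subtype="octet-stream", filename="update.exe")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg


if __name__ == "__main__":
    clean, dropped = sanitize_raw(build_sample().as_bytes(), keep_types={"application/pdf"})
    print(clean.as_string())
    print("dropped:", dropped)
```

Applied to the constructed sample with keep_types={"application/pdf"}, it returns a multipart/mixed message holding the plain-text body and statement.pdf only, with update.exe reported in dropped; with the default empty allow list every attachment goes and the result is a bare text/plain message. Because get_body() is asked for "plain" before "html", a multipart/alternative is reduced to its text part without the HTML ever being parsed, so the converter only runs on HTML-only mail.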
RE: defanging HTML email, was [Clamav-users] ClamAV should not try to detect phishing andothersocial engineering attacks
Peter J. Holzer wrote:

> Otherwise, if it is HTML, filter it through w3m, lynx, or some other html to text converter.

This is the dangerous part. If there's going to be any way for a malignant HTML email to overflow a buffer, it's here.
[Clamav-users] Re: defanging HTML, was ClamAV should not try to detect phishing and other social engineering attacks
Peter J. Holzer wrote:

> I was under the impression that MIMEDefang can do this. But I'm afraid my users wouldn't like it, so I never looked into it closely. That said I think this is very easy to implement: Check if a mime entity is multipart/alternative with a text part: If it is, replace it with the text part.

I know MD can do this much *very* easily -- there's a built-in function, remove_redundant_html_parts, that you can call in filter_end. All you have to do is uncomment it in the example filter.

> Otherwise, if it is HTML, filter it through w3m, lynx, or some other html to text converter.

This can probably be done using action_external_filter, but you still need to figure out which parts to convert and which to discard, pick a parser (as Matthew pointed out, there can be security concerns here), change the mime type, etc.

--
Kelson Vibber
SpeedGate Communications www.speed.net
Re: defanging HTML email, was [Clamav-users] ClamAV should not try to detect phishing andothersocial engineering attacks
[EMAIL PROTECTED] wrote:

> Peter J. Holzer wrote:
> > Otherwise, if it is HTML, filter it through w3m, lynx, or some other html to text converter.
>
> This is the dangerous part. If there's going to be any way for a malignant HTML email to overflow a buffer, it's here.

Well it's always about moving risk. Yes, compromise of your MTA is probably worse than a compromise of an end-user machine - but you have 10,000 end users and only a few MTAs... Typically an IS group is quicker at patching servers than end users...

Remember the InfoSec saying: put all your eggs in one basket, AND THEN WATCH THE BASKET.

Jason