Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Fri, Dec 03, 2004 at 02:54:44PM -0800, Todd Lyons wrote:
> Jan Pieter Cornet wanted us to know:
> >What I find really odd is your complete lack of Worm.Sober-I. Our stats for
> >Thu Dec 2:
>
> Good point. I had totally missed that too.
>
> >Top-5:
> >W32/Sober-I : 1078544
> >W32/Netsky-P: 57920
>
> That's a pretty big difference, seems more like an internal infection

Erm... I cheat a bit, because I'm counting recipients, not emails. Sober-I
sends to multiple recipients. We "only" had 178405 viruses that day (about
2 per second). Still makes it to the #1 position, though.

Viruses come in from 2212 different IP addresses, from all over the
world... but the top-10 /8s are all from the RIPE region.. first non-RIPE
is 66.0.0.0/8 with 66 different IPs (66x66/8. Coincidence? I think not! :)

Yep, it might be regional indeed. Odd.

-- 
Jan-Pieter Cornet

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Sasa Stupar wrote:
| Todd Lyons wrote:
| | Sasa Stupar wanted us to know:
| |>Guys, how do you make these stats? I am running Sendmail 8.13.1 on FC3
| |>with clamav-milter. Are there some settings on sendmail or Clamav?
| |
| | cat /var/log/clamav/clamd.log | showviruses.pl
| |
| | The showviruses.pl is attached to this email. It's very very simple, no
| | error checking, and no command line options. It could be added very
| | easily though.
|
| Great, it works like a charm. I just needed to change command line to:
| cat /var/log/clamav/clamd.log | ./showviruses.pl
| otherwise I get "command not found".

Copy the file to a directory on your $PATH, e.g. /usr/local/bin

BR,
Matías.
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Todd Lyons wrote:
| Sasa Stupar wanted us to know:
|>Guys, how do you make these stats? I am running Sendmail 8.13.1 on FC3
|>with clamav-milter. Are there some settings on sendmail or Clamav?
|
| cat /var/log/clamav/clamd.log | showviruses.pl
|
| The showviruses.pl is attached to this email. It's very very simple, no
| error checking, and no command line options. It could be added very
| easily though.

Great, it works like a charm. I just needed to change command line to:
cat /var/log/clamav/clamd.log | ./showviruses.pl
otherwise I get "command not found".

This is my first test:
-
# cat /var/log/clamav/clamd.log | ./showviruses.pl
Worm.Mydoom.Gen-unp: 15
Worm.Gibe.F: 12
Worm.SomeFool.P: 3
HTML.Phishing.Bank-31: 2
Exploit.JPEG.Comment.ED: 2
Worm.Mabutu.A-unp: 2
-

-- 
Sasa
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Sasa Stupar wanted us to know:
>Guys, how do you make these stats? I am running Sendmail 8.13.1 on FC3
>with clamav-milter. Are there some settings on sendmail or Clamav?

cat /var/log/clamav/clamd.log | showviruses.pl

The showviruses.pl is attached to this email. It's very very simple, no
error checking, and no command line options. It could be added very
easily though.

-- 
Regards... Todd
OS X: We've been fighting the "It's a mac" syndrome with upper management
for years now. Lately we've taken to just referring to new mac installations
as "Unix" installations when presenting proposals and updates. For some
reason, they have no problem with that. -- /.
Linux kernel 2.6.8.1-12mdkenterprise 3 users, load average: 0.04, 0.11, 0.13

#!/usr/bin/perl
# showviruses.pl: tally ClamAV detections from clamd.log. Every log line
# ending in "<signature> FOUND" counts one hit for that signature.
use strict;
use warnings;

my %virus;
while (<>) {
    # Capture the whitespace-delimited token just before a trailing "FOUND".
    if ( m#^.*\s([^\s]+)\sFOUND$# ) {
        $virus{$1}++;
    }
}

# Print signatures in descending order of hits.
foreach (sort { $virus{$b} <=> $virus{$a} } keys %virus) {
    print "\n$_: $virus{$_}";
}
print "\n";
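An added example, not Todd's showviruses.pl and not part of the thread: the same clamd.log tally in Python, extended to also count clean scans so it can print the "Scanned / Virus (percentage) / Top-N" summary the thread compares. It assumes detection lines end in "<signature> FOUND" and that clean results are logged as lines ending in ": OK" (only true when clamd is configured to log clean files); the sample log lines are constructed, not taken from any real host.

```python
"""Tally ClamAV detections from clamd.log (added example, not the thread's
script). Adapt FOUND_RE / CLEAN_RE if your clamd.log format differs."""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable

# A detection line ends with "<signature> FOUND", anchored exactly like the
# Perl script, so "SelfCheck: Database status OK." and similar never match.
FOUND_RE = re.compile(r"\s(\S+)\sFOUND$")
# Clean results appear only when clamd logs clean files (assumption).
CLEAN_RE = re.compile(r":\sOK$")


def tally(lines: Iterable[str]) -> tuple[Counter[str], int]:
    """Return (hits per signature, number of clean scans).

    With clamav-milter each FOUND line is one scanned message, not one
    recipient, which is the distinction Jan-Pieter raises in the thread."""
    hits: Counter[str] = Counter()
    clean = 0
    for line in lines:
        line = line.rstrip("\n")
        m = FOUND_RE.search(line)
        if m:
            hits[m.group(1)] += 1
        elif CLEAN_RE.search(line):
            clean += 1
    return hits, clean


def report(hits: Counter[str], clean: int, top: int = 5) -> list[str]:
    """Format like the stats posted in the thread: totals, then top-N."""
    infected = sum(hits.values())
    scanned = infected + clean
    pct = 100.0 * infected / scanned if scanned else 0.0
    out = [f"Scanned: {scanned}", f"Virus  : {infected} ({pct:.1f}%)", f"Top-{top}:"]
    out += [f"{sig}: {n}" for sig, n in hits.most_common(top)]
    return out


# Constructed sample log lines in the clamd.log style of the era.
SAMPLE_LOG = """\
Fri Dec  3 10:12:05 2004 -> SelfCheck: Database status OK.
Fri Dec  3 10:12:07 2004 -> /var/tmp/clamav-1a2b/msg.eml: Worm.Sober.I FOUND
Fri Dec  3 10:12:08 2004 -> /var/tmp/clamav-3c4d/msg.eml: OK
Fri Dec  3 10:12:09 2004 -> /var/tmp/clamav-5e6f/msg.eml: Worm.Sober.I FOUND
Fri Dec  3 10:12:10 2004 -> /var/tmp/clamav-7a8b/msg.eml: HTML.Phishing.Bank-1 FOUND
Fri Dec  3 10:12:11 2004 -> /var/tmp/clamav-9c0d/msg.eml: OK
Fri Dec  3 10:12:12 2004 -> /var/tmp/clamav-e1f2/msg.eml: Worm.Zafi.B FOUND
"""

if __name__ == "__main__":
    counts, ok = tally(SAMPLE_LOG.splitlines())
    print("\n".join(report(counts, ok)))
```

For a real host, replace SAMPLE_LOG with `open("/var/log/clamav/clamd.log")` and the output matches the ordering of showviruses.pl.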
RE: [Clamav-users] RE: Re: This is how I use ClamAV
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] Behalf Of Jeremy Kitchen
> Sent: Friday, December 03, 2004 11:51 AM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] RE: Re: This is how I use ClamAV
>
> On Friday 03 December 2004 09:44 am, Kiril Todorov wrote:
> > Ian Lewis wrote:
> > > That is very interesting information Samuel. I shall be interested to
> > > compare it to my own data.
> > >
> > > We quarantine our emails just in case there are any which are
> > > genuine but holding viruses. Not very likely but you never know.
> > >
> > > Do I understand from what you say that having identified 4 million
> > > viruses you reject them and they go 'back' to the often spoofed sender,
> > > still capable of causing trouble?
> >
> > I believe he meant rejected at SMTP level with a permanent error code
> > (5.x.x)
>
> in which case, the only way they would go to an innocent third party is if
> they were relayed through another smtp server, and that's Somebody Else's
> Problem, because if that other smtp server had rejected the virus in the
> first place, you wouldn't have had to reject the message yourself.
>
> Any legit emails that get rejected because of infections (false positive or
> not) should go back to the original sender without any problems.

That's just what I meant =)

I don't like the idea of adding to quarantine 300K viruses daily 'just in
case' and then using the helpdesk to help people recover their messages.

-Samuel
Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Sat, 04.12.2004 at 19:53, Krištof Petr wrote:
> Sasa Stupar wrote:
> >>Worm.Sober.I: 4081
> >>Worm.Zafi.B: 3552
> >>Worm.SomeFool.P: 3529
> >>Worm.Bagle.Gen-zippwd: 612
> >>Worm.SomeFool.Gen-1: 573
> >>HTML.Phishing.Bank-1: 392
> >>Worm.Bagle.N: 328
> >>HTML.Phishing.Bank-27: 316
> >
> > Guys, how do you make these stats? I am running Sendmail 8.13.1 on FC3
> > with clamav-milter. Are there some settings on sendmail or Clamav?
>
> Do you have logwatch package installed?
> If yes, you will get daily stats in root's email.
>
> Petr

Yes, I have Logwatch installed and I get some of the sendmail stats, but
for viruses I get only how much was clean and how much infected; there is
no description of which viruses.

Sasa
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Sasa Stupar wrote:
>>Worm.Sober.I: 4081
>>Worm.Zafi.B: 3552
>>Worm.SomeFool.P: 3529
>>Worm.Bagle.Gen-zippwd: 612
>>Worm.SomeFool.Gen-1: 573
>>HTML.Phishing.Bank-1: 392
>>Worm.Bagle.N: 328
>>HTML.Phishing.Bank-27: 316
>
> Guys, how do you make these stats? I am running Sendmail 8.13.1 on FC3
> with clamav-milter. Are there some settings on sendmail or Clamav?

Do you have logwatch package installed?
If yes, you will get daily stats in root's email.

Petr
Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Sat, Dec 04, 2004 at 09:32:47AM +0100, Sasa Stupar said:
> Guys, how do you make these stats? I am running Sendmail 8.13.1 on FC3
> with clamav-milter. Are there some settings on sendmail or Clamav?

I generally parse the clamav log, as that seems easiest. Several of us
have posted our scripts that we use for this in the past. I don't have
the time to trawl the list archives right now, but if you have trouble
finding one you like, write back.

-- 
 ----------------------------------------------------------------------
|  Stephen Gran                  | Cahn's Axiom: When all else fails, |
|  [EMAIL PROTECTED]             | read the instructions.             |
|  http://www.lobefin.net/~steve |                                    |
 ----------------------------------------------------------------------
Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Fri, 03.12.2004 at 23:54, Todd Lyons wrote:
> Jan Pieter Cornet wanted us to know:
>
> >What I find really odd is your complete lack of Worm.Sober-I. Our stats for
> >Thu Dec 2:
>
> Good point. I had totally missed that too.
>
> >Top-5:
> >W32/Sober-I : 1078544
> >W32/Netsky-P: 57920
>
> That's a pretty big difference, seems more like an internal infection
> than mail coming from the outside. Or am I stating the obvious since
> most viruses/worms have their own smtp engines and connect directly to
> MX boxen anyway?
>
> >W32/Netsky-D:9193
> >Troj/BkFraud-A :7238
> >W32/Netsky-Z:7157
>
> For us, it's less drastic for our top 5, and I included a few extra to
> show just how many positive hits I'm getting from the Phishing sigs:
>
> Worm.Sober.I: 4081
> Worm.Zafi.B: 3552
> Worm.SomeFool.P: 3529
> Worm.Bagle.Gen-zippwd: 612
> Worm.SomeFool.Gen-1: 573
> HTML.Phishing.Bank-1: 392
> Worm.Bagle.N: 328
> HTML.Phishing.Bank-27: 316

Guys, how do you make these stats? I am running Sendmail 8.13.1 on FC3
with clamav-milter. Are there some settings on sendmail or Clamav?

Sasa
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Jan Pieter Cornet wanted us to know:

>What I find really odd is your complete lack of Worm.Sober-I. Our stats for
>Thu Dec 2:

Good point. I had totally missed that too.

>Top-5:
>W32/Sober-I : 1078544
>W32/Netsky-P: 57920

That's a pretty big difference, seems more like an internal infection
than mail coming from the outside. Or am I stating the obvious since
most viruses/worms have their own smtp engines and connect directly to
MX boxen anyway?

>W32/Netsky-D:9193
>Troj/BkFraud-A :7238
>W32/Netsky-Z:7157

For us, it's less drastic for our top 5, and I included a few extra to
show just how many positive hits I'm getting from the Phishing sigs:

Worm.Sober.I: 4081
Worm.Zafi.B: 3552
Worm.SomeFool.P: 3529
Worm.Bagle.Gen-zippwd: 612
Worm.SomeFool.Gen-1: 573
HTML.Phishing.Bank-1: 392
Worm.Bagle.N: 328
HTML.Phishing.Bank-27: 316

-- 
Regards... Todd
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.8.1-12mdkenterprise 2 users, load average: 0.05, 0.06, 0.06
Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Fri, Dec 03, 2004 at 03:15:49PM -, Ian Lewis wrote:
> >I think it could be nice to have like a list of "known systems". That way a
> >newbie could read and choose the best for his needs.

Sendmail 8.12.11, mimedefang, f-prot, sophos and Clamav as soon as the
thread concurrency problems on FreeBSD 4 are tackled or we upgraded to
FreeBSD 5 (whichever comes first). Discarding in case of virus.

> >Viruses stopped Yesterday: Thu Dec 2
> >77550 Worm.SomeFool.Gen-1
> >76936 Worm.SomeFool.P
> >26800 Worm.Mydoom.M
> >21249 Worm.Bagle.Gen-zippwd

What I find really odd is your complete lack of Worm.Sober-I. Our stats for
Thu Dec 2:

Scanned mail: 5730363
Virus       : 1195719 (20%)

Top-5:
W32/Sober-I   : 1078544
W32/Netsky-P  : 57920
W32/Netsky-D  : 9193
Troj/BkFraud-A: 7238
W32/Netsky-Z  : 7157

Sober-I raised the percentage of viruses in email from about 2% to nearly
30% at peak...

-- 
Jan-Pieter Cornet
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Kiril Todorov wrote:
> Ian Lewis wrote:
> > That is very interesting information Samuel. I shall be interested to
> > compare it to my own data.
> >
> > We quarantine our emails just in case there are any which are genuine but
> > holding viruses. Not very likely but you never know.
> >
> > Do I understand from what you say that having identified 4 million
> > viruses you reject them and they go 'back' to the often spoofed sender,
> > still capable of causing trouble?
>
> I believe he meant rejected at SMTP level with a permanent error code
> (5.x.x)

Which could mean that a host not running a virus scanner would then bounce
the DSN to the "sender".

Counter arguments are usually
a) They should be running a virus scanner and they too should be 5xx/4xx
   rejecting. Serves them right.
b) Modern virus infected hosts are direct to MX emailers

Remember, there is a point that can be made here. It's plausible to conclude
that every un-virus-scanned email service is contributing directly to the
epidemic by allowing their users to become infected and spew crap to everyone
else. Clogged queues are therefore no less than they deserve, as the
arguments against virus scanning are usually in the form of resource
concerns.

Service providers should be aware too that allowing their users to become
infected generally results in tech support calls to the effect of "My
internet is {slow|broken}".

Joe
Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Friday 03 December 2004 09:44 am, Kiril Todorov wrote:
> Ian Lewis wrote:
> > That is very interesting information Samuel. I shall be interested to
> > compare it to my own data.
> >
> > We quarantine our emails just in case there are any which are genuine but
> > holding viruses. Not very likely but you never know.
> >
> > Do I understand from what you say that having identified 4 million
> > viruses you reject them and they go 'back' to the often spoofed sender,
> > still capable of causing trouble?
>
> I believe he meant rejected at SMTP level with a permanent error code
> (5.x.x)

in which case, the only way they would go to an innocent third party is if
they were relayed through another smtp server, and that's Somebody Else's
Problem, because if that other smtp server had rejected the virus in the
first place, you wouldn't have had to reject the message yourself.

Any legit emails that get rejected because of infections (false positive or
not) should go back to the original sender without any problems.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Ian Lewis wrote:
> That is very interesting information Samuel. I shall be interested to
> compare it to my own data.
>
> We quarantine our emails just in case there are any which are genuine but
> holding viruses. Not very likely but you never know.
>
> Do I understand from what you say that having identified 4 million
> viruses you reject them and they go 'back' to the often spoofed sender,
> still capable of causing trouble?

I believe he meant rejected at SMTP level with a permanent error code
(5.x.x)

-- 
'Can death be sleep, when life is but a dream' --John Keats
/* waiting... dreaming... wishing... */
[Clamav-users] RE: Re: This is how I use ClamAV
>I think it could be nice to have like a list of "known systems". That way a
>newbie could read and choose the best for his needs.
>
>We use Sendmail 8.13.0 (since 8.12.11) + Clamav-milter + Clamd.
>No quarantine, no postmaster/sender/recipient notice, just reject messages.
>Centralized freshclam on two servers at different times (minutes 23 and 53
>respectively). OnUpdate it propagates vía sftp to the other 9 servers
>(including the other one that runs freshclam, so it doesn't have to update
>again). OnUpdate & OnError sends a message to postmaster.
>
>Viruses stopped Yesterday: Thu Dec 2
>77550 Worm.SomeFool.Gen-1
>76936 Worm.SomeFool.P
>26800 Worm.Mydoom.M
>21249 Worm.Bagle.Gen-zippwd
> [...]
>    1 Worm.Sircam
>    1 W97M.Marker.C.2
>    1 Trojan.Downloader.Small-165
>--
>330556
>
>You can guess our monthly stats.
>We have more than 4 million mails daily, 150 clamav-milter and 26 clamd
>threads concurrently per server on peak hour.
>
>Regards,
>Samuel Benzaquen

From Ian Lewis:

That is very interesting information Samuel. I shall be interested to
compare it to my own data.

We quarantine our emails just in case there are any which are genuine but
holding viruses. Not very likely but you never know.

Do I understand from what you say that having identified 4 million
viruses you reject them and they go 'back' to the often spoofed sender,
still capable of causing trouble?

Best wishes,
Ian Lewis

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.803 / Virus Database: 546 - Release Date: 30/11/2004