Re: [Clamav-users] Unofficial Phishing Signatures: 369 sigs: 26th February 2006

2006-02-27 Thread Bob Hutchinson
On Sunday 26 Feb 2006 14:01, Steve Basford wrote:
> Hi,
>
> You'll all be glad to hear I don't intend to post here every time I do
> an update of the sigs,
> but as I've added a few sigs today and updated the main website a
> little, I thought I'd post to the list:
>
> http://www.sanesecurity.com/clamav/
>
> For those interested, here are some stats from a couple of sites, using
> the sigs:
>
> http://www.efe.me.uk/vstat/

Heh, I forgot that was there; I apologise for the awful graph ;-(

> http://www.marietta.edu/%7Erobinsom/virus.html
>
> In order to help prevent false positives, I've now got a folder of over
> 1500 *genuine* ebay/paypal/amazon emails,
> which I now scan against before I make the signatures live.

I'm very happy with the phish.ndb; several customers have commented, 'have you
done something? I'm getting far less junk'.

I commend it to anyone, keep up the good work Steve.

>
> Cheers,
>
> Steve
>

-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Unofficial Phishing Signatures: 369 sigs: 26th February 2006

2006-02-26 Thread Maren S. Leizaola

Steve Basford wrote:

> Hi,
>
> You'll all be glad to hear I don't intend to post here every time I do
> an update of the sigs,
> but as I've added a few sigs today and updated the main website a
> little, I thought I'd post to the list:

Thanks for your work Steve.
I don't use your signatures yet, but I still respect what you are doing.

Thanks.

> http://www.sanesecurity.com/clamav/
>
> For those interested, here are some stats from a couple of sites,
> using the sigs:
>
> http://www.efe.me.uk/vstat/
> http://www.marietta.edu/%7Erobinsom/virus.html
>
> In order to help prevent false positives, I've now got a folder of
> over 1500 *genuine* ebay/paypal/amazon emails,
> which I now scan against before I make the signatures live.
>
> Cheers,
>
> Steve


[Clamav-users] Unofficial Phishing Signatures: 369 sigs: 26th February 2006

2006-02-26 Thread Steve Basford

Hi,

You'll all be glad to hear I don't intend to post here every time I do
an update of the sigs,
but as I've added a few sigs today and updated the main website a
little, I thought I'd post to the list:


http://www.sanesecurity.com/clamav/

For those interested, here are some stats from a couple of sites, using 
the sigs:


http://www.efe.me.uk/vstat/
http://www.marietta.edu/%7Erobinsom/virus.html

In order to help prevent false positives, I've now got a folder of over 
1500 *genuine* ebay/paypal/amazon emails,

which I now scan against before I make the signatures live.

Cheers,

Steve



Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-03 Thread Dennis Davis
On Thu, 2 Feb 2006, George R. Kasica wrote:

> From: George R. Kasica <[EMAIL PROTECTED]>
> To: ClamAV users ML 
> Date: Thu, 02 Feb 2006 15:40:41 -0600
> Subject: Re: [Clamav-users] Unofficial Phishing Signatures
> Reply-To: ClamAV users ML 
> 
> >On Thu, 02 Feb 2006 19:40:17 +, you wrote:

...

> Steve or Dennis:
> 
> Where did you get the tool to get clamav stats? We just installed it
> here and could really use something like that.

I suspect this will greatly depend on the MTA you're using.  I'm
using exim as my MTA and all incoming mail is run through both ClamAV
and Sophos virus scanners.  Mail containing a virus is rejected after
the DATA phase of the SMTP dialogue and I've set up exim to log this.
For example:

2006-02-03 09:21:56 1F4x8d-0004hS-G1 H=mars.math.nctu.edu.tw 
(Webmail.Math.NCTU.edu.tw) [140.113.22.51] I=[138.38.32.23]:25 U=root F=<[EMAIL 
PROTECTED]> rejected after DATA: rejected by exiscan-acl: message contains 
malware (Html.Phishing.Pay.Sanesecurity.05082900 ClamAV).

Logs are rotated daily.  So it's a simple matter to run a perl script
over yesterday's logs, pick out lines similar to the above[1], and
produce a summary.

I do much the same with spam scores.  Spam counts are logged and
a daily summary produced.

[1]  Simple perl code of the form:


# Driver added around the fragment so it runs as posted: walk the day's
# exim main log given on the command line; EXISCANLOG is the "condensed" log.
use strict;
use warnings;

my (%virus, $first, $last);
open(my $log, '<', $ARGV[0])          or die "cannot open log: $!";
open(EXISCANLOG, '>>', 'exiscan.log') or die "cannot open exiscan.log: $!";

while (my $line = <$log>) {
  chomp $line;
  if ($line =~ /This message contains a virus/ ||
      $line =~ /message contains malware/) {
    my ($day, $time, $junk) = split(/ /, $line);
    $last = $time;                         # time of the latest hit
    $first = $time unless defined($first); # time of the first hit

    print EXISCANLOG "$line\n";            # copy the line to the condensed log

    $line =~ s/^.* \(//;                   # keep only the text after the last " ("
    $line =~ s/..$//;                      # drop the trailing ")."
    $virus{$line} += 1;                    # count per detection name
    next;
  }
}


will add up the virus counts and produce a "condensed" log
that can be used to produce weekly and/or monthly summaries.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101
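Dennis's approach, worked through as an added example (this is not code from the thread): a Python version of the same log summary, run over a handful of constructed exim reject lines. Hosts, message ids, addresses and most detection names in SAMPLE_LOG are made up; the first line mirrors the one he quoted, and the "This message contains a virus" wording is the second pattern his Perl looks for. The report also works out the share caught by the Sanesecurity signatures, the figure he reported as "some 60%".

```python
import re
from collections import Counter

# Constructed sample of exim main-log lines (hosts, message ids, addresses and
# most detection names are made up); the first line mirrors the one quoted above.
SAMPLE_LOG = """\
2006-02-03 09:21:56 1F4x8d-0004hS-G1 H=mx.example.net [192.0.2.10] F=<a@example.net> rejected after DATA: rejected by exiscan-acl: message contains malware (Html.Phishing.Pay.Sanesecurity.05082900 ClamAV).
2006-02-03 09:22:10 1F4x8r-0004hT-A2 H=mx2.example.net [192.0.2.11] F=<b@example.net> rejected after DATA: rejected by exiscan-acl: message contains malware (Html.Phishing.Bank.Sanesecurity.06012200 ClamAV).
2006-02-03 09:23:41 1F4x9M-0004hU-B3 H=mx3.example.org [192.0.2.12] F=<c@example.org> rejected after DATA: rejected by exiscan-acl: message contains malware (Worm.Constructed.A ClamAV).
2006-02-03 09:25:02 1F4xAb-0004hV-C4 H=mx4.example.org [192.0.2.13] F=<d@example.org> rejected after DATA: This message contains a virus (W32/Constructed-A).
2006-02-03 09:26:17 1F4xBc-0004hW-D5 H=mx5.example.com [192.0.2.14] F=<e@example.com> rejected after DATA: spam score 12.4 exceeds threshold
2006-02-03 09:27:33 1F4xCd-0004hX-E6 H=mx6.example.net [192.0.2.15] F=<f@example.net> rejected after DATA: rejected by exiscan-acl: message contains malware (Html.Phishing.Bank.Sanesecurity.06012200 ClamAV).
"""

# One regex for both scanner wordings seen in the thread; the parenthesised tail
# holds the detection name (plus the scanner name on exiscan-acl lines).
REJECT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) .*"
    r"(?:message contains malware|This message contains a virus) "
    r"\((?P<name>[^)]+)\)\.?$"
)


def parse_rejections(log_text):
    """Yield (date, time, name) for each malware rejection; other lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield m.group("date"), m.group("time"), m.group("name")


def summarize(log_text, unofficial_marker="Sanesecurity"):
    """Per-signature counts, first/last hit time, and the unofficial signatures' share."""
    counts = Counter()
    first = last = None
    for _, time, name in parse_rejections(log_text):
        counts[name] += 1
        first = first or time
        last = time
    total = sum(counts.values())
    unofficial = sum(n for name, n in counts.items() if unofficial_marker in name)
    return {
        "first": first,
        "last": last,
        "total": total,
        "unofficial": unofficial,
        "unofficial_pct": round(100 * unofficial / total) if total else 0,
        "counts": counts,
    }


def format_report(summary):
    """Render the same shape of table Dennis posted: Virus / Count, then Total."""
    width = max(len(n) for n in summary["counts"]) if summary["counts"] else 5
    lines = [f"{'Virus':<{width}}  Count", f"{'-' * width}  -----"]
    for name, n in summary["counts"].most_common():
        lines.append(f"{name:<{width}}  {n:>5}")
    lines.append(f"{'Total':<{width}}  {summary['total']:>5}")
    lines.append(f"Unofficial (Sanesecurity) share: {summary['unofficial_pct']}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

The spam-score line is deliberately included so the parser shows it only counts malware rejections; on a real log, point `summarize` at yesterday's rotated main log and the table drops out directly.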


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Steve Basford



Dennis Peterson wrote:

> I can verify it blocks legitimate mail from Ebay  (outbidnotice and endofitem).
> I cannot provide samples for obvious reasons.

Thanks to all for the reports... the signature was faulty and I've now
disabled it.  I've re-uploaded, with it removed.


Sorry for all this...

Cheers,

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Dennis Peterson
> 
> 
> > I'm getting false positives with
> > Html.Phishing.Auction.Gen009.Sanesecurity.06020102
> >
> > Marking legit eBay communications as Phish; bid confirmations, outbid 
> > notices, "you won" notices.
> >
> Okay, I've disabled this sig and re-uploaded... that should fix it until 
> i can find sample email.
> 
> One thing about that sig, is that it was using multiple matches.. but I 
> did test without any problems... hmmm.
> 
> Out of interest... could you email me a header from the false positive 
> email?
> If you can, steveb_clamav ATT sanesecurity DOTT COMM

I can verify it blocks legitimate mail from Ebay  (outbidnotice and endofitem).
I cannot provide samples for obvious reasons.

dp


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Steve Basford



> I'm getting false positives with
> Html.Phishing.Auction.Gen009.Sanesecurity.06020102
>
> Marking legit eBay communications as Phish; bid confirmations, outbid
> notices, "you won" notices.

Okay, I've disabled this sig and re-uploaded... that should fix it until
I can find sample email.

One thing about that sig, is that it was using multiple matches.. but I
did test without any problems... hmmm.

Out of interest... could you email me a header from the false positive
email?

If you can, steveb_clamav ATT sanesecurity DOTT COMM

Cheers,

Steve



Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread jef moskot
On Thu, 2 Feb 2006, Steve Basford wrote:
> Could you give me the signature names that match the false positives
> please.

Oh, duh.  Of course.

Looks like 2 completely different kinds of eBay communications both
matched:  Html.Phishing.Auction.Gen009.Sanesecurity.06020102

Thanks.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Noel Jones

At 03:43 PM 2/2/2006, Steve Basford wrote:

> jef moskot wrote:
> > The latest batch seems to include a number of false positives, so I had to
> > revert.  I don't want to submit private user data, but an example is the
> > apparently legit report from eBay entitled "Changes to eBay User Agreement
> > and Privacy Policy".
> >
> > Other issues include apparently legitimate communications between buyers
> > and sellers.
>
> Could you give me the signature names that match the false positives please.
>
> Cheers,
>
> Steve

I'm getting false positives with
Html.Phishing.Auction.Gen009.Sanesecurity.06020102

Marking legit eBay communications as Phish; bid confirmations, outbid
notices, "you won" notices.


--
Noel Jones



Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Steve Basford



jef moskot wrote:

> The latest batch seems to include a number of false positives, so I had to
> revert.  I don't want to submit private user data, but an example is the
> apparently legit report from eBay entitled "Changes to eBay User Agreement
> and Privacy Policy".
>
> Other issues include apparently legitimate communications between buyers
> and sellers.

Could you give me the signature names that match the false positives
please.


Cheers,

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread George R . Kasica
>On Thu, 02 Feb 2006 19:40:17 +, you wrote:

>
>Dennis Davis wrote:
>> Very useful.  I started using these signatures on this University's
>> mail servers on Monday.  Appended below are the stats on the
>> incoming crap they stopped yesterday (Tuesday).
>>
>> Virus   Count
>> -   -
>> Total 308
>>
>> The total incoming virus count for yesterday was 512[1].  So these
>> signatures account for some 60% of what was detected.
>>
>>   
>
>Thanks for those stats :)  I'm glad they seem to be working great.  
>
>I've just done a sig update, increasing from 164 sigs to 199 sigs.
>Hopefully, they improve things a little more  :)
>
>Cheers,
>
>Steve

Steve or Dennis:

Where did you get the tool to get clamav stats? We just installed it
here and could really use something like that.

Thanks,

===[George R. Kasica]===+1 262 677 0766
President   +1 206 374 6482 FAX 
Netwrx Consulting Inc.  Jackson, WI USA 
http://www.netwrx1.com
[EMAIL PROTECTED]
ICQ #12862186


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread jef moskot
The latest batch seems to include a number of false positives, so I had to
revert.  I don't want to submit private user data, but an example is the
apparently legit report from eBay entitled "Changes to eBay User Agreement
and Privacy Policy".

Other issues include apparently legitimate communications between buyers
and sellers.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Eric Cunningham

Mark Twells wrote:

> Apologies for wibbling in the group, but I don't appear to have the root
> message of this thread.
>
> Where might I obtain these unofficial signatures?

From Steve Basford on 1/24/06:

http://www.sanesecurity.com/clamav/



Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Steve Basford


Mark Twells wrote:

> Where might I obtain these unofficial signatures?

http://www.sanesecurity.com/clamav/

Cheers,

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Mark Twells
Apologies for wibbling in the group, but I don't appear to have the root
message of this thread.

Where might I obtain these unofficial signatures?

Mark

Dennis Davis wrote:
>>From: Steve Basford <[EMAIL PROTECTED]>
>>To: clamav-users@lists.clamav.net
>>Date: Tue, 24 Jan 2006 20:49:03 +0000
>>Subject: [Clamav-users] Unofficial Phishing Signatures
>>
>>There are already a number of great phishing signatures in ClamAV


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-02 Thread Steve Basford


Dennis Davis wrote:

> Very useful.  I started using these signatures on this University's
> mail servers on Monday.  Appended below are the stats on the
> incoming crap they stopped yesterday (Tuesday).
>
> Virus   Count
> -   -
> Total 308
>
> The total incoming virus count for yesterday was 512[1].  So these
> signatures account for some 60% of what was detected.

Thanks for those stats :)  I'm glad they seem to be working great.

I've just done a sig update, increasing from 164 sigs to 199 sigs.
Hopefully, they improve things a little more  :)


Cheers,

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-01 Thread Oliver Stöneberg
> I feel that it's going to be quite difficult for me to go though 500-odd 
> ClamAV phishing signatures and
> compare them, with an editor to my 100-ish signatures and find out what 
> bits are duplicated.  I really
> need some samples.
>  
> If possible, to save a whole load of time... could you:
> 
> a) give me the sample phishing emails that are duplicated
> b) give me the sample phishing emails that are missed
> 
> Email me, to chat off-list: steveb_clamav -AT- sanesecurity -DOT- com
> 
> Thanks again for the feedback...

I will give you access to the mails you requested, but here are a few
statistics first for everybody out there.

I used ClamAV 0.88-1 with main.cvd 35 and daily.cvd 1263. The
Unofficial Phishing signatures are the 162 ones from 31st January.

Total Phishing mail count - 522
Detected by ClamAV only - 490 (of 522)
Undetected - 32 (of 522)
From the undetected, detected by unofficial signatures -  13 (of 32)
Total undetected - 19 (of 522)

Detected by ClamAV and also by unofficial signatures - 121 (of 490)
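Oliver's numbers, and Dennis Peterson's earlier question about how dupes are avoided, both come down to comparing two scan runs over the same sample set. This added example (not from the thread, and not Sanesecurity's or ClamAV's code) does that in Python over constructed clamscan-style output: it counts what the official databases catch, what the unofficial phish.ndb rescues, what both catch, and which unofficial signatures only ever fire on samples the official databases already detect (the dupe candidates). Paths and signature names in the two sample outputs are made up; the `path: Name FOUND` / `path: OK` line shape and the trailing SCAN SUMMARY block are clamscan's.

```python
import re
from collections import defaultdict

# Constructed clamscan-style output for one sample set scanned twice: once with the
# official databases, once with only the unofficial phish.ndb.  Names are made up.
OFFICIAL_SCAN = """\
/samples/phishing.001: Html.Phishing.Official.Constructed.A FOUND
/samples/phishing.002: Html.Phishing.Official.Constructed.A FOUND
/samples/phishing.003: OK
/samples/phishing.004: Html.Phishing.Official.Constructed.B FOUND
/samples/phishing.005: OK
/samples/phishing.006: OK

----------- SCAN SUMMARY -----------
Infected files: 3
"""
UNOFFICIAL_SCAN = """\
/samples/phishing.001: Html.Phishing.Bank.Constructed.01 FOUND
/samples/phishing.002: OK
/samples/phishing.003: Html.Phishing.Pay.Constructed.02 FOUND
/samples/phishing.004: Html.Phishing.Pay.Constructed.02 FOUND
/samples/phishing.005: OK
/samples/phishing.006: Html.Phishing.Auction.Constructed.03 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# A result line is "path: Name FOUND" or "path: OK"; summary lines do not match.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<name>.+) FOUND|OK)$")


def parse_clamscan(text):
    """Map each scanned path to the signature that fired, or None when it was OK."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results[m.group("path")] = m.group("name")
    return results


def coverage_report(official_text, unofficial_text):
    """Reproduce Oliver's categories and flag unofficial signatures that look like dupes."""
    official = parse_clamscan(official_text)
    unofficial = parse_clamscan(unofficial_text)
    samples = set(official) | set(unofficial)
    caught_official = {p for p in samples if official.get(p)}
    caught_unofficial = {p for p in samples if unofficial.get(p)}
    missed_official = samples - caught_official
    rescued = missed_official & caught_unofficial

    # Which samples each unofficial signature fired on.
    hits = defaultdict(set)
    for path, name in unofficial.items():
        if name:
            hits[name].add(path)

    return {
        "total": len(samples),
        "detected_by_clamav": len(caught_official),
        "undetected_by_clamav": len(missed_official),
        "rescued_by_unofficial": len(rescued),
        "still_undetected": sorted(missed_official - rescued),
        "detected_by_both": len(caught_official & caught_unofficial),
        # Every hit is on a sample the official databases already catch: a dupe
        # candidate, and the kind of sample Steve removes with --remove before
        # writing a signature.
        "dupe_candidates": sorted(n for n, paths in hits.items() if paths <= caught_official),
    }


if __name__ == "__main__":
    for key, value in coverage_report(OFFICIAL_SCAN, UNOFFICIAL_SCAN).items():
        print(f"{key}: {value}")
```

`still_undetected` is the list of samples Steve asked Oliver to send (the ones neither database catches), and `dupe_candidates` is the list Oliver offered to post; a signature in the latter set is not necessarily wrong, but it adds nothing over the official databases for this corpus.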


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-01 Thread Dennis Davis
On Tue, 24 Jan 2006, Steve Basford wrote:

> From: Steve Basford <[EMAIL PROTECTED]>
> To: clamav-users@lists.clamav.net
> Date: Tue, 24 Jan 2006 20:49:03 +0000
> Subject: [Clamav-users] Unofficial Phishing Signatures
> 
> There are already a number of great phishing signatures in ClamAV
> but the Official ClamAV signature makers are obviously very busy
> taking care of the higher priority Virus/Trojan signatures.
>
> As, I've seen a number of new phishing attempts get past the
> Official ClamAV signatures, I thought I'd try to produce my own
> signatures, to see if some of these newer phishing attempts could
> be stopped.

...

Very useful.  I started using these signatures on this University's
mail servers on Monday.  Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).

Virus                                               Count
-----                                               -----
Html.Phishing.Bank.Sanesecurity.06012200              169
Html.Phishing.Pay.Sanesecurity.05082900                38
Html.Phishing.Bank.Sanesecurity.06012600               19
Html.Phishing.Bank.Sanesecurity.06013001.rock          19
Html.Phishing.Bank.Sanesecurity.06012000               15
Html.Phishing.Auction.Gen004.Sanesecurity.06012903     12
Html.Phishing.Bank.Sanesecurity.06012500               11
Html.Phishing.Auction.Gen002.Sanesecurity.06012901      3
Html.Phishing.Pay.Gen001.Sanesecurity.06012700          3
Html.Phishing.Pay.Sanesecurity.06010901                 3
Html.Phishing.Bank.Sanesecurity.05101900                2
Html.Phishing.Pay.Gen002.Sanesecurity.06012700          2
Html.Phishing.Pay.Gen003.Sanesecurity.06012700          2
Html.Phishing.Auction.Gen005.Sanesecurity.06012904      1
Html.Phishing.Azon.Sanesecurity.06011000                1
Html.Phishing.Bank.Sanesecurity.05118103                1
Html.Phishing.Bank.Sanesecurity.05120800                1
Html.Phishing.Bank.Sanesecurity.06011002                1
Html.Phishing.Bank.Sanesecurity.06012601                1
Html.Phishing.Pay.Sanesecurity.05100500                 1
Html.Phishing.Pay.Sanesecurity.05120802                 1
Html.Phishing.Pay.Sanesecurity.06011103                 1
Html.Phishing.Pay.Sanesecurity.06012201                 1
                                                    -----
Total                                                 308

The total incoming virus count for yesterday was 512[1].  So these
signatures account for some 60% of what was detected.

[1] I'm blocking on several RBLs and using other methods for
reducing incoming rubbish.  These may well be preventing a lot
of viruses even reaching the scanning stage.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-30 Thread Steve Basford


Webmaster wrote:

> Your signatures are based on HTML (Filetype = 3).
> Shouldn't they be based on Mail (Filetype = 4)?

Interesting... I'll do some tests later today changing the type.

The interesting thing though, is that when you go to the online database
search site http://clamav-du.securesites.net/cgi-bin/clamgrok and type
in "Phishing", select "contains" and then
tick the "signature" box, you'll get a list of current ClamAV
signatures... the majority of which are type 3.

But you're right... it does work... but would mail format be better?

> This could avoid false positives like this one:
> - Go to http://www.sanesecurity.com/clamav/
> - Save the html page on your hard disk
> - Scan the saved web page with your phish.ndb signatures
> => Html.Phishing.Auction.Sanesecurity.06010701 FOUND

Doh ;)   Okay...thanks for reporting that one... I'll take a look

> Anyway, thank you for creating signatures. This is useful for a lot of us.

No problem... just trying to help.

In fact, yesterday the sigs certainly saved me a job, as this
attempt came in and was blocked by the sig that I
made in November.   ClamAV's default sigs didn't know about the virus in
the attachment but I caught it using the content
of the text :)

Eg:
http://groups.google.co.uk/groups?q=sightings+%22picture+is+not+to+your+liking%22&start=0&scoring=d&hl=en&;

Thanks again,

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-30 Thread Webmaster
Hello Steve,

On Tuesday 24 January 2006 21:49, Steve Basford wrote:
> As, I've seen a number of new phishing attempts get past the Official
> ClamAV signatures, I thought I'd try to produce my own signatures, to
> see if some of these newer phishing attempts could be stopped.
>
> They are here to download, if anyone is interested:
> http://www.sanesecurity.com/clamav/

Your signatures are based on HTML (Filetype = 3).
Shouldn't they be based on Mail (Filetype = 4)?

This could avoid false positives like this one:
- Go to http://www.sanesecurity.com/clamav/
- Save the html page on your hard disk
- Scan the saved web page with your phish.ndb signatures
=> Html.Phishing.Auction.Sanesecurity.06010701 FOUND

Anyway, thank you for creating signatures. This is useful for a lot of us.

Best regards,

Arnaud Jacques
Security Consultant

Telephone / Fax : +33-(0)3.44.39.76.46
Mobile : +33-(0)6.24.40.95.03
E-mail : [EMAIL PROTECTED]

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-30 Thread Steve Basford


Oliver Stöneberg wrote:

> You should really clean up your signatures. I have a Phishing set of
> 512 Phishing of which 23 are not recognised by ClamAV. From those
> only 4 are captured by your signatures, which are the following:

Firstly, thanks for the feedback.   Although I must say, I'm
disappointed but not really surprised that
my signatures didn't get all your samples, as there are sooo many ways
of doing phishing attempts.

> If I scan the complete set with your signatures a lot of mails
> already recognised by ClamAV are actually recognised by your
> signatures, so there are quite some duplicates in your signatures,
> compared to ClamAV.

Hmmm well, in my sample set, I've certainly scanned them with the
default ClamAV sigs and
then used --remove to remove the samples *before* I try to create a sig
for the missed ones.   I guess
there must be dupes...elsewhere.

Both signatures will match... but

> I might post a list of the signatures, that are recognising mails,
> that are already in ClamAV signatures, but I rather see you doing a
> cleanup first

I feel that it's going to be quite difficult for me to go through 500-odd
ClamAV phishing signatures and
compare them, with an editor, to my 100-ish signatures and find out what
bits are duplicated.  I really
need some samples.

If possible, to save a whole load of time... could you:

a) give me the sample phishing emails that are duplicated
b) give me the sample phishing emails that are missed

Email me, to chat off-list: steveb_clamav -AT- sanesecurity -DOT- com

Thanks again for the feedback...

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-30 Thread Steve Basford


Dennis Peterson wrote:

> It's worth repeating the question I asked  over a week ago - what
> methodology is used in collecting these so that dupes are avoided?
> Nobody answered, unfortunately, so now we see we have dupes.

Sorry for the delay... apart from being more than a little busy... I
must admit, I've spent more time adding to the signatures
than doing the "boring" bit of documenting the methods of producing them.

Anyway, here's a very rushed, "first draft" version of how I put
together one signature:

http://sanesecurity.com/clamav/method.pdf

No doubt, it's got a lot of stuff missing and people will have much
better/quicker ways of doing the same thing. But,
I guess that's life! ;)

Cheers,

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Dennis Peterson

Oliver Stöneberg wrote:

> So these are Phishing mails, that are not recognised by ClamAV, but
> by your signatures.
>
> If I scan the complete set with your signatures a lot of mails
> already recognised by ClamAV are actually recognised by your
> signatures, so there are quite some duplicates in your signatures,
> compared to ClamAV.
>
> I might post a list of the signatures, that are recognising mails,
> that are already in ClamAV signatures, but I rather see you doing a
> cleanup first.
>
> I did this test with 0.88-1 and signatures database version 1257.

It's worth repeating the question I asked  over a week ago - what methodology is
used in collecting these so that dupes are avoided? Nobody answered,
unfortunately, so now we see we have dupes.


dp


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Oliver Stöneberg
You should really clean up your signatures. I have a Phishing set of
512 Phishing of which 23 are not recognised by ClamAV. From those
only 4 are captured by your signatures, which are the following:

d:\_ham-mails\_scan/phishing.070: 
Html.Phishing.Bank.Sanesecurity.05080100 FOUND
d:\_ham-mails\_scan/phishing.192: 
Html.Phishing.Auction.Sanesecurity.05080100 FOUND
d:\_ham-mails\_scan/phishing.199: 
Html.Phishing.Pay.Sanesecurity.05120802 FOUND
d:\_ham-mails\_scan/phishing.335: 
Html.Phishing.Pay.Sanesecurity.06011101 FOUND

So these are Phishing mails, that are not recognised by ClamAV, but 
by your signatures.

If I scan the complete set with your signatures a lot of mails 
already recognised by ClamAV are actually recognised by your 
signatures, so there are quite some duplicates in your signatures, 
compared to ClamAV.

I might post a list of the signatures, that are recognising mails, 
that are already in ClamAV signatures, but I rather see you doing a 
cleanup first.

I did this test with 0.88-1 and signatures database version 1257.

> Hi,
> 
> Firstly, I've done an update to the Unofficial Phishing Signatures.
> 
> Secondly... will whoever is using ip address 216.35.188.119, please sort 
> out their wget config file:
> 
> 216.35.188.119 - - [29/Jan/2006:20:36:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:38:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:40:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:42:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:44:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:46:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:48:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:50:02 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:52:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:54:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:56:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:58:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 
> I don't update the sigs *that* often ;)
> 
> IP has been blocked access for now.
> 
> Cheers,
> 
> Steve
> 




Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Rob MacGregor
On 1/29/06, Steve Basford <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Firstly, I've done an update to the Unofficial Phishing Signatures.
>
> Secondly... will whoever is using ip address 216.35.188.119, please sort
> out their wget config file:

A quick WhoIS check says it's mail.mrball.net (POC todd  mrball.net).

--
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he
doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Steve Basford

Hi,

Firstly, I've done an update to the Unofficial Phishing Signatures.

Secondly... will whoever is using ip address 216.35.188.119, please sort 
out their wget config file:


216.35.188.119 - - [29/Jan/2006:20:36:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:38:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:40:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:42:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:44:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:46:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:48:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:50:02 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:52:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:54:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:56:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:58:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"


I don't update the sigs *that* often ;)

IP has been blocked access for now.

Cheers,

Steve



Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-26 Thread Stephen Gran
On Thu, Jan 26, 2006 at 10:32:22PM +, Steve Basford said:
> 
> 
> Mike Robinson wrote:
> >The first question is, does clamd automatically detect changes to .ndb
> >files?  
> Sorry for the late reply...
> 
> I did a quick test and it seems to only get "re-loaded", after running 
> freshclam,

clamd notices new databases after a restart, a RELOAD command, a signal,
or SelfCheck seconds have passed.  Pick the one that works for you.
-- 
 --
|  Stephen Gran  | Now there's a violent movie titled, |
|  [EMAIL PROTECTED] | "The Croquet Homicide," or "Murder With |
|  http://www.lobefin.net/~steve | Mallets Aforethought."   -- Shelby  |
|| Friedman, WSJ.  |
 --




Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-26 Thread Tomasz Kojm
On Thu, 26 Jan 2006 22:32:22 +
Steve Basford <[EMAIL PROTECTED]> wrote:

> Mike Robinson wrote:
> > The first question is, does clamd automatically detect changes to .ndb
> > files?  
> Sorry for the late reply...
> 
> I did a quick test and it seems to only get "re-loaded", after running 
> freshclam,

clamd automatically detects and loads new databases on every SelfCheck

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 26 23:35:49 CET 2006




Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-26 Thread Freddie Cash
On Wednesday 25 January 2006 10:24 am, Mike Robinson wrote:
> Jason Haar wrote:
> > Dennis Peterson wrote:
> >> What methodology are you using to create these? It looks
> >> like an opportunity for collaboration if there's a way
> >> to avoid dupes.
> >
> > If signature development is truly getting bogged down, perhaps more
> > official people are needed? I guess we'd hear a call for volunteers
> > if it was?
> >
> > Is there a process by which people can volunteer? I think more skills
> > than "need to know how to run md5sum" will be required ;-)

> The first question is, does clamd automatically detect changes to .ndb
> files?  If not, I'm thinking we should get it put into the newest

clamd loads the databases once at startup.  You can restart clamd, send a 
notify to clamd, or run freshclam to have it reload the databases.

clamscan loads the databases each time it is called, so it will pick up 
the new databases right away.

clamdscan uses clamd, see above.

-- 
Freddie Cash, LPIC-1 CCNT CCLP  Helpdesk / Network Support Tech.
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-26 Thread Steve Basford



Mike Robinson wrote:

> The first question is, does clamd automatically detect changes to .ndb
> files?

Sorry for the late reply...

I did a quick test and it seems to only get "re-loaded", after running
freshclam,

ie: like this:

1) example phish.ndb has two sigs
2) clamd is running
3) you overwrite the phish.ndb, with one that has a total update of four
sigs
4) clamdscan, when run will not recognize the last two updated sigs,
when scanning
5) run freshclam
6) the database then gets reloaded and the last two updated sigs, are
available to clamd, when scanning


I guess it's this section of freshclam.conf:

# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
NotifyClamd /cygdrive/c/clamav-devel/etc/clamd.conf

So, I doubt any code-changes are needed but then... it's been a long 
day ;)


Cheers,

Steve


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-25 Thread Todd Lyons
On Wed, Jan 25, 2006 at 06:40:37PM +, Steve Basford wrote:

>If you look at Section 3.3 (Basic Signature format) you'll see that 
>these databases are .db format, which
>doesn't have a html type, it looks for matches in ALL file types, which 
>I thought would increase the risk of
>false positives.

Very good reasoning.  Quite frankly I'm a bit embarrassed having asked
that question now.
-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.12-15mdksmp   load average: 0.14, 0.11, 0.08


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-25 Thread Steve Basford

Todd Lyons wrote:

Any reason to call it phish.ndb instead of phish.db?  Just a way to make
automating it easier?

Hi Todd,

If you look at the current signature pdf docs here:
http://www.clamav.net/doc/0.88/signatures.pdf

If you look at Section 3.3 (Basic Signature format) you'll see that these databases are .db format, which doesn't have a html type, it looks for matches in ALL file types, which I thought would increase the risk of false positives.

So, I went for Extended Signature format (Section 3.4), which MUST be in a .ndb format.


I think that's right anyway ;)

Steve
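The two things Steve works out in the thread above, the .db versus .ndb format difference and the need to get a running clamd to reload a replaced phish.ndb, as an added Python example (not code from this thread and not ClamAV's own). It builds and parses signatures in both formats, runs literal signatures over constructed mail samples the way Steve scans his folder of genuine mail, validates and installs an .ndb atomically, and sends clamd the same RELOAD command that freshclam's NotifyClamd sends. DB_DIR, CLAMD_SOCKET, the sample messages and the naive HTML check are assumptions, not taken from the thread; the target-type numbers are those listed in the 0.88 signatures.pdf.

```python
"""Added example, not code from this thread or from ClamAV.  It works through the
two points made above: the .db versus .ndb signature formats (sections 3.3 and 3.4
of the 0.88 signatures.pdf cited in the thread) and getting a replaced phish.ndb
loaded by a running clamd.  Target-type numbers follow that document; SAMPLES are
constructed; the HTML check is a crude stand-in for ClamAV's own file-type
detection; DB_DIR and CLAMD_SOCKET are assumed paths."""
import os
import re
import socket
import tempfile

DB_DIR = "/var/lib/clamav"                  # assumption: DatabaseDirectory
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: LocalSocket
# Target types listed in signatures.pdf for ClamAV 0.88 (section 3.4).
TARGET_TYPES = {0: "any file", 1: "Portable Executable", 2: "OLE2 component",
                3: "Normalised HTML", 4: "Mail file", 5: "Graphics", 6: "ELF"}
# Hex body: hex digits plus the wildcard syntax (??, *, {n}, {-n}, (a|b), !).
HEX_BODY_RE = re.compile(r"^[0-9a-f?*{}()|!,-]+$")

def make_ndb_sig(name, needle, target=3, offset="*"):
    """Extended .ndb format, Name:TargetType:Offset:HexSig.  target=3 limits
    the match to normalised HTML, which is why phish.ndb uses this format;
    the basic .db form, Name=HexSig, is matched in every file type."""
    if target not in TARGET_TYPES:
        raise ValueError(f"unknown target type {target}")
    return f"{name}:{target}:{offset}:{needle.encode().hex()}"

def parse_sig(line):
    """Describe one .db or .ndb line as a dict; raise ValueError if malformed."""
    line = line.strip()
    parts = line.split(":")
    if len(parts) >= 4:                         # extended format
        name, target, offset, hexsig = parts[0], int(parts[1]), parts[2], parts[3]
        fmt = "ndb"
    elif "=" in line:                           # basic format
        name, hexsig = line.split("=", 1)
        target, offset, fmt = 0, "*", "db"
    else:
        raise ValueError(f"unrecognised signature line: {line!r}")
    hexsig = hexsig.lower()
    if not HEX_BODY_RE.match(hexsig) or target not in TARGET_TYPES:
        raise ValueError(f"bad signature {name}: target {target}, body {hexsig!r}")
    return {"name": name, "format": fmt, "target": target,
            "target_name": TARGET_TYPES[target], "offset": offset, "hex": hexsig}

def literal_bytes(hexsig):
    """Bytes of a wildcard-free signature body, else None."""
    return bytes.fromhex(hexsig) if re.fullmatch(r"(?:[0-9a-f]{2})+", hexsig) else None

def find_hits(sig_lines, samples):
    """(signature name, sample name) for each literal signature found in a sample
    of the right type: the thread's scan over genuine mail, in miniature."""
    hits = []
    for line in sig_lines:
        sig = parse_sig(line)
        needle = literal_bytes(sig["hex"])
        if needle is None:
            continue                            # wildcard sigs are left to clamscan
        for sample_name, data in samples.items():
            if sig["target"] == 3 and b"<html" not in data[:512].lower():
                continue                        # crude stand-in for HTML detection
            if sig["target"] in (0, 3) and needle in data:
                hits.append((sig["name"], sample_name))
    return sorted(hits)

def validate_ndb(path):
    """Parse every non-comment line; return the count or raise on the first bad one."""
    with open(path) as fh:
        lines = [l for l in fh if l.strip() and not l.startswith("#")]
    for line in lines:
        if parse_sig(line)["format"] != "ndb":
            raise ValueError(f"{path}: not extended format: {line.strip()!r}")
    return len(lines)

def install_ndb(src, db_dir=DB_DIR, name="phish.ndb"):
    """Validate, then replace db_dir/name atomically; clamd still needs a RELOAD."""
    validate_ndb(src)
    fd, tmp = tempfile.mkstemp(prefix=".phish.", dir=db_dir)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        out.write(inp.read())
    os.chmod(tmp, 0o644)                        # mkstemp gives 0600, clamd must read it
    dest = os.path.join(db_dir, name)
    os.replace(tmp, dest)                       # rename(2) is atomic on POSIX
    return dest

def reload_clamd(sock_path=CLAMD_SOCKET):
    """Send clamd's RELOAD command (what NotifyClamd does); clamd answers RELOADING."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"RELOAD\n")
        return s.recv(64).decode().strip()

# Constructed samples: one phishing HTML mail body, one genuine receipt.
SAMPLES = {
    "phish.html": b'<html><body><a href="http://paypal.example.invalid/cgi-bin/webscr">'
                  b'Confirm your paypal account</a></body></html>',
    "genuine-receipt.txt": b"Thanks for your paypal payment of $12.00 to Example Shop.\n",
}
```

Running `find_hits(["Phish.Broad=70617970616c"], SAMPLES)` (the hex is "paypal") reports both samples, the genuine receipt included, which is the false-positive risk of the .db form; `find_hits([make_ndb_sig("Phish.Broad-HTML", "paypal")], SAMPLES)` is only tried against the HTML sample, and a needle taken from the spoofed URL hits the phish alone. `reload_clamd()` needs a clamd listening on a LocalSocket; on a 0.88-era install the equivalent is running freshclam with NotifyClamd set, as Steve found.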


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-25 Thread Todd Lyons

On Tue, Jan 24, 2006 at 08:49:03PM +, Steve Basford wrote:

>Note 2: Use the unofficial phish.ndb at your own risk.

Any reason to call it phish.ndb instead of phish.db?  Just a way to make
automating it easier?
-- 
Regards...  Todd
when you shoot yourself in the foot, just because you are so neurally
broken that the signal takes years to register in your brain, it does
not mean that your foot does not have a hole in it.  --Randy Bush
Linux kernel 2.6.12-15mdksmp   load average: 0.12, 0.10, 0.04


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-25 Thread Mike Robinson
Jason Haar wrote:
> Dennis Peterson wrote:
>> What methodology are you using to create these? It looks
>> like an opportunity for collaboration if there's a way
>> to avoid dupes.
>
> If signature development is truly getting bogged down, perhaps more
> official people are needed? I guess we'd hear a call for volunteers if
> it was?
>
> Is there a process by which people can volunteer? I think more skills
> than "need to know how to run md5sum" will be required ;-)

The first question is, does clamd automatically detect changes to .ndb
files?  If not, I'm thinking we should get it put into the newest
CVS...then we would need someone to host the updates...maybe make a tool
like freshclam or get a change into freshclam that lets us put in extra
signature locations.  We could do it something like SARE for
SpamAssassin... (http://www.rulesemporium.com/)

You know, having different signatures...some bleeding edge, others that
we can eventually feed back into the ClamAV database...


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-25 Thread Jason Haar
Dennis Peterson wrote:
> What methodology are you using to create these? It looks
> like an opportunity for collaboration if there's a way
> to avoid dupes.

If signature development is truly getting bogged down, perhaps more
official people are needed? I guess we'd hear a call for volunteers if
it was?

Is there a process by which people can volunteer? I think more skills
than "need to know how to run md5sum" will be required ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-24 Thread Dennis Peterson
> They are here to download, if anyone is interested:
> http://www.sanesecurity.com/clamav/

What methodology are you using to create these? It looks
like an opportunity for collaboration if there's a way
to avoid dupes.

dp


[Clamav-users] Unofficial Phishing Signatures

2006-01-24 Thread Steve Basford
There are already a number of great phishing signatures in ClamAV but the Official ClamAV signature makers are obviously very busy taking care of the higher priority Virus/Trojan signatures.

As I've seen a number of new phishing attempts get past the Official ClamAV signatures, I thought I'd try to produce my own signatures, to see if some of these newer phishing attempts could be stopped.


They are here to download, if anyone is interested: 
http://www.sanesecurity.com/clamav/


Note 1: Please, no discussion on whether phishing sigs should be included in ClamAV (see clamscan: --no-phishing option and clamd: DetectPhishing option)


Note 2: Use the unofficial phish.ndb at your own risk.

Cheers,

Steve
