Re: [Clamav-users] Phishing Questions

2005-01-28 Thread Robert G. Werner
jef moskot wrote:
On Thu, 27 Jan 2005, Jim Maul wrote:
What if the plumber and the mechanic work on it together? ;)

What if the electrician goes to night school to learn ornithology?
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Or better yet, after learning Ornithology, he then flies you to work 
in his Ornithopter ...

--
In Reach Technology:http://www.inreachtech.net/
Robert G. Werner
[EMAIL PROTECTED]
Tel: 559.304.5122
You can create your own opportunities this week.  Blackmail a senior 
executive.


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Sam wrote:
 I have yet another question. I have noticed Clam stopping (or at
 least to me it appears to be stopping) various phishing attempts. Or am I
 wrong?
 If this is the case, I will start submitting phishing attempts I see (I
 probably get 3 - 4 a day).

Please don't.  Phishing attempts do not automatically propagate (by 
infecting a machine and being re-sent) and therefore are generally 
one-time events.  As such, they can be trivially changed to evade any 
signature-based filter, which must obviously generate a signature 
_after_ the release of each phishing email.  As a result, blocking of 
phishing schemes is best left to anti-spam tools such as SpamAssassin. 
In contrast, once a virus (or other auto-propagating code) is released, 
the author no longer has control, so signatures can be developed.

There was a discussion about this several months ago.  Unfortunately, 
many people (including part of the signature-generation team) are too 
dogmatic about their feelings that "phishing is bad, so we should block 
it" to look at it logically.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:25 AM, Damian Menscher wrote:
 There was a discussion about this several months ago.  Unfortunately, 
 many people (including part of the signature-generation team) are too 
 dogmatic about their feelings that "phishing is bad, so we should 
 block it" to look at it logically.

Can I submit win.com for inclusion as a signature? :-)
/duck
-Bart


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Paul Bijnens
Damian Menscher wrote:
 Please don't.  Phishing attempts do not automatically propagate (by 
 infecting a machine and being re-sent) and therefore are generally 
 one-time events.  As such, they can be trivially changed to evade any 
 signature-based filter, which must obviously generate a signature 
 _after_ the release of each phishing email.  As a result, blocking of 
 phishing schemes is best left to anti-spam tools such as SpamAssassin. 
 In contrast, once a virus (or other auto-propagating code) is released, 
 the author no longer has control, so signatures can be developed.

I have a lot of those one-time events that clamav blocks.
On my installation, I see about the same number of phishing-mails
being blocked by clamav as the somefool-virus.
It certainly helps my users.
--
Paul Bijnens, Xplanation                            Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/  email:  [EMAIL PROTECTED]
***
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!,  M-Z, ^X^C,  logoff, logout, close, bye,  /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...*
* ...  Are you sure?  ...   YES   ...   Phew ...   I'm out  *
***


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Sam
On Thu, 27 Jan 2005, Jim Maul wrote:
 Is it causing you (or anyone for that matter) a problem by clamav 
 catching some phishing attempts as opposed to spamassassin catching 
 them?  What's really the issue here?  You just don't believe clamav is the 
 right tool for that job, but is there REALLY a problem?  I doubt it.
 
 If my car is broken usually I take it to a mechanic.  But if a friend of 
 mine who happens to be a plumber can fix it also, does it really matter 
 if I bring it to him instead?  No.

(This is directed more at Trog than anyone...) So if one were to submit 
phishing attempts, what do you need? I don't think the virus submission 
page will allow one to submit something without an attachment?

Do you need headers?

Do you need the email saved as an attachment and uploaded?

Sorry to have so many questions.

Also to Damian: I understand what you are saying, but tend to agree more 
with Jim. What does it matter who catches it as long as it's caught?

(Plus I haven't gotten a chance to set up spamassassin yet. :)

Sam



Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Trog
On Thu, 2005-01-27 at 09:45 -0600, Sam wrote:

 (This is directed more at Trog than anyone...) So if one were to submit 
 phishing attempts, what do you need? I don't think the virus submission 
 page will allow one to submit something without an attachment?
 
 Do you need headers?
 
 Do you need the email saved as an attachment and uploaded?
 

The raw email, with headers please.

-trog





Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:33 AM, Tomasz Kojm wrote:
 No problem. As a bonus we will create a signature for your domain name
 ;-)

Just kidding!  Honest!  I'd NEVER think of having Windows thought of as 
a virus... :-)



Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Tomasz Kojm
On Thu, 27 Jan 2005 11:27:00 -0500
Adam Tauno Williams [EMAIL PROTECTED] wrote:

 Just my two cents - I agree with the other guy.  CLAM should block
 virii and worms, and leave SPAM to something else.  Just think of the

Phishing IS NOT spam! Is that really so hard to understand?

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 27 17:26:42 CET 2005




Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Stefan Hornburg
On Thu, 27 Jan 2005 17:29:05 +0100
Tomasz Kojm [EMAIL PROTECTED] wrote:

 On Thu, 27 Jan 2005 11:27:00 -0500
 Adam Tauno Williams [EMAIL PROTECTED] wrote:
 
  Just my two cents - I agree with the other guy.  CLAM should block
  virii and worms, and leave SPAM to something else.  Just think of the
 
 Phishing IS NOT spam! Is that really so hard to understand?

Can you give me a pointer to how Phishing is defined and detected in
the context of ClamAV ?

I would like to convey the correct notion in my presentation at
the Chemnitzer Linuxtag in March :-)

Bye
Racke


-- 
LinuXia Systems = http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP = http://www.icdevgroup.org/
Interchange Development Team



Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Tomasz Kojm
On Thu, 27 Jan 2005 17:40:25 +0100
Stefan Hornburg [EMAIL PROTECTED] wrote:

 Can you give me a pointer to how Phishing is defined and detected in
 the context of ClamAV ?

See http://www.antiphishing.org/

What is Phishing?
Phishing attacks use 'spoofed' e-mails and fraudulent websites designed
to fool recipients into divulging personal financial data such as credit
card numbers, account usernames and passwords, social security numbers,
etc. By hijacking the trusted brands of well-known banks, online
retailers and credit card companies, phishers are able to convince up to
5% of recipients to respond to them.

ClamAV contains special mechanisms (such as a HTML normalisator) that
help to catch them.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 27 17:53:13 CET 2005




Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Tomasz Kojm wrote:
 Phishing IS NOT spam! Is that really so hard to understand?

Phishing IS NOT a virus! Is that really so hard to understand?
Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Mike Lambert
Tomasz Kojm wrote:
 On Thu, 27 Jan 2005 11:27:00 -0500
 Adam Tauno Williams [EMAIL PROTECTED] wrote:

  Just my two cents - I agree with the other guy.  CLAM should block
  virii and worms, and leave SPAM to something else.  Just think of the

 Phishing IS NOT spam! Is that really so hard to understand?

By definition, both phishing and email viruses are spam...
http://www.spamhaus.org/definition.html
http://www.monkeys.com/spam-defined/
Internet spam is one or more unsolicited messages, sent or posted as 
part of a larger collection of messages, all having substantially 
identical content.

Perhaps it might be better to think of phishing and viruses as spam with 
  malicious or evil intent?

Regards,
Mike Lambert


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Tomasz Kojm
On Thu, 27 Jan 2005 10:57:27 -0600 (CST)
Damian Menscher [EMAIL PROTECTED] wrote:

 On Thu, 27 Jan 2005, Tomasz Kojm wrote:
  
  Phishing IS NOT spam! Is that really so hard to understand?
 
 Phishing IS NOT a virus! Is that really so hard to understand?

95% of internet worms are not viruses as well.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 27 18:00:27 CET 2005




Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 11:29 AM, Tomasz Kojm wrote:
 On Thu, 27 Jan 2005 11:27:00 -0500
 Adam Tauno Williams [EMAIL PROTECTED] wrote:
  Just my two cents - I agree with the other guy.  CLAM should block
  virii and worms, and leave SPAM to something else.  Just think of the
 Phishing IS NOT spam! Is that really so hard to understand?

As I understand it, it doesn't execute code on the computer or spread to 
other systems without intervention either.

This entire thread is degenerating...it was hashed and rehashed 
already.  The ultimate decision goes to the Clam developers, and I 
believe they already decided it.  Everything that's bad would be 
blocked, so end users could live with it or use a different product.  
Our Windows computers are slowly being migrated to static images using 
Deep Freeze, and if users decide to hand out their bank account info 
without stopping to think that maybe they shouldn't give out sensitive 
information we couldn't really stop them.

I would have thought it would be more of a burden eventually to keep up 
with HTML messages going out to people asking for info along with the 
binary executables containing viruses so the scanner could catch them 
both, but oh well.  Maybe the UNIX-ish philosophy of specialized 
applications working together to accomplish goals is giving way to the 
more common Windows throw-everything-together mindset.  Maybe it's 
overlapping jobs.  This is certainly the way commercial AV's go about 
it now.  I've seen all sorts of hits on crap from the web cache on 
Windows machines...why?  Because the AV is hitting stuff the latest 
update to Spybot is hitting now.  And Ad-Aware/Spybot/etc. are hitting 
some mail viruses.  But it doesn't matter.  The Clam people made their 
decision, and the end user benefits from it, even if it does overlap 
with other systems in place for guarding against phishing/spam.  If a 
developer really resents it, they could fork the project.  Personally, 
I see having three programs doing the same thing as just bloat; 
phishing is annoying, hit delete or configure the spam filter to get 
it.  Others see it as having three systems increasing the chances of 
catching new crap as it comes out.  I'm tired of fighting with it and 
tired of the administrators who never turn off their collateral 
damage-causing "you sent me a virus!" notifications.  End users don't 
see any difference though, so companies pander to this mindset of 
protecting people from all that's potentially bad, period.

Regardless, if the developers wish to get input from users on the issue 
and are considering it one way or the other, then maybe a thread like 
this would be useful.  As it stands, discussing it again accomplishes 
nothing, and will inevitably lead to flames and arguments that 
still...accomplish...nothing.  Except sarcastic comments like mine 
about submitting win.com as a signature.

If all this crap has evolved to the point where 
spyware/trojans/phishing/spam are now one thing (magical MalWare!  
Software that's just *bad!*), then maybe someone should come up with a 
new email network that can truly work so we don't get this junk 
anymore, period.  Email was never meant for the five meg "look at the 
pictures!" attachments.  It wasn't meant for emailing programs to one 
another.  Does it really need to be a proxy for web pages by emailing 
people all this html-formatted crap that makes dancing images appear 
while compromising Explorer?  We can't even get people to stop with top 
posting or formatting email in a way that makes it easy to read, 
without twenty embedded sigs or munged headers.  We even have these 
sigs saying that the contents of the message are confidential meant 
only for the named recipient and if you get it in error...huh?  I 
already read the message!  What good is that?!  It's not even been 
tested in the courts as binding!  Why are you wasting ten lines of 
space at the end of every message telling me this?? It's the EULA of 
email...no one even reads them anymore.  Start an email network that 
uses clients with embedded encryption.  Voilà, no more accidental 
reading.  Even makes it safer in transit.

Whew...I'm going to go lay down before I have an aneurism.


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Jim Maul
Damian Menscher wrote:
 On Thu, 27 Jan 2005, Tomasz Kojm wrote:
  Phishing IS NOT spam! Is that really so hard to understand?

 Phishing IS NOT a virus! Is that really so hard to understand?

Ok, so it's not a virus, and it's not spam.  So neither product should 
detect it you're saying? How about both products detect it, we have 
overlap, and users are happy cause they don't have to deal with this crap 
in their inbox.

-Jim


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Tomasz Kojm wrote:
 On Thu, 27 Jan 2005 Damian Menscher [EMAIL PROTECTED] wrote:
  On Thu, 27 Jan 2005, Tomasz Kojm wrote:

   Phishing IS NOT spam! Is that really so hard to understand?

  Phishing IS NOT a virus! Is that really so hard to understand?

 95% of internet worms are not viruses as well.

...which is why, in my original email, I referred to things that 
propagate automatically without intervention from their author.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread C. Bensend

 Ok, so it's not a virus, and it's not spam.  So neither product should
 detect it you're saying? How about both products detect it, we have
 overlap, and users are happy cause they don't have to deal with this crap
 in their inbox.

Personally, I'd love to have it as a config option in clamd.conf.  Make
it catch phishes by default out-of-the-box, but being able to disable
that would be nice.

I am working on a spam research project and ClamAV skews my results
slightly because it nabs the phishes.  But I'm absolutely OK with that,
because ClamAV works so damned well.

Thanks, ClamAV developers.  :)

Benny


-- 
I'm on the Zoloft to keep from killing y'all.
  -- Mike Tyson



Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Jim Maul wrote:
 Is it causing you (or anyone for that matter) a problem by clamav catching 
 some phishing attempts as opposed to spamassassin catching them?  What's 
 really the issue here?  You just don't believe clamav is the right tool for 
 that job, but is there REALLY a problem?  I doubt it.

Virus signatures typically rely on some binary attachment.  Phishing 
signatures rely on plaintext.  Therefore the probability of a false 
positive goes way up.  For those who drop/reject viruses, this is an 
unacceptable (and unnecessary) risk.

 If my car is broken usually I take it to a mechanic.  But if a friend of mine 
 who happens to be a plumber can fix it also, does it really matter if I bring 
 it to him instead?  No.

Great analogy.  What if you have two friends, one who happens to be a 
plumber, and one who happens to be a mechanic?  If it's free either way, 
who would you take it to?  Me, I'd take it to the mechanic.  Sure, the 
plumber can probably fix it.  But what if his solution to that fuel-line 
clog is a gallon of Drano?  Is it really worth the risk?

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Jim Maul
Damian Menscher wrote:
 On Thu, 27 Jan 2005, Jim Maul wrote:
  Is it causing you (or anyone for that matter) a problem by clamav 
  catching some phishing attempts as opposed to spamassassin catching 
  them?  What's really the issue here?  You just don't believe clamav is 
  the right tool for that job, but is there REALLY a problem?  I doubt it.

 Virus signatures typically rely on some binary attachment.  Phishing 
 signatures rely on plaintext.  Therefore the probability of a false 
 positive goes way up.  For those who drop/reject viruses, this is an 
 unacceptable (and unnecessary) risk.

This is probably the best (and possibly only) reason I have heard to not 
detect them.  In a case where some people want the option and others 
don't, perhaps a way to turn off detection of these messages if you so 
choose is the best option.

  If my car is broken usually I take it to a mechanic.  But if a friend 
  of mine who happens to be a plumber can fix it also, does it really 
  matter if I bring it to him instead?  No.

 Great analogy.  What if you have two friends, one who happens to be a 
 plumber, and one who happens to be a mechanic?  If it's free either way, 
 who would you take it to?  Me, I'd take it to the mechanic.  Sure, the 
 plumber can probably fix it.  But what if his solution to that fuel-line 
 clog is a gallon of Drano?  Is it really worth the risk?

What if the plumber and the mechanic work on it together? ;)
-Jim


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Tomasz Kojm
On Thu, 27 Jan 2005 11:08:12 -0600 (CST)
Damian Menscher [EMAIL PROTECTED] wrote:

 ...which is why, in my original email, I referred to things that 
 propagate automatically without intervention from their author.

OK, so what about the trojans? ;-)

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 27 18:21:16 CET 2005




Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Dennis Peterson
Sam said:


 Also to Damian: I understand what you are saying, but tend to agree more
 with Jim. What does it matter who catches it as long as it's caught?

The answer to this is simple: my policy for dealing with spam is quite
different than my policy for dealing with viruses. Spam is annoying,
phishing is annoying, viruses are a real time danger.

We do a lot of on-line commerce. We cannot tolerate many false positives.
Phishing exploits are something we deal with through education first, and
filtering second. As phishers become more sophisticated and numerous false
positives will rise leaving education as the final solution. I prefer
using my filter processes for defending against them as I can fine tune
them to our needs.

dp


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Tomasz Kojm wrote:
 On Thu, 27 Jan 2005  Damian Menscher [EMAIL PROTECTED] wrote:
  ...which is why, in my original email, I referred to things that 
  propagate automatically without intervention from their author.

 OK, so what about the trojans? ;-)

I take the somewhat-unusual position that trojans which will propagate 
after infecting a machine should be caught, and those that do NOT 
propagate should be allowed through (to possibly be caught by anti-spam 
or anti-spyware software).  But I'm fairly certain that's just me... 
it'd be difficult to find anyone who would agree.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Tomasz Kojm
On Thu, 27 Jan 2005 11:27:48 -0600 (CST)
Damian Menscher [EMAIL PROTECTED] wrote:

 On Thu, 27 Jan 2005, Tomasz Kojm wrote:
  On Thu, 27 Jan 2005  Damian Menscher [EMAIL PROTECTED] wrote:
  
   ...which is why, in my original email, I referred to things that 
   propagate automatically without intervention from their author.
  
  OK, so what about the trojans? ;-)
 
 I take the somewhat-unusual position that trojans which will propagate
 after infecting a machine should be caught, and those that do NOT 

Then they're rather worms than trojans.

 propagate should be allowed through (to possibly be caught by
 anti-spam or anti-spyware software).  But I'm fairly certain that's
 just me... it'd be difficult to find anyone who would agree.

Ouch...

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 27 18:31:39 CET 2005




Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Dave Goodrich
Jim Maul wrote:
 snip
 If my car is broken usually I take it to a mechanic.  But if a friend of 
 mine who happens to be a plumber can fix it also, does it really matter 
 if I bring it to him instead?  No.

 -Jim

Ok, I took part in the previous discussion and I accept the developers' 
decision. But I just.   can't. let this. go.

If my car is broken and I have a mechanic available, do I have my 
plumber fix the car while I have water leaking out of my pipes? ;^)

The issue I believe was never who the best developers were, it was not 
that no one had confidence that the Clamav developers are capable 
mechanics, or whether Clamav would do a good job. The argument was a 
discussion of efficient resource usage.

Clamav catches Phishing content, the developers made the choice, and it 
is their project. Let's move on.

DAve
--
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread BitFuzzy
You know, this gets old real quick!
Back when this debate first started (around November or so) I never 
thought it would stop.
In November I decided to do 2 things 1 log what viruses were being 
caught, where they were going, and what virus was detected.
Out of 446 detected viruses, 167 were phishing attempts.
How can stopping 167 attempts to defraud be looked at as a bad thing 
regardless of what stopped it.

ClamAV detects them, and I for one am very happy that it does.
Keep up the great work guys!!


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Ken Jones

From:
http://www.infoworld.com/article/05/01/21/04FEphishing_1.html?source=NLC-WS2005-01-26

Phishers are employing increasingly sophisticated techniques, such as
malicious code buried in images, keystroke-logging applications that
download as soon as an e-mail is opened, and spoofed Web sites that look
totally legitimate — right down to the “security” padlock in the browser.

So I think that malicious code or keystroke-logging applications falls
into the realm of clamav ...

For a good read ... http://www.antiphishing.org/

-- 
Ken Jones




Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Trog
On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote:

 
 We do a lot of on-line commerce. We cannot tolerate many false positives.
 Phishing exploits are something we deal with through education first, and
 filtering second. As phishers become more sophisticated and numerous false
 positives will rise leaving education as the final solution. I prefer
 using my filter processes for defending against them as I can fine tune
 them to our needs.
 

And how many Phishing false positives have you had exactly?

-trog





Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Trog wrote:
 On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote:
  We do a lot of on-line commerce. We cannot tolerate many false positives.
  Phishing exploits are something we deal with through education first, and
  filtering second. As phishers become more sophisticated and numerous false
  positives will rise leaving education as the final solution. I prefer
  using my filter processes for defending against them as I can fine tune
  them to our needs.

 And how many Phishing false positives have you had exactly?

All of them.  ;)
Seriously, that's an unfair question.  When you're deleting people's 
email, how would they find out if there was a false positive?  With 
spam, it's standard practice to review a junk-mail box for false 
positives regularly.  Viruses are treated differently; nobody checks 
them for false positives.  That's why this is such a concern for those 
of us who depend on email.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Trog
On Thu, 2005-01-27 at 11:14 -0600, Damian Menscher wrote:
 On Thu, 27 Jan 2005, Jim Maul wrote:
 
  Is it causing you (or anyone for that matter) a problem by clamav catching 
  some phishing attempts as opposed to spamassassin catching them?  What's 
  really the issue here?  You just don't believe clamav is the right tool for 
  that job, but is there REALLY a problem?  I doubt it.
 
 Virus signatures typically rely on some binary attachment.  Phishing 
 signatures rely on plaintext.  Therefore the probability of a false 
 positive goes way up.  For those who drop/reject viruses, this is an 
 unacceptable (and unnecessary) risk.

The opposite is, in fact, true.

(your initial assumptions are incorrect, and so are your conclusions)
 
-trog





Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Trog
On Thu, 2005-01-27 at 12:32 -0600, Damian Menscher wrote:

  
  And how many Phishing false positives have you had exactly?
 
 All of them.  ;)
 
 Seriously, that's an unfair question.  When you're deleting people's 
 email, how would they find out if there was a false positive?  With 
 spam, it's standard practice to review a junk-mail box for false 
 positives regularly.  Viruses are treated differently; nobody checks 
 them for false positives.  That's why this is such a concern for those 
 of us who depend on email.
 

You describe SPAM, not Phishing. And that's the difference you are
missing.

I've written a complete SPAM tagging application from scratch, I know
the issues involved.

Perhaps you should check your viruses for false positives. Ever had a
Parite virus deleted? With some commercial scanners, there's probably
about a 20% chance it's a false positive.

-trog





Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Jim Maul
Damian Menscher wrote:
 On Thu, 27 Jan 2005, Trog wrote:
  On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote:
   We do a lot of on-line commerce. We cannot tolerate many false positives.
   Phishing exploits are something we deal with through education first, and
   filtering second. As phishers become more sophisticated and numerous false
   positives will rise leaving education as the final solution. I prefer
   using my filter processes for defending against them as I can fine tune
   them to our needs.

  And how many Phishing false positives have you had exactly?

 All of them.  ;)
 Seriously, that's an unfair question.  When you're deleting people's 
 email, how would they find out if there was a false positive?  With 
 spam, it's standard practice to review a junk-mail box for false 
 positives regularly.  Viruses are treated differently; nobody checks 
 them for false positives.  That's why this is such a concern for those 
 of us who depend on email.


We quarantine viruses, not delete.  Perhaps you should do the same.  A 
false positive on a virus is also likely, but you don't seem to have any 
problems deleting those.

We run NAV corp on about 200 workstations.  Just this morning I got a 
notification that 98 of them were infected with w32.randex.gen.  Being 
that these machines don't have web access (only email) and this virus is 
not spread through email, I found this highly unlikely.  Turns out 
Symantec's newly distributed virus database had a false positive in it. 
Long story short, false positives do happen and you probably shouldn't be 
deleting ANY mail without first looking over it.  I realize that for 
large setups this is not likely possible due to lack of time and a large 
number of messages to review, but how can you honestly say you're 
worried about false positives in phishing attempts but delete virus 
infected mail without even looking back?

-Jim


RE: [Clamav-users] Phishing Questions

2005-01-27 Thread John Gallagher
The more tools that you have, the more the likelihood of filtering it out increases.
Just because I run ClamAv on the mail exchanger does not mean I do not run
AV on our Exchange server and all of our desktop machines.  Firewalls can do
IDS functions, AV applications for the desktop are now including Anti Spam
functions, by default outlook now has Junk Mail options.  My point is that
most people layer these things together to provide a comprehensive solution.
If ClamAv processes the message first and kills it before passing it on to the
anti spam application, why would this be a bad thing?

John 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of BitFuzzy
Sent: Thursday, January 27, 2005 9:36 AM
To: ClamAV users ML
Subject: Re: [Clamav-users] Phishing Questions

You know, this gets old real quick!

Back when this debate first started (around November or so) I never 
thought it would stop.
In November I decided to do 2 things 1 log what viruses were being 
caught, where they were going, and what virus was detected.
Out of 446 detected viruses, 167 were phishing attempts.
How can stopping 167 attempts to defraud be looked at as a bad thing 
regardless of what stopped it?

ClamAV detects them, and I for one am very happy that it does.

Keep up the great work guys!!


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Trog wrote:
On Thu, 2005-01-27 at 12:32 -0600, Damian Menscher wrote:
 Seriously, that's an unfair question.  When you're deleting people's 
 email, how would they find out if there was a false positive?  With 
 spam, it's standard practice to review a junk-mail box for false 
 positives regularly.  Viruses are treated differently; nobody checks 
 them for false positives.  That's why this is such a concern for those 
 of us who depend on email.

You describe SPAM, not Phishing. And that's the difference you are
missing.

I described the standard practice of how most admins handle spam 
filtering and virus filtering.  I did not mention phishing.  It will be 
difficult to have an intelligent discussion if you insist on making 
random assertions.

Another is your assertion that my initial assumptions were incorrect 
when I suggested that phishing signatures were more likely to create 
false positives as a result of being more likely to be matching 
plaintext.  Which initial assumptions were incorrect?  Can you back your 
assertion up with anything?

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread jef moskot
On Thu, 27 Jan 2005, Jim Maul wrote:
 What if the plumber and the mechanic work on it together? ;)

What if the electrician goes to night school to learn ornithology?


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Trog
On Thu, 2005-01-27 at 12:45 -0600, Damian Menscher wrote:

 Another is your assertion that my initial assumptions were incorrect 
 when I suggested that phishing signatures were more likely to create 
 false positives as a result of being more likely to be matching 
 plaintext.  Which initial assumptions were incorrect?  Can you back your 
 assertion up with anything?
 

Yes. Of the 126 Phishing signatures, 120 will only match in HTML
documents, and 1 will only match in email messages - they aren't
plaintext.

-trog





Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Trog wrote:
On Thu, 2005-01-27 at 12:45 -0600, Damian Menscher wrote:
 Another is your assertion that my initial assumptions were incorrect 
 when I suggested that phishing signatures were more likely to create 
 false positives as a result of being more likely to be matching 
 plaintext.  Which initial assumptions were incorrect?  Can you back your 
 assertion up with anything?

Yes. Of the 126 Phishing signatures, 120 will only match in HTML
documents, and 1 will only match in email messages - they aren't
plaintext.

Oh, ok.  Apparently we have a different definition of plaintext.  I 
generally take anything using only the lower 7 bits (ASCII table) to 
mean plaintext, and things that use the 8th bit to mean binary. 
Regardless of your definition of plaintext, it would seem that my 
conclusion that phishing signatures that rely exclusively on 7-bit ascii 
are more likely to have a false positive than binary signatures that use 
the full 8 bits is correct.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Trog
On Thu, 2005-01-27 at 13:05 -0600, Damian Menscher wrote:

 Oh, ok.  Apparently we have a different definition of plaintext.  I 
 generally take anything using only the lower 7 bits (ASCII table) to 
 mean plaintext, and things that use the 8th bit to mean binary. 
 Regardless of your definition of plaintext, it would seem that my 
 conclusion that phishing signatures that rely exclusively on 7-bit ascii 
 are more likely to have a false positive than binary signatures that use 
 the full 8 bits is correct.

Even with your definition of plaintext you are still wrong :-)

Why? Because the structure of language in plaintext files is much richer
than that used in the binaries of computer programs.

An aside:
HTML is actually Universal Character Set (UCS), or to quote the
standard:

The ASCII character set is not sufficient for a global information
system such as the Web, so HTML uses the much more complete character
set called the Universal Character Set (UCS), defined in [ISO10646].
This standard defines a repertoire of thousands of characters used by
communities all over the world.

and

When HTML text is transmitted in UTF-16 (charset=UTF-16), text data
should be transmitted in network byte order (big-endian, high-order
byte first) in accordance with [ISO10646], Section 6.3 and [UNICODE],
clause C3, page 3-1.

Furthermore, to maximize chances of proper interpretation, it is
recommended that documents transmitted as UTF-16 always begin with a
ZERO-WIDTH NON-BREAKING SPACE character (hexadecimal FEFF, also called
Byte Order Mark (BOM)) which, when byte-reversed, becomes hexadecimal
FFFE, a character guaranteed never to be assigned. Thus, a user-agent
receiving a hexadecimal FFFE as the first bytes of a text would know
that bytes have to be reversed for the remainder of the text.

-trog







Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Brian Morrison
On Thu, 27 Jan 2005 13:54:22 -0500 (EST) in
[EMAIL PROTECTED] jef moskot
[EMAIL PROTECTED] wrote:

 On Thu, 27 Jan 2005, Jim Maul wrote:
  What if the plumber and the mechanic work on it together? ;)
 
 What if the electrician goes to night school to learn ornithology?

Electrified owls?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Thu, 27 Jan 2005, Trog wrote:
On Thu, 2005-01-27 at 13:05 -0600, Damian Menscher wrote:
 Oh, ok.  Apparently we have a different definition of plaintext.  I 
 generally take anything using only the lower 7 bits (ASCII table) to 
 mean plaintext, and things that use the 8th bit to mean binary. 
 Regardless of your definition of plaintext, it would seem that my 
 conclusion that phishing signatures that rely exclusively on 7-bit ascii 
 are more likely to have a false positive than binary signatures that use 
 the full 8 bits is correct.

Even with your definition of plaintext you are still wrong :-)
Why? Because the structure of language in plaintext files is much richer
than that used in the binaries of computer programs.

I don't believe you, but at least now we're down to something that can 
be tested.  I've heard, for example, that English has about 3 bits of 
entropy per word.  So, assuming a word is 5 characters (typical 
assumption from speed-typing tests) then a 5-byte signature would 
provide 3 bits of entropy, if it was matching something designed for 
humans to read.  Anyone care to guess how many bits of entropy are in 5 
bytes of machine code?  I'm guessing it's larger, but I suppose I could 
be wrong.

The simple test is to assume that bzip2 is an ideal compression program. 
As such, it will compress data down to a size roughly equal to its level 
of entropy.  So, compress 10K of human-readable text (be it HTML, or 
whatever) and 10K of a machine-readable binary (say, from a virus). 
Which compresses down to something smaller?  I'll leave this as an 
exercise to the reader... I'm fairly confident that I already know the 
answer.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
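
The compression test proposed in the message above, as an added example that is not from the thread: it reports bzip2 output in bits per input byte for every 10K window of a file, since a single sample can land on padding or a string table. The default inputs (a standard-library source file and the running interpreter) are assumed stand-ins for the text and binary samples.

```python
import bz2
import os
import statistics
import sys

WINDOW = 10 * 1024  # the 10K sample size proposed in the message


def bits_per_byte(data: bytes) -> float:
    """bzip2-compressed size, in bits, per byte of input."""
    return 8 * len(bz2.compress(data, 9)) / len(data)


def window_profile(data: bytes, window: int = WINDOW) -> list:
    """bits_per_byte for each full, non-overlapping window of the input."""
    return [bits_per_byte(data[i:i + window])
            for i in range(0, len(data) - window + 1, window)]


def summarize(data: bytes, window: int = WINDOW) -> dict:
    """Min / median / max bits per byte over all windows of the input."""
    profile = window_profile(data, window)
    if not profile:
        raise ValueError("input shorter than one window")
    return {"windows": len(profile), "min": min(profile),
            "median": statistics.median(profile), "max": max(profile)}


if __name__ == "__main__":
    # Assumed stand-ins, not samples from the thread: a stdlib source file as
    # human-readable text, the running interpreter as machine-readable binary.
    paths = sys.argv[1:] or [os.__file__, sys.executable]
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            stats = summarize(data)
        except ValueError as exc:
            print(f"{path}: skipped ({exc})")
            continue
        print(f"{path}: {stats['windows']} windows, bits/byte "
              f"min={stats['min']:.2f} median={stats['median']:.2f} "
              f"max={stats['max']:.2f}")
```

Compressibility measures the redundancy of the data as a whole; it does not by itself give the chance that one particular signature matches unrelated content.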


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Dennis Peterson
 On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote:
 
  We do a lot of on-line commerce. We cannot tolerate many false positives.
  Phishing exploits are something we deal with through education first, and
  filtering second. As phishers become more sophisticated and numerous false
  positives will rise leaving education as the final solution. I prefer
  using my filter processes for defending against them as I can fine tune
  them to our needs.
 
 And how many Phishing false positives have you had exactly?
 
 -trog

Quite a few in my own filtering. I add x-headers rather than block them so
it is possible to keep track. If clamav is blocking them then I have
no idea as we don't quarantine. How many are needed for it to be a bad
idea? Can it even happen with Clamav? I don't know and I can't risk it.

dp


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Jason Haar
I don't understand what the fuss is.
clamAV (like all other AVs) produces a report stating what the malware 
is. In the case of Phishing, clamAV tags them as *.Phishing.*.

So, change your blocking agents to ignore such matches. Don't 
be surprised if they don't have the option, but if you use an Open 
Source Content Filter like Qmail-Scanner or Amavis, then you can change 
the code.

ClamAV's ability to block Phishing attacks makes it EXTREMELY attractive 
IMHO.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Damian Menscher
On Fri, 28 Jan 2005, Jason Haar wrote:
clamAV (like all other AVs) produces a report stating what the malware is. In 
the case of Phishing, clamAV tags them as *.Phishing.*.

So, change your blocking agents to ignore such matches. Don't be 
surprised if they don't have the option, but if you use an Open Source 
Content Filter like Qmail-Scanner or Amavis, then you can change the code.

Easier said than done.  First problem is the lack of a consistent naming 
scheme, making it hard to identify exactly which signatures refer to 
auto-propagating code, and which don't.  More difficult is the problem 
that ClamAV only reports the *first* match it finds.  So a mail that 
matched both a phishing signature and a virus signature might be 
reported to be a phishing scheme, and therefore allowed through.

The simplest solution seems to be to write a wrapper around freshclam. 
After downloading the databases, you need to unpack them, grep out the 
phishing schemes, and then move only the unpacked versions into your 
signatures directory.  If a reliable naming scheme could be agreed upon, 
I expect there are several of us on this list who would be willing to 
write/share such a wrapper.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
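
The filtering step of the wrapper described above, as an added example that is not code from the thread or from ClamAV. It assumes the databases are already unpacked into `Name=hex` (.db) and `Name:Target:Offset:hex` (.ndb) lines and that target codes 3 and 4 mean HTML and mail; the signature lines are constructed.

```python
from collections import Counter

# Assumed ClamAV target-type codes for the second .ndb field.
TARGETS = {"0": "any file", "1": "PE", "2": "OLE2", "3": "HTML", "4": "mail"}

# Constructed signature lines for illustration; not real ClamAV signatures.
SAMPLE_DB = """\
Worm.Example.A=4d5a90000300000004000000ffff
HTML.Phishing.Example-1:3:*:3c666f726d20616374696f6e3d
HTML.Phishing.Example-2:3:*:706173737764
Phishing.Example.Mail-1:4:*:766572696679
Trojan.Example.B:1:*:e8000000005d81ed
"""


def parse_line(line):
    """Return (name, target code) for one signature line, None for blanks."""
    line = line.strip()
    if not line:
        return None
    if ":" in line:                      # .ndb: Name:Target:Offset:HexSig
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"unrecognised signature line: {line!r}")
        return fields[0], fields[1]
    if "=" in line:                      # .db: Name=HexSig, matches any file
        return line.split("=", 1)[0], "0"
    raise ValueError(f"unrecognised signature line: {line!r}")


def split_db(text, drop_classes=("Phishing",)):
    """Split signature lines into (kept, dropped) by substring of the name,
    the same test as the *Phishing* glob; it relies on consistent naming."""
    kept, dropped = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        hit = any(cls in parsed[0] for cls in drop_classes)
        (dropped if hit else kept).append(line.strip())
    return kept, dropped


def target_tally(lines):
    """Count signature lines per target type, to see what they can match."""
    return Counter(TARGETS.get(parse_line(l)[1], "other") for l in lines)


if __name__ == "__main__":
    kept, dropped = split_db(SAMPLE_DB)
    print("kept:", len(kept), dict(target_tally(kept)))
    print("dropped:", len(dropped), dict(target_tally(dropped)))
```

Dropping the signatures before they are loaded, rather than ignoring `Phishing` names in the scan report, means a message that also matches a virus signature is still reported under the virus name.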


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Tomasz Kojm
On Thu, 27 Jan 2005 14:29:06 -0600 (CST)
Damian Menscher [EMAIL PROTECTED] wrote:

 The simplest solution seems to be to write a wrapper around freshclam.

You can patch ClamAV to filter out all *Phishing* sigs in
libclamav/readdb.c. It should be a simpler and more reliable solution.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 27 21:29:42 CET 2005




Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Brian Morrison
On Thu, 27 Jan 2005 21:30:56 +0100 in
[EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
wrote:

 On Thu, 27 Jan 2005 14:29:06 -0600 (CST)
 Damian Menscher [EMAIL PROTECTED] wrote:
 
  The simplest solution seems to be to write a wrapper around
  freshclam.
 
 You can patch ClamAV to filter out all *Phishing* sigs in
 libclamav/readdb.c. It should be a simpler and more reliable solution.
 

My goodness, there's something about providing this source code stuff
after all isn't there?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Freddie Cash
Since ClamAV already has a naming scheme in place (Worm, Phishing, etc), 
why not just add a config file option to disable each classification 
(with all of them enabled by default)?

Voila!  Admins who want to block everything can do so.  Admins who only 
want to block worms can do so.  Admins who don't want to block 
anything, can do so.

Make ClamAV the best everything scanner out there, but give the users 
the ability to turn it into the best everything-1 scanner.  :)

-- 
Freddie Cash, CCNT CCLP        Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]