Re: Does anyone catch this....

2007-05-16 Thread Matt Hampton

Matt Hampton wrote:

 http://www.coders.co.uk/slipped.through.txt

 It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
 running on recent versions of MailScanner

 cheers

 Matt





Thanks to everyone who replied - I'll look at the Clam signatures

matt


Does anyone catch this....

2007-05-14 Thread Matt Hampton

http://www.coders.co.uk/slipped.through.txt

It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) 
running on recent versions of MailScanner


cheers

Matt




Re: Does anyone catch this....

2007-05-14 Thread Duncan Hill
On Mon, May 14, 2007 11:32, Matt Hampton wrote:
 http://www.coders.co.uk/slipped.through.txt


 It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
 running on recent versions of MailScanner

The ClamAV engine tends to work well on a large number of that type of
phish.  Local testing shows DCC hitting it, but that's about it.  Doesn't
help that Halifax don't publish SPF records.






Re: Does anyone catch this....

2007-05-14 Thread Dennis Davis
On Mon, 14 May 2007, Duncan Hill wrote:

 From: Duncan Hill [EMAIL PROTECTED]
 To: users@spamassassin.apache.org
 Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
 Subject: Re: Does anyone catch this
 
 On Mon, May 14, 2007 11:32, Matt Hampton wrote:
  http://www.coders.co.uk/slipped.through.txt
 
 
  It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
  running on recent versions of MailScanner
 
 The ClamAV engine tends to work well on a large number of that
 type of phish.  Local testing shows DCC hitting it, but that's
 about it.  Doesn't help that Halifax don't publish SPF records.

In particular the Sanesecurity additions to ClamAV detect this as:

Html.Phishing.Bank.Sanesecurity.06030604

We've detected (and rejected) over 1300 copies of this particular
phishing scam over the last couple of weeks or so.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101


Re: Does anyone catch this....

2007-05-14 Thread Matthias Haegele

Dennis Davis wrote:

 On Mon, 14 May 2007, Duncan Hill wrote:

  From: Duncan Hill [EMAIL PROTECTED]
  To: users@spamassassin.apache.org
  Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
  Subject: Re: Does anyone catch this

  On Mon, May 14, 2007 11:32, Matt Hampton wrote:
   http://www.coders.co.uk/slipped.through.txt

   It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
   running on recent versions of MailScanner

  The ClamAV engine tends to work well on a large number of that
  type of phish.  Local testing shows DCC hitting it, but that's
  about it.  Doesn't help that Halifax don't publish SPF records.

 In particular the Sanesecurity additions to ClamAV detect this as:

 Html.Phishing.Bank.Sanesecurity.06030604

 We've detected (and rejected) over 1300 copies of this particular
 phishing scam over the last couple of weeks or so.


Link:

http://sanesecurity.co.uk/clamav/usage.htm

For Debian the example script (Example 1) had to be fixed (paths don't
match),
don't know if you need to fix it for other distros too ...

For testing use the sample phishing attachment.


--
hth
MH


Don't send mail to: [EMAIL PROTECTED]
--



RE: Does anyone catch this....

2007-05-14 Thread Rick Cooper
 

 -Original Message-
 From: Matthias Haegele [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 14, 2007 8:30 AM
 To: SpamAssassin
 Subject: Re: Does anyone catch this

 Dennis Davis wrote:
  On Mon, 14 May 2007, Duncan Hill wrote:

   From: Duncan Hill [EMAIL PROTECTED]
   To: users@spamassassin.apache.org
   Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
   Subject: Re: Does anyone catch this

   On Mon, May 14, 2007 11:32, Matt Hampton wrote:
    http://www.coders.co.uk/slipped.through.txt

    It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
    running on recent versions of MailScanner

   The ClamAV engine tends to work well on a large number of that
   type of phish.  Local testing shows DCC hitting it, but that's
   about it.  Doesn't help that Halifax don't publish SPF records.

  In particular the Sanesecurity additions to ClamAV detect this as:

  Html.Phishing.Bank.Sanesecurity.06030604

  We've detected (and rejected) over 1300 copies of this particular
  phishing scam over the last couple of weeks or so.

 Link:

 http://sanesecurity.co.uk/clamav/usage.htm

 For Debian the example script (Example 1) had to be fixed (paths don't
 match),
 don't know if you need to fix it for other distros too ...

 For testing use the sample phishing attachment.

I just sent Steve an updated script that accommodates the trailing back
slash that Debian adds to the clam db dir in the debug output and adds -m 1 to
the grep so it short-circuits finding the clam db dir (so it now takes less
than a second), and I added rsync for the MSRBL-* files since that site not
only supports it but prefers it be handled that way. I would imagine Steve
will have it up sometime today; I have been testing it since he made the
last change to the mirroring methods last week.

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
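
An added example, not Rick's script and not the Sanesecurity download script: one way to do the two things the message above describes, stopping at the first matching debug line with `grep -m 1` and normalising the trailing separator on the database directory. It assumes the directory is reported on a line containing "Loading databases from <path>" and that the separator is a "/"; the function names and the sample debug lines are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample lines are hypothetical.

# Read ClamAV debug output on stdin and print the signature database directory.
# Assumption: the directory appears on a line "... Loading databases from <path>".
clam_db_dir() {
    # -m 1 makes grep exit after the first match instead of reading
    # the rest of the (long) debug stream.
    line=$(grep -m 1 'Loading databases from ') || return 1

    # Keep only what follows the marker text.
    dir=${line##*Loading databases from }

    # Strip trailing slashes (e.g. "/var/lib/clamav/"), but never reduce
    # the root directory "/" to an empty string.
    while [ "$dir" != "/" ] && [ "${dir%/}" != "$dir" ]; do
        dir=${dir%/}
    done

    # Refuse anything that is not an absolute path, so a malformed line
    # cannot make an update script write signatures to a relative location.
    case $dir in
        /*) printf '%s\n' "$dir" ;;
        *)  return 1 ;;
    esac
}

# Constructed sample of debug output with a trailing slash on the path
# and a second matching line that -m 1 never reaches.
sample_debug_debian() {
    cat <<'EOF'
LibClamAV debug: Initializing the engine
LibClamAV debug: Loading databases from /var/lib/clamav/
LibClamAV debug: Loading databases from /var/lib/clamav/extra/
EOF
}

sample_debug_debian | clam_db_dir
```
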




Re: Does anyone catch this....

2007-05-14 Thread Matthias Haegele

Rick Cooper wrote:

 -Original Message-
 From: Matthias Haegele [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 14, 2007 8:30 AM
 To: SpamAssassin
 Subject: Re: Does anyone catch this

  Dennis Davis wrote:
   On Mon, 14 May 2007, Duncan Hill wrote:

    From: Duncan Hill [EMAIL PROTECTED]
    To: users@spamassassin.apache.org
    Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
    Subject: Re: Does anyone catch this

    On Mon, May 14, 2007 11:32, Matt Hampton wrote:
     http://www.coders.co.uk/slipped.through.txt

     It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
     running on recent versions of MailScanner

    The ClamAV engine tends to work well on a large number of that
    type of phish.  Local testing shows DCC hitting it, but that's
    about it.  Doesn't help that Halifax don't publish SPF records.

   In particular the Sanesecurity additions to ClamAV detect this as:

   Html.Phishing.Bank.Sanesecurity.06030604

   We've detected (and rejected) over 1300 copies of this particular
   phishing scam over the last couple of weeks or so.

  Link:

  http://sanesecurity.co.uk/clamav/usage.htm

  For Debian the example script (Example 1) had to be fixed (paths don't
  match),
  don't know if you need to fix it for other distros too ...

  For testing use the sample phishing attachment.

 I just sent Steve an updated script that accommodates the trailing back
 slash that Debian adds to the clam db dir in the debug output and adds -m 1 to
 the grep so it short-circuits finding the clam db dir (so it now takes less
 than a second), and I added rsync for the MSRBL-* files since that site not
 only supports it but prefers it be handled that way. I would imagine Steve
 will have it up sometime today; I have been testing it since he made the
 last change to the mirroring methods last week.

Ralf Hildebrandt's blog contains a download link to the (working) script:

http://www.amazon.com/gp/blog/A1XJVH38GHOSHB

thx again for the good work...

 Rick



--
Grüsse/Greetings
MH


Don't send mail to: [EMAIL PROTECTED]
--



RE: Does anyone catch this....

2007-05-14 Thread Dennis Davis
On Mon, 14 May 2007, Rick Cooper wrote:

 From: Rick Cooper [EMAIL PROTECTED]
 To: 'SpamAssassin' users@spamassassin.apache.org
 Date: Mon, 14 May 2007 09:04:57 -0400
 Subject: RE: Does anyone catch this

...

 I just sent Steve an updated script that accommodates the trailing
 back slash that Debian adds to the clam db dir in the debug output
 and adds -m 1 to the grep so it short-circuits finding the clam
 db dir (so it now takes less than a second), and I added rsync
 for the MSRBL-* files since that site not only supports it but
 prefers it be handled that way. I would imagine Steve will have it
 up sometime today; I have been testing it since he made the last
 change to the mirroring methods last week.

[Posted to both the [EMAIL PROTECTED] and
 users@spamassassin.apache.org mailing lists.  Please followup
 appropriately.]

Steve tells me he has just updated the download script on the main
site (www.sanesecurity.com).  Blog additions are coming, but might
not make it until tomorrow.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101