On 4/23/2019 6:18 AM, Brent Clark wrote:
> Just want to pick the community's brain for a second.
>
> Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing or,
> better, enable 'SafeBrowsing Yes' in freshclam's configuration file?
>
> I see SafeBrowsing is a blacklist service provided by Google that
> provides lists of URLs for web sites that contain malware or phishing
> content.
>
> What was your experience with mail containing malware or phishing
> content?


Well, my experience over the past month has been pretty bad.  ClamAV lit
some signatures for Phishtank and it pretty much killed performance. 
See the ClamAV mailing list for more info.

Additionally, I only started looking at this ClamAV feature on the
18th.  For those who aren't aware:

ClamAV 0.95 introduced support for Google Safe Browsing database.

The Safebrowsing database is packed inside a CVD file and distributed
through our mirror network. This feature is disabled by default on all
installations and should be enabled with extreme care.

All signatures provided by Google Safe Browsing Database will be
prefixed with the Safebrowsing tag. If ClamAV reports
Safebrowsing.<something> FOUND, it means that the advisory was provided
by Google and not by ClamAV Virus database.

Please note that such reports DO NOT necessarily mean that the data
scanned contains some malware. You should treat such data as a potential
risk, that is, a suspicious source of malware.

If you want to know more about the potentially dangerous data matched by
the signature, you should visit http://www.antiphishing.org (for
phishing warnings) or http://www.stopbadware.org (for malware warnings).

In order to enable this feature, you must add SafeBrowsing Yes to
freshclam.conf.

There is no option in clamd.conf. If the engine finds Google Safe
Browsing files in the database directory, ClamAV will enable safe
browsing. To turn it off you need to update freshclam.conf and remove
the safebrowsing files from the database directory before restarting clamd.


Anyway, I was going to try and run a second daemon or look at hits for
Safebrowsing.<something> as a method for scoring, not blocking.  The
listing and delisting policies are unclear to me and I think there is a
good potential for FPs.


Regards,
KAM
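The "scoring, not blocking" approach mentioned above, as an added example that is not part of the original mail or of ClamAV/SpamAssassin: the snippet parses result lines in the shape clamdscan/clamd emit them ("target: signature FOUND", "target: OK", "target: message ERROR") and treats Safebrowsing.* hits as a score contribution while any other FOUND still blocks. The sample lines, the signature names and the score value are constructed for the example, not captured from a real scan.

```python
import re
from dataclasses import dataclass

# Constructed sample result lines in clamdscan/clamd shape (assumption:
# these targets and signature names are invented for the example).
SAMPLE_RESULTS = [
    "/var/spool/msg1.eml: OK",
    "/var/spool/msg2.eml: Safebrowsing.Suspected.Phishing.UNOFFICIAL FOUND",
    "/var/spool/msg3.eml: Win.Trojan.Agent-12345 FOUND",
    "/var/spool/msg4.eml: Can't open file ERROR",
    "/var/spool/msg5.eml: Safebrowsing.Suspected.Malware.UNOFFICIAL FOUND",
]

# Signatures distributed via the Google Safe Browsing database carry this
# prefix; everything else comes from the regular ClamAV signature database.
SAFEBROWSING_PREFIX = "Safebrowsing."

# "<target>: <signature or message> FOUND|ERROR"; the lazy body group keeps
# the trailing status word out of the signature name.
RESULT_RE = re.compile(r"^(?P<target>.+?): (?P<body>.+?) (?P<status>FOUND|ERROR)$")


@dataclass
class Verdict:
    target: str
    action: str          # "pass", "score", "block" or "error"
    signature: str = ""
    score: float = 0.0


def classify(line, safebrowsing_score=2.0):
    """Map one scan result line to a verdict.

    Safebrowsing.* hits only add `safebrowsing_score` (the listing/delisting
    policy is opaque, so they are not trusted enough to reject outright);
    any other FOUND is a block; ERROR is surfaced separately so a scanner
    failure is never silently treated as clean or as malicious.
    """
    line = line.rstrip("\n")
    if line.endswith(": OK"):
        return Verdict(line[:-len(": OK")], "pass")
    m = RESULT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised scan result line: {line!r}")
    target, body, status = m.group("target", "body", "status")
    if status == "ERROR":
        return Verdict(target, "error", signature=body)
    if body.startswith(SAFEBROWSING_PREFIX):
        return Verdict(target, "score", signature=body, score=safebrowsing_score)
    return Verdict(target, "block", signature=body)


def summarize(lines, safebrowsing_score=2.0):
    """Classify every line; returns the list of Verdict objects."""
    return [classify(line, safebrowsing_score) for line in lines]


def total_score(verdicts):
    """Sum of score contributions, e.g. to feed a SpamAssassin-style total."""
    return sum(v.score for v in verdicts)


if __name__ == "__main__":
    for v in summarize(SAMPLE_RESULTS):
        print(f"{v.action:5s} {v.target} {v.signature}")
```

Feeding the result into SpamAssassin (for example as a header that a local rule scores) is left to the integration; the point of the split is that a Safebrowsing.* match raises the score while a regular ClamAV signature keeps its reject behaviour.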

