On 4/23/2019 11:07 AM, Kevin A. McGrail wrote:
I was going to try and run a second daemon or look at hits for
Safebrowsing.<something> as a method for scoring, not blocking.  The
listing and delisting policies are unclear to me and I think there is a
good potential for FPs.


Probably a nice scoring option. So, like Kevin, I'd caution against using this for blocking or high scoring. Why? Because in recent years there has been an epidemic of the following two things:

(1) website compromised - hacker installed malicious content

(2) email account on the mail server compromised - spammer is sending email from that server

HOWEVER, MOST of the time ONLY one of these things happened, NOT both. But the Safebrowsing database is mainly focused on the website being compromised. Therefore, this rule is likely fantastic when it comes to hits on content in the body of the message, particularly URLs linking to malicious content on hijacked websites. But if/when this instead has hits on things like ONLY the domain name (in the FROM address or elsewhere), then it might cause a significant number of FPs.

I'm not very familiar with how this works when implemented in ClamAV. So, for example, if this only has hits on entire URLs going all the way to the malicious content (not merely referencing the domain or home page), then my FP concerns are likely overstated and this really isn't going to cause many FPs.

So I'm just mentioning this so others will be aware and know what to look for when testing this.

--
Rob McEwen
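To make the distinction Rob draws concrete (a hit on a full URL to hijacked content versus a hit on only a domain, in the body or in the From address), here is an added example that is not code from this thread, from ClamAV, or from any Safebrowsing implementation. The listings, the three sample messages, the rule names and the score values are all constructed for illustration; a real deployment would feed a real lookup and tune the scores against a corpus.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed stand-in for a Safebrowsing-style lookup table. These are not
# real listings and this is not ClamAV's safebrowsing database. Two kinds
# of entries are modelled: full URLs down to the malicious file, and bare
# hostnames (the case Rob warns is prone to false positives).
LISTED_URLS = {
    "http://shop.example-compromised.test/wp-content/uploads/invoice.php",
}
LISTED_HOSTS = {
    "shop.example-compromised.test",
}

# Hypothetical rule names and scores. A path-level hit is strong evidence
# that the body links to hijacked content; a domain-only hit (in the body or
# in the From address) is weak, because the site may have been cleaned up or
# only a mailbox on that domain may have been compromised. Scoring, not
# blocking: nothing here rejects a message outright.
RULE_SCORES = {
    "SB_URL_HIT": 3.0,
    "SB_BODY_DOMAIN_HIT": 0.5,
    "SB_FROM_DOMAIN_HIT": 0.3,
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize_url(raw):
    """Lowercase scheme and host, strip trailing punctuation, default path to '/'."""
    parts = urlsplit(raw.rstrip(".,;:)]"))
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{host}{path}", host


def body_hits(body):
    """Return the set of rules fired by URLs in the body (each rule at most once)."""
    rules = set()
    for raw in URL_RE.findall(body):
        url, host = normalize_url(raw)
        if url in LISTED_URLS:
            rules.add("SB_URL_HIT")
        elif host in LISTED_HOSTS:
            rules.add("SB_BODY_DOMAIN_HIT")
    return rules


def from_domain(msg):
    """Domain part of the From: address, lowercased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw_message):
    """Score a single-part text message; returns (total_score, sorted rule names)."""
    msg = message_from_string(raw_message)
    rules = body_hits(msg.get_payload())
    if from_domain(msg) in LISTED_HOSTS:
        rules.add("SB_FROM_DOMAIN_HIT")
    return sum(RULE_SCORES[r] for r in rules), sorted(rules)


# Constructed sample messages covering the three situations in the thread.
# (1) Body links all the way to malicious content on a hijacked site.
MSG_LINK_TO_HIJACKED_PAGE = (
    "From: \"Accounts\" <billing@mailer.example.net>\n"
    "Subject: Invoice\n"
    "\n"
    "Please download: http://shop.example-compromised.test/wp-content/uploads/invoice.php.\n"
)
# (2) Only a mailbox on the listed domain is compromised; no bad link in the body.
MSG_COMPROMISED_MAILBOX = (
    "From: \"Jane\" <jane@shop.example-compromised.test>\n"
    "Subject: Hello\n"
    "\n"
    "Are we still on for lunch tomorrow? https://calendar.example.org/lunch\n"
)
# (3) Body references only the listed domain's home page, not the malicious path.
MSG_HOMEPAGE_LINK = (
    "From: \"News\" <news@newsletter.example.org>\n"
    "Subject: Sale\n"
    "\n"
    "Visit our store at http://shop.example-compromised.test/\n"
)

if __name__ == "__main__":
    for name, raw in [("hijacked page link", MSG_LINK_TO_HIJACKED_PAGE),
                      ("compromised mailbox", MSG_COMPROMISED_MAILBOX),
                      ("home page link", MSG_HOMEPAGE_LINK)]:
        print(name, score_message(raw))
```

The full-URL hit scores 3.0 while the two domain-only cases score 0.5 and 0.3, so a message that merely comes from, or links to the front page of, a listed domain nudges the total rather than deciding it; that is the "scoring, not blocking" behaviour discussed above, and the place to look when testing for FPs is the two weak rules.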

