> -----Original Message-----
> From: Matthias Haegele [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 14, 2007 8:30 AM
> To: SpamAssassin
> Subject: Re: Does anyone catch this....
>
> Dennis Davis wrote:
> > On Mon, 14 May 2007, Duncan Hill wrote:
> >
> >> From: Duncan Hill <[EMAIL PROTECTED]>
> >> To: users@spamassassin.apache.org
> >> Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
> >> Subject: Re: Does anyone catch this....
> >>
> >> On Mon, May 14, 2007 11:32, Matt Hampton wrote:
> >>> http://www.coders.co.uk/slipped.through.txt
> >>>
> >>> It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
> >>> running on recent versions of MailScanner
> >> The ClamAV engine tends to work well on a large number of that
> >> type of phish. Local testing shows DCC hitting it, but that's
> >> about it. Doesn't help that Halifax don't publish SPF records.
> >
> > In particular the Sanesecurity additions to ClamAV detect this as:
> >
> > Html.Phishing.Bank.Sanesecurity.06030604
> >
> > We've detected (and rejected) over 1300 copies of this particular
> > phishing scam over the last couple of weeks or so.
>
> Link:
>
> http://sanesecurity.co.uk/clamav/usage.htm
>
> For Debian the example script (Example 1) had to be fixed (paths don't
> match), don't know if you need to fix it for other distros too ...
>
> For testing use the sample phishing attachment.

I just sent Steve an updated script that accommodates the trailing backslash that Debian adds to the clam db dir in the debug output and adds -m 1 to the grep so it short-circuits finding the clam db dir (so it now takes less than a second), and I added rsync for the MSRBL-* files since that site not only supports it but prefers it be handled that way. I would imagine Steve will have it up sometime today; I have been testing it since he made the last change to the mirroring methods last week.

Rick