On Nov 15, 2004, at 11:14 AM, jef moskot wrote:
On Mon, 15 Nov 2004, Bart Silverstrim wrote:
I'd say leave it to the antispammers to hammer out, and to the people who focus on bayes filters...
In my case, if Clam has a chance to see the phishing e-mail, the anti-spam
tactics have already failed. So, from my point of view, this is extra
protection which would not otherwise have been offered.
In your case, sure....but it is supposed to be a flexible solution for a myriad of implementation methods.
I'm not going to comment on the technical aspects of blocking these messages, except to say that I've always found the ClamAV team to be incredibly competent, and if they've chosen to take up this task, then they probably think they can do it effectively.
They have been, yes, very competent and Clam is wonderful. One of my points has been that it is working very well, so if you're going to start moving it into another direction, it may be best to fork that and leave the original recipe alone until the new direction, off-focus from the original intent, can be shown to work well...as well as or better than the current incarnation.
May be doing them a disservice if the signature mismatches a legit mail, though.
This is true of any pattern-matching system.
Yes. Definitely...and currently, I can tune my settings through SpamAssassin and Amavisd-New as to how to handle things and how I'd like it reported. That's the modular aspect of these programs...they focus on doing a particular task very well. Clam is excellent against viruses. Spam...if it were that easy to tackle through signatures, they'd probably have done it by now. Social engineering...good luck finding sigs against all those. Will these efforts water down or bog down the virus scanner or make Clam lose focus?
Bolting more functions to a program, extending it beyond the original
design, is a good way to start introducing problems and losing focus of
the project.
I agree, but I think the basic usage of ClamAV is as a mailscanner, so
this is hardly a stretch. For the same reason, I think your argument
about scanning Word docs for phishiness being a waste is not really that
persuasive.
It's popularly used as a mail scanner, I agree. But one of the components that comes with it is clamscan for scanning home directories on shared folders, and I use it for analyzing things as they come in. Some mail scanners can also be configured to run clamscan on files. It's not a stretch. Some messages talk about using "real time scanning" on file access...would that have use of scanning for phishing attacks on home directory contents?
Also, in the big picture here, it looks like they're only adding very
prevalent phishing schemes. This doesn't seem to be a proposed anti-spam
solution or even a method for stamping out all phish traffic. The
"slippery slope" argument is something to keep in mind, but it also
shouldn't prevent simple no-brainer solutions to easily solved problems
from being made available.
I'm not trying to rain on people's ideas...just point out some counter-arguments that maybe people didn't think of. Personally I don't like the idea of protecting users from their own stupidity when tackling that kind of message...something that could so easily reject messages accidentally...is outside the original focus of Clam. Right now I have at my site, as I'm sure many other admins have, a setup I like at the moment for filtering. It's adequately divided that I can search for messages and diagnose where a breakdown occurred. If it's in the spam rules that a message is "lost", I know where it would have happened. I don't want to have to diagnose whether it's in spam quarantine or virus quarantine when it wasn't a virus problem, and I don't need to determine if there's a problem with the virus scanner that Uncle Phil's message was lost because he put too much of that rich text HTML crap in his message and it matched a signature for some other message.
The work that would be added in trying to get clam to stop spam is already being done in other projects...maybe their efforts are worth contributing to instead of changing the focus of Clam. Just something I was throwing out there for people to mull over... :-)
_______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users