On Nov 15, 2004, at 2:41 PM, Ken Jones wrote:

Phishing poses a threat to your users. The line between malware and viruses
is a very grey one.

Phishing is a threat if they supply information. How do you stop people from voluntarily giving information over? Scan every mail for text or formatting that may look like it's asking for you to click a link and visit a site for inputting information?


That sounds like what SA does. The phishing email doesn't do anything, doesn't carry an attachment that is dangerous, and doesn't carry a payload. It's asking a user to do something foolish or takes advantage of their ignorance. If I get an email from my friend asking for my credit card number and I email it to him and he spends a lot of my money, whose fault is it? Or if I mail it and it bounces to an admin at a different site...whose fault is it when the information leaks?

Knowing two "friends" that have responded to phishing emails and what it
took afterwards to correct the problem ..... they would beg you to remove
the possibility of this threat.

I would hope they now know not to trust these messages. I've tried telling users not to do things before and some will anyway. I can't guarantee anything about blocking it, only that I will try to keep SA updated enough to catch them.


The key here is not whether or not we should block these messages. The discussion was about Clam having this added. Philosophically, there are those who want it and those who don't. You want more spam checking, alter your spam checker with SA to use all the rules and bayes the heck out of mail servers. Use SPF. Use reverse mapping. Personally, I want Clam to fight viruses. Focus on those, focus on doing it well. If people want to improve fighting spam, contribute to SA and various rule sets that are out there, and not duplicate efforts.

Having cross-over of functionality can / is in many cases a good thing.

Then that is a philosophical difference...I'd rather not duplicate efforts on the same system. Otherwise there's no reason to pretend it is a virus scanner...it's some mutant spirus scanner or malware detector. Then there comes the slippery slope of what it should and shouldn't detect. I'd rather just filter and rewrite every message to plain text and then we wouldn't need to worry about the viruses or malware, would we? We'd make it more work for the users to go through the hassle of getting themselves into trouble.


The other day, a virus made it by clamav. It made it past McAfee on the
user's machine. By the time they opened the mail and it started spamming
the network with email, clamav had updated their defs and it was stopped.
It took a few more hours before McAfee had a new defs file out. In this
case, multiple virus scanners was a good thing.

Multiple fronts are fine. BUT you are running multiple virus scanners. Run multiple spam slammers if that's your prerogative. But I'd rather have a virus scanner that scans for viruses and a spam filter that filters for spam without needing to overlap the two. A virus scanner for viruses, a spam filter for spams; if it works well, keep it. If it doesn't, yank that module/program and put in another. I am looking for a good virus scanner, not a good virus scanner that is also a mediocre spam blocker and may or may not complicate the flow of mail by adding different headers or putting it into a different quarantine folder when users ask where a message from "x" went because it was incorrect. You have the sig for a particular spam? Send it to the SA team.


Please don't think I am saying I want clamav to become a spam filter as
well, but adding in the sigs for items like the phishing mail I think is
great.

I think it's heading down a road that leads to losing focus for the team. Ultimately though it's their call :-)


-Bart

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
