On Tue, 24 Jan 2006, Steve Basford wrote:

> From: Steve Basford <[EMAIL PROTECTED]>
> To: clamav-users@lists.clamav.net
> Date: Tue, 24 Jan 2006 20:49:03 +0000
> Subject: [Clamav-users] Unofficial Phishing Signatures
> 
> There are already a number of great phishing signatures in ClamAV
> but the Official ClamAV signature makers are obviously very busy
> taking care of the higher priority Virus/Trojan signatures.
>
> As I've seen a number of new phishing attempts get past the
> Official ClamAV signatures, I thought I'd try to produce my own
> signatures, to see if some of these newer phishing attempts could
> be stopped.

...

Very useful.  I started using these signatures on this University's
mail servers on Monday.  Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).

Virus                                               Count
-----                                               -----
Html.Phishing.Bank.Sanesecurity.06012200              169
Html.Phishing.Pay.Sanesecurity.05082900                38
Html.Phishing.Bank.Sanesecurity.06012600               19
Html.Phishing.Bank.Sanesecurity.06013001.rock          19
Html.Phishing.Bank.Sanesecurity.06012000               15
Html.Phishing.Auction.Gen004.Sanesecurity.06012903     12
Html.Phishing.Bank.Sanesecurity.06012500               11
Html.Phishing.Auction.Gen002.Sanesecurity.06012901      3
Html.Phishing.Pay.Gen001.Sanesecurity.06012700          3
Html.Phishing.Pay.Sanesecurity.06010901                 3
Html.Phishing.Bank.Sanesecurity.05101900                2
Html.Phishing.Pay.Gen002.Sanesecurity.06012700          2
Html.Phishing.Pay.Gen003.Sanesecurity.06012700          2
Html.Phishing.Auction.Gen005.Sanesecurity.06012904      1
Html.Phishing.Azon.Sanesecurity.06011000                1
Html.Phishing.Bank.Sanesecurity.05118103                1
Html.Phishing.Bank.Sanesecurity.05120800                1
Html.Phishing.Bank.Sanesecurity.06011002                1
Html.Phishing.Bank.Sanesecurity.06012601                1
Html.Phishing.Pay.Sanesecurity.05100500                 1
Html.Phishing.Pay.Sanesecurity.05120802                 1
Html.Phishing.Pay.Sanesecurity.06011103                 1
Html.Phishing.Pay.Sanesecurity.06012201                 1
                                                   ------
Total                                                 308

The total incoming virus count for yesterday was 512[1].  So these
signatures account for some 60% of what was detected.

[1] I'm blocking on several RBLs and using other methods for
    reducing incoming rubbish.  These may well be preventing a lot
    of viruses even reaching the scanning stage.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]               Phone: +44 1225 386101
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html