> > Sites were hot at the time the messages were received, so either my concept
> > of how ClamAV blocks phishing is wrong or the detection method is not as
> > generic as I would have thought.
> >
> Generic fishing signature can be done... but... they are very difficult
> to get right, without any false positives.

That might be right, but the creator of the Phishing signatures (Sven) is pretty serious about what he is doing. So far I have only recognised one false positive, which was blocking a specific kind of spam with a Phishing signature. I submitted a few FP examples and, I think it was less than a day later, the problem was resolved.

> > Also, I would add that I have submitted a few of these phishes to ClamAV's
> > virus submission and they all seem to get discarded without comment.
> >

Very bad, I had the same problem, so at one step I decided to send the creator of the Phishing signatures a private message with a link to all my undetected Phishings, and he looked at it and two days later he did a pretty big update, adding signatures for almost all my signatures and cleaning house with a lot of old submissions. I am not sure how the process is working, but if you submit samples, you can choose "Phishing" and I guess in the first place we will only look at those mails. I am not sure how to decide which signatures will be added in the first place. I also had a lot of positive experiences, as some actual Phishings were added within hours to the signatures. I am getting access to a big archive of Phishing mails today and I will check them and see which still aren't detected by ClamAV and submit them.

> Basically, ClamAV is there to protect you from viruses, Trojans and then
> fishing attempts (roughly in that order). Signature makers are very
> busy doing virus signatures... after all, I'd much prefer to have a
> virus stopped than a fishing attempt.

There is a signature maker that is only doing Phishing signatures, so it's not true that he is busy doing virus signatures, but the virus signature makers also don't care a lot about old viruses anymore. ClamAV still doesn't catch all variants of Parite.B viruses and a lot of other stuff.
I got hundreds of unblocked viruses, worms and variants etc., which are detected by commercial products, and those are files that are available from public VX sources.

> Having said that, I've come up with my own un-official signatures,
> designed to catch fishing attempts that ClamAV official signatures let
> through. Not everyone will want to use them... after all, do you trust
> me to do signatures?

I do trust you to do signatures, I even gave you a lot of mails, but I think you should really remove the signatures of the mails that ClamAV already detects, and you should also submit your undetected mails to ClamAV or Sven directly.

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html