On 2007-03-05 20:07, Dennis Peterson wrote:
> Paul Bijnens wrote:
>>
>> Be careful about using clamav with the MSRBL image-spams database!!
>>
>> It seems to me like detecting the image spams with clamav signatures
>> is not really an improvement. In fact, it is probably dangerous!
>>
>> The programs generating these spams make unique images with
>> variations in speckles, lines, color, size, etc., making the image
>> signature unique for each mail sent. I still have to catch the
>> first real spam using the MSRBL-Image clamav signatures.
>> I did catch some false positives on the other hand...
>
> How did you determine they were false positives? Their website does not
> provide a context so you can't know if what you are seeing is a web
> beacon image or a spacer.
Yes, it is a spacer, and not a beacon image. I downloaded and investigated
the image. E.g. you flagged 36 times the "MSRBL-Images/0-IYC" spam image.
You can download the offending image from:

    http://store.msrbl.com/0-IYC

and then you can see it is a:

    0-IYC: GIF image data, version 89a, 2 x 1

I even opened it in gimp, and verified there is no useful information in
these 2 pixels, having a transparent color (or what is the term?).
I even went as far as hexdumping the file, and verifying it does not
contain any spurious information. I couldn't find anything (but I'm not
the expert in GIFs -- anybody may correct me).

If you can find anything harmful/spammy in it, then please educate me.

> I determine false positives very simply - If neither the sender nor the
> intended recipient communicates with me that a message was
> blocked, it is spam. I've never been contacted because of a message
> blocked using Sanesecurity or MSRBL lists.

Well, my users did contact me on several occasions and asked me to
investigate it.

It could become a different thing if the mail was composed of many such
tiny images, each carefully positioned, so that the total result would
be a spam message. How long before the spammers implement that method?
But still, in the above case, the 2 transparent pixels should not be
triggering such an event. The presence of this particular gif in a mail
should not flag it as spam, just as the presence of the letters
a,g,i,r,v should not flag a text message as spam.

I leave it up to you to verify the rest of the false positives (in my
opinion, they are).

>> I removed the msrbl-image database from my system, reducing the
>> number of signatures clamav has to watch to one third.
>> And no more false positives either as benefit.
>
> We're having very different experiences.

Indeed.
--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
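The check described in the post above (identify the file as a GIF, confirm the 2 x 1 geometry and the transparent color, then look through the raw bytes for anything that is not image structure) can be automated. What follows is an added example, not part of the original message and not code from ClamAV or MSRBL: a small GIF block walker in Python that reports the version, logical screen size, whether the graphic control extension sets the transparency flag, the number of image frames, and how many bytes sit past the GIF trailer, which is where extra content would have to hide if the image data itself decodes to two transparent pixels. The sample bytes are a constructed 2 x 1 transparent GIF89a, not the real 0-IYC image from store.msrbl.com, and the spacer heuristic at the end is an assumption of this example rather than any rule ClamAV or MSRBL uses.

```python
"""Walk a GIF's block structure and report what a mail filter would want to know.

Example code written for this discussion; it is not ClamAV or MSRBL code.
"""
import struct

GIF_TRAILER = 0x3B    # ';' marks the end of the stream
GIF_EXTENSION = 0x21  # '!' introduces an extension block
GIF_IMAGE = 0x2C      # ',' introduces an image descriptor
GCE_LABEL = 0xF9      # graphic control extension (holds the transparency flag)


def _skip_subblocks(data, pos):
    """Skip a chain of data sub-blocks (size byte + payload) ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data):
    """Return a dict describing the GIF; raise ValueError on malformed input."""
    if len(data) < 13 or data[:3] != b"GIF":
        raise ValueError("not a GIF")
    version = data[3:6].decode("ascii")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                      # global color table present
        pos += 3 * (2 << (packed & 0x07))  # 2^(n+1) RGB entries
    info = {"version": version, "width": width, "height": height,
            "transparent": False, "frames": 0, "extensions": [],
            "trailing_bytes": 0}
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        block = data[pos]
        pos += 1
        if block == GIF_TRAILER:
            # Anything after the trailer is not part of the image at all.
            info["trailing_bytes"] = len(data) - pos
            return info
        if block == GIF_EXTENSION:
            label = data[pos]
            pos += 1
            info["extensions"].append(label)
            # GCE payload: size 4, packed byte bit 0 = transparent color flag
            if label == GCE_LABEL and data[pos] == 4 and data[pos + 1] & 0x01:
                info["transparent"] = True
            pos = _skip_subblocks(data, pos)
        elif block == GIF_IMAGE:
            _, _, _, _, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                       # local color table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                                 # LZW minimum code size
            pos = _skip_subblocks(data, pos)         # compressed pixel data
            info["frames"] += 1
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))


def describe(data):
    """file(1)-style one-liner for a GIF."""
    info = parse_gif(data)
    return "GIF image data, version %s, %d x %d" % (
        info["version"], info["width"], info["height"])


def looks_like_spacer(info, max_pixels=4):
    """Heuristic assumed by this example (not a ClamAV/MSRBL rule): a single
    tiny frame with nothing smuggled after the trailer."""
    return (info["width"] * info["height"] <= max_pixels
            and info["frames"] == 1
            and info["trailing_bytes"] == 0)


# Constructed sample: a 2 x 1 GIF89a with a 2-entry palette, transparency
# on index 0, and both pixels set to index 0. Not the real 0-IYC file.
SPACER = (
    b"GIF89a"
    + b"\x02\x00\x01\x00"                        # logical screen 2 x 1
    + b"\x80\x00\x00"                            # global color table, 2 entries
    + b"\xff\xff\xff\x00\x00\x00"                # white, black
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"        # GCE: transparent flag, index 0
    + b"\x2c\x00\x00\x00\x00\x02\x00\x01\x00\x00"  # image descriptor 2 x 1
    + b"\x02\x02\x04\x0a\x00"                    # LZW: clear, 0, 0, end
    + b"\x3b"                                    # trailer
)
# Same image with bytes appended after the trailer (constructed).
SPACER_WITH_PAYLOAD = SPACER + b"hidden text after the trailer"

if __name__ == "__main__":
    for name, blob in (("spacer", SPACER), ("spacer+payload", SPACER_WITH_PAYLOAD)):
        info = parse_gif(blob)
        print(name, describe(blob), info, "spacer" if looks_like_spacer(info) else "suspicious")
```

The walker does not decode the LZW stream; it only needs the block framing to know where the image ends, so a file that is all structure and no surprises reports zero trailing bytes, while any appended content shows up as a count you can then hexdump. Viewers ignore bytes after the trailer, which is exactly why a pure dimension-and-pixel inspection in gimp can miss them.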