On Sun, 2008-10-26 at 10:22 +0100, Robert Schetterer wrote:
> Karsten Bräckelmann wrote:
> > Recent flood of (German only?) Trojan.Agent malware, partly slipping by
> > ClamAV. So I now am submitting samples where I spot 'em...
> >
> > By doing so, two questions came up:
[ Yet unanswered sample submission best-practice questions snipped. ]

> Hi Karsten,
> just for my interest, I don't see
> a significant growth of German malware in mail,
> I use clamav-milter with
> http://www.sanesecurity.com/clamav/
> and I don't know of anything slipping through
> ( investigated the quarantine dir )
> on 5 really big mail servers with over a hundred domains ( mostly German )
> and over 3000 mailboxes,

OK, here's a rough sketch, no hard numbers. Also, please note that I am NOT a mail admin with a lot of users. The numbers below represent pretty much me, and me only. :)

This started Fri and seems to have ceased by today already. I received like 40 of these a day, with half of them slipping by ClamAV on Fri. Usually I don't even get anything near 40 malware mails a *week*. That's why I believe the term "flood" is justified.

(Talking about malware, attached archives containing Windows executables, mind you. This does not include the bulk of pestering phishes. And yes, I do use the SaneSecurity phish sigs.)

> after all it would only be evil if real viruses bypass
> but as it's some kind of spam ( phishing etc ) it's
> checked by SpamAssassin and marked too in my setups
> perhaps you should tune up anti-spam features in your mail server

SpamAssassin is tuned rather well, thanks. :) In fact, you probably should know me from the SA mailing list, Robert. ;)

And indeed, all of them scored around 15+, none slipped by SA. This however is a consequence of using the same botnet. ClamAV still didn't recognize the malware. I didn't complain. And my post was not about ClamAV not catching them, either. I asked about sample submission best-practices and avoiding unnecessary workload -- which remains unanswered.

> in general to block incoming bots before getting to clamav-antivir stage
> that should bring down the malware rate in any case

I don't block at SMTP stage for various reasons. One being, that I need the spam corpus.
Anyway, while this gets slightly off-topic, most of these did hit Spamhaus XBL (sic) or at least PBL. That might explain why you didn't see them.

> so where does your info come from?

Straight from my mail in-stream. :) Plus some general knowledge about botnets and their specific, identifying patterns, regarding some of the statements above.

-- 
char *t="[EMAIL PROTECTED]"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml