Karsten Bräckelmann wrote:
> On Sun, 2008-10-26 at 10:22 +0100, Robert Schetterer wrote:
>> Karsten Bräckelmann wrote:
>>> Recent flood of (German only?) Trojan.Agent malware, partly slipping by
>>> ClamAV. So I now am submitting samples where I spot 'em...
>>>
>>> By doing so, two questions came up:
>
> [ Yet unanswered sample submission best-practice questions snipped. ]
>
>> Hi Karsten,
>> just for my interest, I don't see
>> a significant growth of German malware in mail.
>> I use clamav-milter with
>> http://www.sanesecurity.com/clamav/
>> and I don't know of anything slipping through
>> ( investigated the quarantine dir )
>> on 5 really big mail servers with over a hundred domains ( mostly German )
>> and over 3000 mailboxes,
>
> OK, here's a rough sketch, no hard numbers. Also, please note that I am
> NOT a mail admin with a lot of users. The numbers below represent pretty
> much me, and me only. :)
>
> This started Fri and seems to have ceased by today already. I received
> like 40 of these a day, with half of them slipping by ClamAV on Fri.
> Usually I don't even get anything near 40 malware mails a *week*. That's
> why I believe the term "flood" is justified.
>
> (Talking about malware, attached archives containing Windows
> executables, mind you. This does not include the bulk of pestering
> phishes. And yes, I do use the SaneSecurity phish sigs.)
>
>
>> after all it would only be evil if real viruses bypass,
>> but as it's some kind of spam ( phishing etc ) it's
>> checked by SpamAssassin and marked too in my setups.
>> Perhaps you should tune up the antispam features in your mail server.
>
> SpamAssassin is tuned rather well, thanks. :) In fact, you probably
> should know me from the SA mailing list, Robert. ;)
>
> And indeed, all of them scored around 15+, none slipped by SA. This
> however is a consequence of using the same botnet. ClamAV still didn't
> recognize the malware.
>
>
> I didn't complain. And my post was not about ClamAV not catching them,
> either. I asked about sample submission best-practices and avoiding
> unnecessary workload -- which remains unanswered.
>
>
>> In general, block incoming bots before getting to the clamav-antivir stage;
>> that should bring down the malware rate in any case.
>
> I don't block at SMTP stage for various reasons. One being, that I need
> the spam corpus.
>
> Anyway, while this gets slightly off-topic, most of these did hit
> Spamhaus XBL (sic) or at least PBL. That might explain why you didn't
> see them.
>
>
>> so where does your info come from ?
>
> Straight from my mail in-stream. :) Plus some general knowledge about
> botnets and their specific, identifying patterns, regarding some of the
> statements above.

That's how life plays: everyone has their own spam, so you're personally targeted.
I was just wondering about some new virus/spam flood which didn't pass to me *g
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria