On Sep 14, 2010, at 7:00 AM, Alex wrote:
> Hi,
>
>> In addition, there's a brilliant Third-Party signature decoder here, which
>> will easily show you the content of the Third-Party signature,
>> just cut/paste or type in the signature name and it'll decode it:
>>
>> http://www.sanesecurity.com/clamav/decodesigs.htm
>
> Great info, thanks.
>
> Turns out that it matches underconstruction.networksolutions.com. Is
> it possible to make these signatures score a few points instead of
> being a poison pill, and killing the email entirely?

Most of us weight the results in our mailserver/proxies/milters and score the weights in SA/ASSP/etc.

However, the signature was the IP 205.178.189.13 and not the host name. That IP hosts a lot more than a reverse DNS would lead you to believe. When it was listed, it contained a Zeus bot and was also infected with an iframe attack hosted on that IP. See http://malware.im/network-solutions-and-wordpress-security-flaw/

Given the above, I am not sure I would deweight the signatures. In fact, I have to wonder what kind of email would contain that IP in a URL. You do whitelist accounts that discuss viruses/malware/etc., don't you?
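
The weighting discussed in this thread, sketched as an added example that is not part of the original messages or of ClamAV: a filter hook turns scanner reply lines of the form `<target>: <signature> FOUND` into score points, so that third-party (`.UNOFFICIAL`) hits add weight while official hits remain a hard reject. The prefix table, point values, threshold and sample signature names are assumptions constructed for illustration.

```python
import re

# Reply line shape from clamd/clamscan: "<target>: <signature> FOUND".
# Signatures loaded from third-party databases carry an ".UNOFFICIAL" suffix.
FOUND_RE = re.compile(r"^(?P<target>.*): (?P<sig>\S+) FOUND$")

# Hypothetical local policy: signature-name prefix -> points added to the score.
# First matching prefix wins, so list the most specific prefixes first.
WEIGHTS = [
    ("Sanesecurity.Malware.", 4.0),
    ("Sanesecurity.", 2.0),
]
DEFAULT_UNOFFICIAL = 1.5   # any other third-party signature
REJECT = float("inf")      # official signature: still a poison pill

# Constructed sample replies (signature names are made up for the example).
SAMPLE = [
    "stream: Sanesecurity.Malware.0000.UNOFFICIAL FOUND",
    "stream: OK",
]


def weigh(reply_line):
    """Return (signature, points) for one reply line, or (None, 0.0) if clean."""
    m = FOUND_RE.match(reply_line.strip())
    if not m:
        return None, 0.0
    sig = m.group("sig")
    if not sig.endswith(".UNOFFICIAL"):
        return sig, REJECT
    for prefix, points in WEIGHTS:
        if sig.startswith(prefix):
            return sig, points
    return sig, DEFAULT_UNOFFICIAL


def verdict(reply_lines, base_score=0.0, threshold=5.0):
    """Combine scanner hits with the score from other filters (base_score)."""
    score, hits = base_score, []
    for line in reply_lines:
        sig, points = weigh(line)
        if sig is not None:
            hits.append(sig)
            score += points
    if score == REJECT:
        return "reject", score, hits
    return ("quarantine" if score >= threshold else "deliver"), score, hits
```

With this policy a single third-party hit only changes the outcome when other filters have already raised the score, which is the trade-off the reply weighs against leaving the signature as a hard block.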