Re: [clamav-users] How to distinguish phiching signatures?

Tue, 06 Sep 2011 03:06:05 -0700 

On 5 Sep 2011, at 15:18, Matus UHLAR - fantomas wrote:
I'm trying to distinguish between phishing and other signatures on a mail server - phishing reports should be passed to our abuse@ account, but not elsewhere. 


  >> Therefore, it's not possible to play with options to disable 

phishing signatures detection ClamAV or use multiple clamav daemons 
- I just need to distinguish them from viruses and possibly other 
unwanted content.



Do you have an idea how should I detect if a mail is a phish, or any 
other content (which?) that should our abuse@ teram know about?


On 06.09.11 09:08, Ian Eiloart wrote:

You can use an ACL to set a message variable, which will probably use 
something vaguely like this untested



warn
        malware = *
        set acl_m_phish = true
        condition = eq{${substr{0}{15}{$malware_name}}{Email.Phishing.}



Then, in your subsequent ACLs, you can exempt this email from 
rejection 



You have apparently missed out that I am NOT trying to solve HOW to 
reject or allow the content, but HOW to differ between Phishing and 
other content, or, WHAT content to pass to abuse@ addresses but reject 
when send everywhere else.


You have only provided an example for "Email.Phishing."


Note there are also many "HTML.Phishing." signatures and there is also 
one "E-Mail.Phishing." and "PDF.Phishing" and also many "Email." 
"HTML." and whatever. 

I guess the main problem is that whils clamav supports Phishing 
detection, and maybe it can differ between phishing, virus, whatever 
signatures, but the FOUND message  does not tell the type of signature, 
only its name.




BTW, while I have completely no idea where to configfure what you 
provided above, but since it's not what I've asked for, it does not 
matter.
 
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml






















					Reply via email to