On 6 Sep 2011, at 11:05, Matus UHLAR - fantomas wrote:

>> On 5 Sep 2011, at 15:18, Matus UHLAR - fantomas wrote:
>>> I'm trying to distinguish between phishing and other signatures on a mail
>>> server - phishing reports should be passed to our abuse@ account, but not
>>> elsewhere.
>>>
>>> Therefore, it's not possible to play with options to disable
>>> phishing signatures detection ClamAV or use multiple clamav daemons - I
>>> just need to distinguish them from viruses and possibly other unwanted
>>> content.
>>>
>>> Do you have an idea how should I detect if a mail is a phish, or any other
>>> content (which?) that should our abuse@ team know about?
>
> On 06.09.11 09:08, Ian Eiloart wrote:
>> You can use an ACL to set a message variable, which will probably use
>> something vaguely like this untested
>
>> warn
>>   malware = *
>>   # set the flag only when the signature name starts with "Email.Phishing."
>>   condition = ${if eq{${substr{0}{15}{$malware_name}}}{Email.Phishing.}}
>>   set acl_m_phish = true
>
>> Then, in your subsequent ACLs, you can exempt this email from rejection
>
> You have apparently missed out that I am NOT trying to solve HOW to reject or
> allow the content, but HOW to differ between Phishing and other content,

Yes, and that's exactly what I show you - how to distinguish phishing.

> or, WHAT content to pass to abuse@ addresses but reject when sent everywhere
> else.

Ah, well there I've misunderstood your question. I thought you were asking how to redirect all phishing attempts to your abuse@ address. Our abuse@ address is simply exempt from all filtering.

> You have only provided an example for "Email.Phishing."
>

Yes, I didn't have any advice to offer here.

> Note there are also many "HTML.Phishing." signatures and there is also one
> "E-Mail.Phishing." and "PDF.Phishing" and also many "Email." "HTML." and
> whatever.

Yes, and you can check the clamav docs, or ask on clamav lists for assistance with the possible types.

> I guess the main problem is that whilst clamav supports Phishing detection,
> and maybe it can differ between phishing, virus, whatever signatures, but the
> FOUND message does not tell the type of signature, only its name.

The name is hierarchically typed.

>
> BTW, while I have completely no idea where to configure what you provided
> above, but since it's not what I've asked for, it does not matter.

In your DATA ACL. That's the only place that it can go. It's also where you'll find your current clam configuration.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
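Added example, not part of the original thread and not code from Exim or ClamAV: a small classifier for the "hierarchically typed" names discussed above, applied to the abuse@ policy from the question. It goes beyond the single "Email.Phishing." prefix by treating "Phishing" as any dot-separated component of the name. Assumptions: the scanner reply has the form "<source>: <name> FOUND", abuse@example.org is a placeholder address, the function names are hypothetical, and the sample replies are constructed.

```python
import re

# Assumed reply shape: "<source>: <signature name> FOUND"
FOUND_RE = re.compile(r"^(?P<source>.*): (?P<name>\S+) FOUND$")

def signature_name(reply):
    """Return the signature name from a scanner reply, or None if no hit."""
    m = FOUND_RE.match(reply.strip())
    return m.group("name") if m else None

def is_phishing(name):
    """True when any dot-separated component of the name is 'Phishing'.

    Covers Email.Phishing.*, HTML.Phishing.*, E-Mail.Phishing.* and a bare
    PDF.Phishing, which a fixed 15-character prefix test would miss.
    """
    return any(part.lower() == "phishing" for part in name.split("."))

def route(reply, recipient, abuse_addr="abuse@example.org"):
    """Per-recipient decision: phishing hits reach abuse@ only."""
    reply = reply.strip()
    if reply.endswith(" ERROR"):
        return "defer"            # scan failed: do not guess
    name = signature_name(reply)
    if name is None:
        return "deliver"          # clean ("... OK")
    if is_phishing(name) and recipient.lower() == abuse_addr:
        return "deliver"          # phishing report for the abuse team
    return "reject"               # viruses everywhere, phishing elsewhere

if __name__ == "__main__":
    # Constructed sample replies, not taken from a real scan.
    samples = [
        "stream: Email.Phishing.Sample-1 FOUND",
        "stream: HTML.Phishing.Sample-2 FOUND",
        "stream: PDF.Phishing FOUND",
        "stream: Win.Trojan.Sample-3 FOUND",
        "stream: OK",
    ]
    for line in samples:
        for rcpt in ("abuse@example.org", "user@example.org"):
            print(f"{line!r:45} {rcpt:20} -> {route(line, rcpt)}")
```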