Re: [clamav-users] How to distinguish phiching signatures?

Tue, 06 Sep 2011 04:23:50 -0700 

On 5 Sep 2011, at 15:18, Matus UHLAR - fantomas wrote:
I'm trying to distinguish between phishing and other signatures on a mail server - phishing reports should be passed to our abuse@ account, but not elsewhere. 


On 06.09.11 09:08, Ian Eiloart wrote:

warn
        malware = *
        set acl_m_phish = true
        condition = eq{${substr{0}{15}{$malware_name}}{Email.Phishing.}



On 6 Sep 2011, at 11:05, Matus UHLAR - fantomas wrote:

You have apparently missed out that I am NOT trying to solve HOW to 
reject or allow the content, but HOW to differ between Phishing and 
other content,


On 06.09.11 10:54, Ian Eiloart wrote:

Yes, and that's exactly what I show you - how to distinguish phishing.



No, you did not. At least not better than I already did. Even worse, 
because there were more phishing signatures than "Email.Phishing." and 
you showed only this one. And, you showed it to me as configuration 
element for a program unknown to me.



or, WHAT content to pass to abuse@ addresses but reject when send everywhere 
else.



Ah, well there I've misunderstood your question. I thought you were 
asking how to redirect all phishing attempts to your abuse@ address.  
Our abuse@ address is simply exempt from all filtering.



Luckily I have (nearly) it the same way, but for now I'm trying not to 
exempt it from filtering viruses.



I guess the main problem is that whils clamav supports Phishing 
detection, and maybe it can differ between phishing, virus, whatever 
signatures, but the FOUND message does not tell the type of 
signature, only its name.


The name is hierarchically typed.



It's not, because of the reasons I have shown above. Luckily aCaB 
promised to look at it...



BTW, while I have completely no idea where to configfure what you 
provided above, but since it's not what I've asked for, it does not 
matter.


In your DATA ACL. That's the only place that it can go. It's also where you'll 
find your current clam configuration.



I do not have DATA ACL. Do you assume I am running a kind of MTA or 
scanner? Please only assume I'm using clamav, since this is a 
clamav-users list :-)


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.

    One OS to rule them all, One OS to find them, 
One OS to bring them all and into darkness bind them 
_______________________________________________

Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml






















					Reply via email to