I'll take a stab. I'm the author of Qmail-Scanner, so I could naturally create a script that feeds such data back to you guys.

Glad to hear you were already doing this - it did seem obvious. I bet your main problem is not having enough staff to actually check the new stuff? (downside to open source ;-)

Jason

On 31/05/12 12:59, Matt Watchinski wrote:
> We have spamtraps and tons of other collection mechanisms, which bring
> in a little over 100k samples a day. While obviously not perfect, as
> pointed out in the beginning of this thread, is pretty good. If
> anyone is interested in automating up sample submission of stuff we
> missed like Jason is suggesting, please feel free to contact me
> offlist and I'll provide automated ways for sending us samples.
>
> Cheers,
> -matt
>
> On Wed, May 30, 2012 at 7:29 PM, Jason Haar <jason_h...@trimble.com> wrote:
>> On 30/05/12 23:17, G.W. Haywood wrote:
>>>> Wouldn't more spamtraps that feed virus samples directly to AV
>>>> analysts help?
>>> Are you new to this? :) Just think about the numbers involved.
>> I think you've been a bit harsh there. I read it as saying that antispam
>> systems catch a lot of malware (because the same infected hosts used to
>> send malware are also used to send spam). Cedrich asked why doesn't
>> clamav use antispam traps as a mechanism to pick up binaries that will
>> 99.99% of the time be malware. That way it's a "free" input source of
>> new malware to be tracked.
>>
>> Sounds like a good idea to me - I know most AV companies do just that so
>> I'm sort of surprised that ClamAV isn't (is that true?)
>>
>> Tell you what - could this be turned into a "community" project? What if
>> instead of ClamAV staff running spampots, all of us out there running
>> edge mail protection ran (hourly) cronjobs to parse our quarantines for
>> spam that contained Windows binaries, run clamav over it (probably for a
>> 2nd time) just in case it's already been picked up - and then feed new
>> files back to Clamav.net for further analysis? Really quite doable at
>> the "client" end - but could cause some serious load on Clamav.net if it
>> was popular... We'd have to have individual accounts so that dickheads
>> uploading notepad.exe can be tracked and blocked, maybe a "must be seen
>> by >10 clients" rule needs to be in place to reduce the FPs too, but of
>> course they'd need to be reviewed by someone eventually. Could we even
>> cross-check checksums against (say) virustotal.com in an automated
>> fashion so that only files marked as malware by another product end up
>> in the final human-facing queue?
>>
>> I'm sure ClamAV staff would like a "too large" corpus of malware than
>> "too little"?
>>
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
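The quarantine triage and the "must be seen by >10 clients" rule proposed in the quoted message, as an added example that is not part of the original thread and not ClamAV or Qmail-Scanner code. All function names are hypothetical; it assumes quarantined mail is available as raw RFC 5322 bytes and that `clamscan` is on the PATH, and it leaves out the upload step because the thread does not specify one.

```python
# Added illustration: names are hypothetical, sample data is constructed.
import hashlib
import subprocess
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage

def pe_attachments(raw_message: bytes):
    """Yield (filename, payload) for MIME parts that start with the DOS 'MZ' magic."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        payload = b"" if part.is_multipart() else (part.get_payload(decode=True) or b"")
        if payload[:2] == b"MZ":
            yield part.get_filename() or "unnamed", payload

def clamscan_detects(payload: bytes) -> bool:
    """True if the local clamscan already flags the payload (exit 0 clean, 1 found)."""
    proc = subprocess.run(["clamscan", "--no-summary", "-"], input=payload, capture_output=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError("clamscan failed: " + proc.stderr.decode(errors="replace"))
    return proc.returncode == 1

def new_samples(raw_messages, already_detected=clamscan_detects):
    """Map sha256 -> payload for PE attachments the local scanner does not detect."""
    out = {}
    for raw in raw_messages:
        for _name, payload in pe_attachments(raw):
            digest = hashlib.sha256(payload).hexdigest()
            if digest not in out and not already_detected(payload):
                out[digest] = payload
    return out

def review_queue(reports, min_clients=10):
    """reports: (client_id, sha256) pairs; keep hashes seen by MORE than min_clients accounts."""
    seen = defaultdict(set)
    for client_id, digest in reports:
        seen[digest].add(client_id)  # a set, so one account reporting twice counts once
    return sorted(d for d, clients in seen.items() if len(clients) > min_clients)

def sample_message(payload: bytes, filename: str = "invoice.exe") -> bytes:
    """Constructed test message: a text body plus one binary attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Your invoice"
    msg.set_content("spam body")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Counting distinct accounts rather than raw reports is what lets the threshold work together with the per-account tracking the message asks for.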