Hello Joel,

On Sat, 28 May 2016, Joel Esler wrote:

> So our recent improvements and detection have not produced any different result in the field?
If you're asking me, I think you're asking the wrong person. As I explained in my October 2014 message, I filter out the vast majority of the cr@p before clamd gets a chance to look at it. For example, the server log extract below shows that of the just under 210,000 message attempts processed in sixteen months (more than 90% of which would be unwanted), only 42 got as far as being looked at and flagged by clamd.

If what I've shown here is representative (and I've no way of knowing if it is), then in the last year or so the mix seems to have changed somewhat. The detections also seem to bunch, so it looks like there are distinct 'campaigns'. I probably nail the campaigns manually (a TARPIT rule or something :) if and when I spot them in the logs, and the statistics aren't very good with such small numbers anyway.

mail5:/var/log/system_logs# >>> find 201[56] -name 'mail.info.*' | xargs grep NOQUEUE | wc -l
209327

mail5:/var/log/system_logs# >>> find 201[56] -name 'mail.info.*' | sort | xargs grep FOUND
2015/2015.01/mail.info.1:Jan 9 19:01:33 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.bilder-upload.eu.UNOFFICIAL FOUND
2015/2015.01/mail.info.1:Jan 11 05:37:18 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.dreamhostps.com.UNOFFICIAL FOUND
2015/2015.01/mail.info.1:Jan 11 10:09:33 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.dreamhostps.com.UNOFFICIAL FOUND
2015/2015.01/mail.info.1:Jan 13 19:01:22 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.bilder-upload.eu.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 7 12:01:22 mail5 clamd[25353]: fd[10]: Sanesecurity.Porn.7849.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 7 18:09:22 mail5 clamd[25353]: fd[10]: Sanesecurity.Scam4.1455.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 11 18:43:01 mail5 clamd[25353]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.02/mail.info.1:Feb 19 02:29:35 mail5 clamd[25353]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.03/mail.info.1:Mar 3 22:05:28 mail5 clamd[25353]: fd[10]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2015/2015.03/mail.info.1:Mar 16 15:17:25 mail5 clamd[25353]: fd[10]: Sanesecurity.Scam4.1604.UNOFFICIAL FOUND
2015/2015.03/mail.info.1:Mar 24 07:30:00 mail5 clamd[25353]: fd[10]: Sanesecurity.Junk.28723.UNOFFICIAL FOUND
2015/2015.04/mail.info.1:Apr 7 04:51:38 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.elasticemail.com.UNOFFICIAL FOUND
2015/2015.04/mail.info.1:Apr 7 08:51:08 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.elasticemail.com.UNOFFICIAL FOUND
2015/2015.05/mail.info.1:May 14 18:45:38 mail5 clamd[25353]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.06/mail.info.1:Jun 19 19:01:32 mail5 clamd[25353]: fd[10]: ScamNailer.Phish.user_AT_email.com.UNOFFICIAL FOUND
2015/2015.07/mail.info.1:Jul 30 08:46:12 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.08/mail.info.1:Aug 14 18:43:35 mail5 clamd[27435]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.09/mail.info.1:Sep 25 14:44:32 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.10/mail.info.1:Oct 2 09:35:40 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.10/mail.info.1:Oct 29 16:40:39 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.11/mail.info.1:Nov 13 18:41:19 mail5 clamd[27435]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.11/mail.info.1:Nov 18 02:27:08 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.12/mail.info.1:Dec 8 02:34:53 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.12/mail.info.1:Dec 9 09:24:25 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.01/mail.info.1:Jan 12 03:17:22 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.01/mail.info.1:Jan 25 23:28:40 mail5 clamd[27435]: fd[10]: Sanesecurity.Malware.25445.JsHeur.UNOFFICIAL FOUND
2016/2016.01/mail.info.1:Jan 26 11:43:37 mail5 clamd[27435]: fd[10]: ScamNailer.Phish.account_AT_gmail.com.UNOFFICIAL FOUND
2016/2016.01/mail.info.1:Jan 26 23:16:15 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.02/mail.info.1:Feb 1 16:48:37 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.02/mail.info.1:Feb 1 22:05:17 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.51851.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 7 07:46:07 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.51838.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 8 08:06:51 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.50759.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 12 18:37:21 mail5 clamd[27435]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2016/2016.03/mail.info.1:Mar 15 13:26:03 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.03/mail.info.1:Mar 18 16:43:43 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:45 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 31 08:45:15 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.04/mail.info.1:Apr 20 08:21:54 mail5 clamd[15188]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.04/mail.info.1:Apr 28 01:05:36 mail5 clamd[15188]: fd[10]: Sanesecurity.Malware.25690.ZipHeur.UNOFFICIAL FOUND
2016/2016.04/mail.info.1:Apr 29 02:30:59 mail5 clamd[15188]: fd[10]: Heuristics.Encrypted.PDF FOUND

As you can see below, the number of messages quarantined by MIMEDefang (the last milter in the chain) has dropped drastically in the last few years - note that 2016 is only four months long so far, but even so it points to big changes in the threat landscape:

mail5:/var/spool/MD-Quarantine# >>> for i in 2013 2014 2015 2016 ; do ls -l --full-time | grep $i- | wc -l ; done
318
101
90
6

HTH

--
73,
Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
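An added example, not part of Ged's message or of ClamAV itself: a small POSIX shell script that takes the output of the "find ... | xargs grep FOUND" pipeline in the same shape as the extract above, tallies the clamd detections by month and by signature family, and lists the days on which one signature fired more than once (the 'campaign' bunching the message describes). It assumes awk and sort are available and that lines have the shape shown in the extract; the sample lines are copied from it.

```shell
#!/bin/sh
# Added example (not from the original message): tally the clamd "FOUND" lines that
# "find ... | xargs grep FOUND" produces, by month and by signature family, and flag
# days on which one signature fired repeatedly (the "campaign" bunching in the message).
# Assumed grep output shape, as in the extract:
#   <logpath>:<Mon> <day> <time> <host> clamd[<pid>]: fd[<n>]: <signature> FOUND

# Sample input: a handful of lines copied from the extract in the message.
SAMPLE_LOG='2015/2015.01/mail.info.1:Jan 9 19:01:33 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.bilder-upload.eu.UNOFFICIAL FOUND
2015/2015.01/mail.info.1:Jan 11 05:37:18 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.dreamhostps.com.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 7 12:01:22 mail5 clamd[25353]: fd[10]: Sanesecurity.Porn.7849.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 11 18:43:01 mail5 clamd[25353]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:45 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND'

# tally_found: stdin = FOUND lines; stdout = "YYYY.MM <family> <count>", one per line.
# The month is taken from the log path (2015/2015.01/...); the family is the first
# dot-separated part of the signature name (Sanesecurity, SecuriteInfo, Heuristics, ...).
tally_found() {
    awk -F: '/ FOUND$/ {
        split($1, p, "/");        month = p[2]
        n = split($0, w, " ");    sig = w[n-1]
        split(sig, s, ".");       fam = s[1]
        count[month " " fam]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# burst_days: stdin = FOUND lines; stdout = "<Mon> <day> <signature> <hits>" for every
# day on which the same signature fired more than once.
burst_days() {
    awk '/ FOUND$/ {
        n = split($0, w, " ");    sig = w[n-1]
        sub(/^.*:/, "", w[1])     # strip the "path:" prefix, leaving the month name
        hits[w[1] " " w[2] " " sig]++
    }
    END { for (k in hits) if (hits[k] > 1) print k, hits[k] }' | LC_ALL=C sort
}

# Runs on the sample when executed directly; real logs are fed the same way:
#   find 201[56] -name 'mail.info.*' | sort | xargs grep FOUND | tally_found
printf '%s\n' "$SAMPLE_LOG" | tally_found
printf '%s\n' "$SAMPLE_LOG" | burst_days
```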