BTW, if you are running ClamAV, and want to take full advantage of its phish-catching capabilities, you might want to take a look at adding the phish signature file that Steve Basford put together (see the attached e-mail for details). I have been running them for a few weeks, and they are quite awesome. Steve periodically updates the phish signatures, as well, so check regularly for an updated file.

Bill
----- Original Message ----- From: "Scott Fisher" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, February 21, 2006 10:14 AM
Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters


Aaarrgg.
Good catch Bill.

----- Original Message ----- From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, February 21, 2006 12:03 PM
Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters


----- Original Message ----- From: "Scott Fisher" <[EMAIL PROTECTED]>

You do need the Pro version to run more than one scanner.
It's the best thing about Virus Pro...
Also nice if you get a set of bad definitions or a scanner stops working, the other scanners will cover.

With PRESCAN ON, McAfee VirusScan catches some phish.
ClamAV catches most phish.

Actually, you would need to have "PRESCAN OFF" in order to catch most phish e-mails with Declude. Otherwise, Declude Virus PRESCANs all messages and finds that most phish messages contain nothing worth scanning and thus bypasses the virus scanners.

Bill
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


--- Begin Message ---

> Can someone please tell me how ClamAV goes about phishing detection? I presume
> it has something to do with libcurl going out to a web site and some checks
> being performed on whatever is returned.

Not normally... most phishing detection is done by matching text/html that is common, looks odd, or has bad spelling in the email.
> We have had several phishes get through -- most appear to be Google, About, or
> Ebay redirects, such as:
>
> href="http://www.google.com/url?sa=U&q=http://81.196.204.130:82/webscr/index.php";
> (A PayPal phish.)

Well, the above is just using Google to re-direct to the phishing site. I think they could count on people hovering the mouse over the link, seeing Google and then trusting the site, which you normally wouldn't do.
> Sites were hot at the time the messages were received, so either my concept of
> how ClamAV blocks phishing is wrong or the detection method is not as generic
> as I would have thought.

Generic phishing signatures can be done... but... they are very difficult to get right without any false positives.
> Also, I would add that I have submitted a few of these phishes to ClamAV's
> virus submission and they all seem to get discarded without comment.

Basically, ClamAV is there to protect you from viruses, Trojans and then phishing attempts (roughly in that order). Signature makers are very busy doing virus signatures... after all, I'd much prefer to have a virus stopped than a phishing attempt.

Having said that, I've come up with my own unofficial signatures, designed to catch phishing attempts that ClamAV's official signatures let through. Not everyone will want to use them... after all, do you trust me to do signatures? (Just in case this helps... I've been part of the Windows SpamPal Anti-Spam support team for the last two or three years,
see: http://www.spampal.org/credits.html)

Anyway, to grab the unofficial signatures, go to the site here, download the phish.ndb file and place it in the same directory as your daily.cvd file: http://www.sanesecurity.com/clamav/

There's also a PDF file there, showing how I put a signature together. For what it's worth, I would certainly still submit your phishing emails to the ClamAV team, and I would also suggest submitting the emails to this "phishing tracker" site: http://www.dslreports.com/phishtrack

Cheers,

Steve

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html

--- End Message ---
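As an added example (not from this thread, and not ClamAV's or Sane Security's code), here is a Python check for the link shape quoted in the attached message: a link on a trusted host whose query string carries the real destination, with the case of a bare-IP destination flagged separately. It generalises beyond Google to any redirector host; the sample HTML and its 203.0.113.10 address are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: one redirector link of the kind quoted in the thread,
# one ordinary search link on the same host, and one plain link.
SAMPLE_HTML = """<html><body>
<p>Your PayPal account needs verification.</p>
<a href="http://www.google.com/url?sa=U&amp;q=http://203.0.113.10:82/webscr/index.php">Log in</a>
<a href="http://www.google.com/search?q=clamav">harmless</a>
<a href="http://www.example.com/login">plain link</a>
</body></html>"""

class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags (entities such as &amp; are decoded)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def extract_hrefs(html):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs

_ABS_URL = re.compile(r"^https?://", re.I)
_IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def redirect_target(url):
    """Return the embedded destination if `url` is a redirector: a link whose
    query string carries an absolute http(s) URL pointing at a different host.
    Returns None for ordinary links."""
    outer = urlparse(url)
    for values in parse_qs(outer.query).values():
        for value in values:
            if _ABS_URL.match(value):
                inner = urlparse(value)
                if inner.hostname and inner.hostname != outer.hostname:
                    return value
    return None

def suspicious_links(html):
    """(href, real destination, destination is a bare IPv4 address) for every
    redirector link in the message body; the quoted PayPal phish is the IP case."""
    findings = []
    for href in extract_hrefs(html):
        target = redirect_target(href)
        if target:
            host = urlparse(target).hostname or ""
            findings.append((href, target, bool(_IPV4_HOST.match(host))))
    return findings
```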
