Re: [Clamav-users] test for SafeBrowsing?
>From: Török Edwin [mailto:edwinto...@gmail.com]
>>> Try using for the URL.
>>>
>> Is that a requirement? If so we should get the spammers on board because some of
>> them may not know this :).
>
>No, there are more places from where URLs can be extracted, but "href" is one that must work.

With modern email clients "helpfully" presenting text that looks like a URL as a real URL at the client end, SafeBrowsing really ought to check the plain text, not just within html tags. http://pastebin.com/m13232c54 may be just plain text when transmitted and scanned, but it's an "" by the time I read it: underlined, blue, and turns my cursor to a pointy finger with a pop-up box saying "Click to follow link".

It was also in wide character encoding when I read it. I'm not sure if that is how it was transmitted, or if that was done by the client:

0001d60: 7400 2900 0d00 0a00 0d00 0a00 6800 7400 t.).h.t.
0001d70: 7400 7000 3a00 2f00 2f00 7000 6100 7300 t.p.:././.p.a.s.
0001d80: 7400 6500 6200 6900 6e00 2e00 6300 6f00 t.e.b.i.n...c.o.
0001d90: 6d00 2f00 6d00 3100 3300 3200 3300 3200 m./.m.1.3.2.3.2.
0001da0: 6300 3500 3400 0d00 0a00 0d00 0a00 4300 c.5.4.C.
0001db0: 6800 6500 6500 7200 7300 2c00 0d00 0a00 h.e.e.r.s.,.
0001dc0: 0d00 0a00 5300 7400 6500 7600 6500 0d00 S.t.e.v.e...

Either way, switching encoding would be another way for spammers to try to avoid a scan.

Moray.
"To err is human. To purr, feline"
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] test for SafeBrowsing?
Moray Henderson (ICT) wrote:
>> From: Török Edwin [mailto:edwinto...@gmail.com]
>>>> Try using for the URL.
>>> Is that a requirement? If so we should get the spammers on board because some of
>>> them may not know this :).
>> No, there are more places from where URLs can be extracted, but "href" is one that must work.
>
> With modern email clients "helpfully" presenting text that looks like a URL
> as a real URL at the client end, SafeBrowsing really ought to check the plain
> text, not just within html tags. http://pastebin.com/m13232c54 may be just
> plain text when transmitted and scanned, but it's an "" by the time I
> read it: underlined, blue, and turns my cursor to a pointy finger with a
> pop-up box saying "Click to follow link".

I don't imagine the world's premier spammers are sitting at their laptop in their shorts sending out thousands of spams with Thunderbird. There are purpose built products for this and can format the mail any way they wish.

dp

Re: [Clamav-users] Problems building in solaris related to unrar libraries
Dennis Peterson said the following, On 03/17/2009 03:29 PM:
> George R. Kasica wrote:
> If you run the crle command with no options it will report the current global
> library search path. It will also present a command line example of how to
> recreate this path. You can use that example and add any additional paths
> needed.

I find it easiest to deal with this at compile time. If you set LDFLAGS and include the -R and -L (--library-path -rpath for linux) arguments before you run configure the runtime linker will know where to find the needed libraries. You then won't need to drag around LD_LIBRARY_PATH or LD_RUN_PATH anymore to make that binary function. You can also minimize the paths searched by crle (ld.so.conf linux) which are global for all binaries.

CC=gcc CFLAGS="-O2 -pipe" LDFLAGS="-L/usr/local/lib -R/usr/local/lib" \
./configure

--
steve

Re: [Clamav-users] test for SafeBrowsing?
On Wed, Mar 18, 2009 at 01:55:14PM CET, Dennis Peterson said:
> Moray Henderson (ICT) wrote:
> >> From: Török Edwin [mailto:edwinto...@gmail.com]
> >>>> Try using for the URL.
> >>> Is that a requirement? If so we should get the spammers on board because some of
> >>> them may not know this :).
> >> No, there are more places from where URLs can be extracted, but "href" is one that must work.
> >
> > With modern email clients "helpfully" presenting text that looks like a URL
> > as a real URL at the client end, SafeBrowsing really ought to check the
> > plain text, not just within html tags. http://pastebin.com/m13232c54 may
> > be just plain text when transmitted and scanned, but it's an "" by
> > the time I read it: underlined, blue, and turns my cursor to a pointy
> > finger with a pop-up box saying "Click to follow link".
>
> I don't imagine the world's premier spammers are sitting at their laptop in
> their shorts sending out thousands of spams with Thunderbird. There are purpose
> built products for this and can format the mail any way they wish.
>

What was said is that many MUA, *receiving* a mail with an URL in the text will automatically create a link from it. It has nothing to do with the sending software.

--
Erwan

Re: [Clamav-users] test for SafeBrowsing?
On Wed, Mar 18, 2009 at 05:55, Dennis Peterson wrote:
> Moray Henderson (ICT) wrote:
>>> From: Török Edwin [mailto:edwinto...@gmail.com]
>>>>> Try using for the URL.
>>>> Is that a requirement? If so we should get the spammers on board because some of
>>>> them may not know this :).
>>> No, there are more places from where URLs can be extracted, but "href" is one that must work.
>>
>> With modern email clients "helpfully" presenting text that looks like a URL
>> as a real URL at the client end, SafeBrowsing really ought to check the
>> plain text, not just within html tags. http://pastebin.com/m13232c54 may be
>> just plain text when transmitted and scanned, but it's an "" by the
>> time I read it: underlined, blue, and turns my cursor to a pointy finger
>> with a pop-up box saying "Click to follow link".
>
> I don't imagine the world's premier spammers are sitting at their laptop in
> their shorts sending out thousands of spams with Thunderbird. There are purpose
> built products for this and can format the mail any way they wish.
>

Whether or not they're sending using Thunderbird isn't relevant. What's relevant is whether or not they know that the receiving mail clients will try to turn plain text URL's into clickable links.

I'm pretty sure that, no matter what sending tool they're using, they're aware of this feature of modern mail clients. And I'm also very sure, from having seen it in the wild, that they exploit it.

Re: [Clamav-users] test for SafeBrowsing?
Erwan David wrote:
> On Wed, Mar 18, 2009 at 01:55:14PM CET, Dennis Peterson said:
>> Moray Henderson (ICT) wrote:
>>>> From: Török Edwin [mailto:edwinto...@gmail.com]
>>>>>> Try using for the URL.
>>>>> Is that a requirement? If so we should get the spammers on board because some of
>>>>> them may not know this :).
>>>> No, there are more places from where URLs can be extracted, but "href" is one that must work.
>>> With modern email clients "helpfully" presenting text that looks like a URL
>>> as a real URL at the client end, SafeBrowsing really ought to check the
>>> plain text, not just within html tags. http://pastebin.com/m13232c54 may
>>> be just plain text when transmitted and scanned, but it's an "" by
>>> the time I read it: underlined, blue, and turns my cursor to a pointy
>>> finger with a pop-up box saying "Click to follow link".
>> I don't imagine the world's premier spammers are sitting at their laptop in
>> their shorts sending out thousands of spams with Thunderbird. There are purpose
>> built products for this and can format the mail any way they wish.
>>
>
> What was said is that many MUA, *receiving* a mail with an URL in the
> text will automatically create a link from it. It has nothing to do
> with the sending software.
>
>

I see - I think we're all recommending that ClamAV detect URL's regardless of how they're presented in the message. And that will certainly include encoded URL's and all the HTML tricks that can be used to disguise them from scanning software. I would not suggest they go so far as to build in a JavaScript engine to find those URL's that are intended to be constructed in the browser or MUA at rendering time, but it may come to that at some point.

dp

[Clamav-users] Extracting information from the new clamav-milter
I have started testing the new clamav-milter. We had been doing some specialized processing with the old one, and I am trying to see if we can do this with the new one.

We reject (5xx) viruses in the initial connection. We use the postmaster notify feature, and feed those messages to a script that logs To, From, Subject, and Date in an SQL database. This way our users or support can check later to see if a mail was rejected and why.

I have not seen any easy way to extract this information from the logs the milter makes, even with verbose logging on. Is there an existing option that will let me extract this information?

==
Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/

Re: [Clamav-users] test for SafeBrowsing?
At 7:20 AM -0700 3/18/09, Dennis Peterson wrote:
>Erwan David wrote:
>> On Wed, Mar 18, 2009 at 01:55:14PM CET, Dennis Peterson said:
>>> Moray Henderson (ICT) wrote:
>>>>> From: Török Edwin [mailto:edwinto...@gmail.com]
>>>>>>> Try using for the URL.
>>>>>> Is that a requirement? If so we should get the spammers on board because some of
>>>>>> them may not know this :).
>>>>> No, there are more places from where URLs can be extracted, but "href" is one that must work.
>>>> With modern email clients "helpfully" presenting text that looks like a URL
>>>> as a real URL at the client end, SafeBrowsing really ought to check the
>>>> plain text, not just within html tags. http://pastebin.com/m13232c54 may
>>>> be just plain text when transmitted and scanned, but it's an "" by
>>>> the time I read it: underlined, blue, and turns my cursor to a pointy
>>>> finger with a pop-up box saying "Click to follow link".
>>> I don't imagine the world's premier spammers are sitting at their laptop in
>>> their shorts sending out thousands of spams with Thunderbird. There are purpose
>>> built products for this and can format the mail any way they wish.
>>>
>>
>> What was said is that many MUA, *receiving* a mail with an URL in the
>> text will automatically create a link from it. It has nothing to do
>> with the sending software.
>>
>>
>
>I see - I think we're all recommending that ClamAV detect URL's regardless of
>how they're presented in the message. And that will certainly include encoded
>URL's and all the HTML tricks that can be used to disguise them from scanning
>software. I would not suggest they go so far as to build in a JavaScript engine
>to find those URL's that are intended to be constructed in the browser or MUA at
>rendering time, but it may come to that at some point.

And deal with character encodings prior to rule application

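[Added example, not part of the original thread and not ClamAV code: a Python sketch of the two points raised above, decoding the body (including undeclared UTF-16, as in the hexdump earlier in the thread) before rules are applied, and collecting URLs from bare text as well as from href attributes. The function names, the simplified patterns and the sample bodies are assumptions constructed for illustration.]

```python
import re

# Plain-text URL pattern and href attribute pattern (both simplified for the example).
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def decode_body(raw, declared=None):
    """Decode a message part, detecting UTF-16 even if the headers do not declare it."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")  # BOM present
    sample = raw[:512]
    if len(sample) >= 8:
        # ASCII-range text in UTF-16 has a NUL in every second byte.
        even = sample[0::2].count(0) / len(sample[0::2])
        odd = sample[1::2].count(0) / len(sample[1::2])
        if odd > 0.6 and even < 0.1:
            return raw.decode("utf-16-le", errors="replace")
        if even > 0.6 and odd < 0.1:
            return raw.decode("utf-16-be", errors="replace")
    for enc in (declared, "utf-8"):
        try:
            if enc:
                return raw.decode(enc)
        except (LookupError, UnicodeDecodeError):
            pass
    return raw.decode("latin-1")  # never fails; keeps the bytes scannable


def extract_urls(raw, declared=None):
    """Return URLs from href attributes and from bare text, after decoding."""
    text = decode_body(raw, declared)
    found = []
    for url in HREF_RE.findall(text) + URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")
        if url and url not in found:
            found.append(url)
    return found


def naive_scan(raw):
    """Scanner that applies the pattern to the bytes as if they were ASCII."""
    return URL_RE.findall(raw.decode("ascii", errors="ignore"))


# Constructed samples: a wide-character plain-text body and an HTML part.
WIDE_BODY = "Hi,\r\n\r\nhttp://pastebin.com/m13232c54\r\n\r\nCheers,\r\n\r\nSteve\r\n".encode("utf-16-le")
HTML_BODY = b'<p>See <a href="http://example.com/a">here</a> or www.example.org.</p>'

if __name__ == "__main__":
    print(naive_scan(WIDE_BODY))                 # misses the URL
    print(extract_urls(WIDE_BODY, "us-ascii"))   # finds it despite the wrong charset label
    print(extract_urls(HTML_BODY, "utf-8"))
```
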
Re: [Clamav-users] ClamAV and VirusTotal
On 17 Mar 2009 at 21:22, Tomasz Kojm wrote:
> out of the box windows support is planned for ClamAV 0.96; in general
> we don't distribute any binaries but we may consider doing this for
> windows when the support is mature enough

Thanks for the update.

paul

Re: [Clamav-users] Failed milter upgrade to .95rc2
On Tue, 17 Mar 2009 19:50:20 -0700 Ed Kasky wrote:
> Does the required entry in sendmail.mc change at all?
>
> INPUT_MAIL_FILTER(`clamav',
> `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
> define(`confINPUT_MAIL_FILTERS', `spf-milter,clamav')dnl
>
> Ed

I'm running with a couple extra timeouts defined...

INPUT_MAIL_FILTER(`clamav',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl

but the real work is getting the milter running from the config file, and separate from the clamd stuff.

I've been running from svn for a while ( the last stable release proving unstable on my VPS-based implementation - which by design has no swap ), and it's been solid as a rock.

Steve

--
Steve Holdoway
http://www.greengecko.co.nz

Re: [Clamav-users] Failed milter upgrade to .95rc2
At 09:00 PM Wednesday, 3/18/2009, Steve Holdoway wrote -=>
>On Tue, 17 Mar 2009 19:50:20 -0700
>Ed Kasky wrote:
>
> > Does the required entry in sendmail.mc change at all?
> >
> > INPUT_MAIL_FILTER(`clamav',
> > `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
> > define(`confINPUT_MAIL_FILTERS', `spf-milter,clamav')dnl
> >
> > Ed
>I'm running with a couple extra timeouts defined...
>
>INPUT_MAIL_FILTER(`clamav',`S=local:/var/run/clamav/clmilter.sock,
>F=, T=S:4m;R:4m;C:30s;E:10m')dnl
>
>but the real work is getting the milter running from the config
>file, and separate from the clamd stuff.
>
>I've been running from svn for a while ( the last stable release
>proving unstable on my VPS-based implementation - which by design
>has no swap ), and it's been solid as a rock.
>
>Steve

Thanks. I will give it a shot over the weekend. I went through the config file pretty carefully but know there are always one or two things that will pop up when I do an upgrade such as this one.

I'll let you know how it goes...

Ed

... Randomly Generated Quote (712 of 1520):
I'd rather see a sermon than hear one any day; I'd rather one should walk with me than merely tell the way.
-Edgar Guest, poet (1881-1959)