On Sunday 26 Feb 2006 14:01, Steve Basford wrote:
> Hi,
>
> You'll all be glad to hear I don't intend to post here every time I do
> an update of the sigs,
> but as I've added a few sigs today and updated the main website a
> little, I thought I'd post to the list:
>
> http://www.sanesecurity.com/clama
Steve Basford wrote:
Hi,
You'll all be glad to hear I don't intend to post here every time I do
an update of the sigs,
but as I've added a few sigs today and updated the main website a
little, I thought I'd post to the list:
Thanks for your work Steve.
I don't yet use your signatures but I still
Hi,
You'll all be glad to hear I don't intend to post here every time I do
an update of the sigs,
but as I've added a few sigs today and updated the main website a
little, I thought I'd post to the list:
http://www.sanesecurity.com/clamav/
For those interested, here are some stats from a couple
On Thu, 2 Feb 2006, George R. Kasica wrote:
> From: George R. Kasica <[EMAIL PROTECTED]>
> To: ClamAV users ML
> Date: Thu, 02 Feb 2006 15:40:41 -0600
> Subject: Re: [Clamav-users] Unofficial Phishing Signatures
> Reply-To: ClamAV users ML
>
> >On Thu, 02 Feb
Dennis Peterson wrote:
I can verify it blocks legitimate mail from Ebay (outbidnotice and endofitem).
I cannot provide samples for obvious reasons.
Thanks to all for the reports... the signature was faulty and I've now
disabled it. I've re-uploaded, with it removed.
Sorry for all this
>
>
> > I'm getting false positives with
> > Html.Phishing.Auction.Gen009.Sanesecurity.06020102
> >
> > Marking legit eBay communications as Phish; bid confirmations, outbid
> > notices, "you won" notices.
> >
> Okay, I've disabled this sig and re-uploaded... that should fix it until
> I can fi
I'm getting false positives with
Html.Phishing.Auction.Gen009.Sanesecurity.06020102
Marking legit eBay communications as Phish; bid confirmations, outbid
notices, "you won" notices.
Okay, I've disabled this sig and re-uploaded... that should fix it until
I can find sample email.
One thing
On Thu, 2 Feb 2006, Steve Basford wrote:
> Could you give me the signature names that match the false positives
> please.
Oh, duh. Of course.
Looks like 2 completely different kinds of eBay communications both
matched: Html.Phishing.Auction.Gen009.Sanesecurity.06020102
Thanks.
Jeffrey Moskot
At 03:43 PM 2/2/2006, Steve Basford wrote:
jef moskot wrote:
The latest batch seems to include a number of false
positives, so I had to
revert. I don't want to submit private user data, but an
example is the
apparently legit report from eBay entitled "Changes to
eBay User Agreement
and Pri
jef moskot wrote:
The latest batch seems to include a number of false positives, so I had to
revert. I don't want to submit private user data, but an example is the
apparently legit report from eBay entitled "Changes to eBay User Agreement
and Privacy Policy".
Other issues include apparently
>On Thu, 02 Feb 2006 19:40:17 +, you wrote:
>
>Dennis Davis wrote:
>> Very useful. I started using these signatures on this University's
>> mail servers on Monday. Appended below are the stats on the
>> incoming crap they stopped yesterday (Tuesday).
>>
>> Virus
The latest batch seems to include a number of false positives, so I had to
revert. I don't want to submit private user data, but an example is the
apparently legit report from eBay entitled "Changes to eBay User Agreement
and Privacy Policy".
Other issues include apparently legitimate communicati
Mark Twells wrote:
Apologies for wibbling in the group, but I don't appear to have the root
message of this thread.
Where might I obtain these unofficial signatures?
From Steve Basford on 1/24/06:
http://www.sanesecurity.com/clamav/
___
http://lurk
Mark Twells wrote:
Where might I obtain these unofficial signatures?
http://www.sanesecurity.com/clamav/
Cheers,
Steve
___
http://lurker.clamav.net/list/clamav-users.html
e, 24 Jan 2006 20:49:03 +0000
>>Subject: [Clamav-users] Unofficial Phishing Signatures
>>
>>There are already a number of great phishing signatures in ClamAV
Dennis Davis wrote:
Very useful. I started using these signatures on this University's
mail servers on Monday. Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).
Virus Count
-
> I feel that it's going to be quite difficult for me to go through 500-odd
> ClamAV phishing signatures and
> compare them, with an editor to my 100-ish signatures and find out what
> bits are duplicated. I really
> need some samples.
>
> If possible, to save a whole load of time... could you:
On Tue, 24 Jan 2006, Steve Basford wrote:
> From: Steve Basford <[EMAIL PROTECTED]>
> To: clamav-users@lists.clamav.net
> Date: Tue, 24 Jan 2006 20:49:03 +0000
> Subject: [Clamav-users] Unofficial Phishing Signatures
>
> There are already a number of great phishing signat
Webmaster wrote:
Your signatures are based on HTML (Filetype = 3).
Shouldn't it be based on Mail (Filetype = 4) ?
Interesting... I'll do some tests later today changing the type.
The interesting thing though, is that when you go to the online database
search site http://clamav-du.securesi
Hello Steve,
On Tuesday 24 January 2006 21:49, Steve Basford wrote:
> As I've seen a number of new phishing attempts get past the Official
> ClamAV signatures, I thought I'd try to produce my own signatures, to
> see if some of these newer phishing attempts could be stopped.
>
> They are here to
Oliver Stöneberg wrote:
You should really cleanup your signatures. I have a Phishing set of
512 Phishing of which 23 are not recognised by ClamAV. From those
only 4 are captured by your signatures, which are the following:
Firstly, thanks for the feedback. Although I must say, I'm
disappo
Dennis Peterson wrote:
It's worth repeating the question I asked over a week ago - what
methodology is used in collecting these so that dupes are avoided?
Nobody answered, unfortunately, so now we see we have dupes.
Sorry for the delay... apart from being more than a little busy... I
must a
Oliver Stöneberg wrote:
So these are Phishing mails, that are not recognised by ClamAV, but
by your signatures.
If I scan the complete set with your signatures a lot of mails
already recognised by ClamAV are actually recognised by your
signatures, so there are quite some duplicates in your s
You should really cleanup your signatures. I have a Phishing set of
512 Phishing of which 23 are not recognised by ClamAV. From those
only 4 are captured by your signatures, which are the following:
d:\_ham-mails\_scan/phishing.070:
Html.Phishing.Bank.Sanesecurity.05080100 FOUND
d:\_ham-mails\_
On 1/29/06, Steve Basford <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Firstly, I've done an update to the Unofficial Phishing Signatures.
>
> Secondly... will whoever is using ip address 216.35.188.119, please sort
> out their wget config file:
A quick WhoIS check says it's mail.mrball.net (POC todd mrb
Hi,
Firstly, I've done an update to the Unofficial Phishing Signatures.
Secondly... will whoever is using ip address 216.35.188.119, please sort
out their wget config file:
216.35.188.119 - - [29/Jan/2006:20:36:01 +] "HEAD /clamav/phish.ndb
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.11
On Thu, Jan 26, 2006 at 10:32:22PM +, Steve Basford said:
>
>
> Mike Robinson wrote:
> >The first question is, does clamd automatically detect changes to .ndb
> >files?
> Sorry for the late reply...
>
> I did a quick test and it seems to only get "re-loaded", after running
> freshclam,
c
On Thu, 26 Jan 2006 22:32:22 +
Steve Basford <[EMAIL PROTECTED]> wrote:
> Mike Robinson wrote:
> > The first question is, does clamd automatically detect changes to .ndb
> > files?
> Sorry for the late reply...
>
> I did a quick test and it seems to only get "re-loaded", after running
> fr
On Wednesday 25 January 2006 10:24 am, Mike Robinson wrote:
> Jason Haar wrote:
> > Dennis Peterson wrote:
> >> What methodology are you using to create these? It looks
> >> like an opportunity for collaboration if there's a way
> >> to avoid dupes.
> >
> > If signature development is truly getting
Mike Robinson wrote:
The first question is, does clamd automatically detect changes to .ndb
files?
Sorry for the late reply...
I did a quick test and it seems to only get "re-loaded", after running
freshclam,
ie: like this:
1) example phish.ndb has two sigs
2) clamd is running
3) you o
On Wed, Jan 25, 2006 at 06:40:37PM +, Steve Basford wrote:
>If you look at Section 3.3 (Basic Signature format) you'll see that
>these databases are .db format, which
>doesn't have a html type, it looks for matches in ALL file types, which
>I th
Todd Lyons wrote:
Any reason to call it phish.ndb instead of phish.db? Just a way to make
automating it easier?
Hi Todd,
If you look at the current signature pdf docs here:
http://www.clamav.net/doc/0.88/signatures.pdf
If you look at Section 3.3 (Basic Signature format) you'll see that
the
On Tue, Jan 24, 2006 at 08:49:03PM +, Steve Basford wrote:
>Note 2: Use the unofficial phish.ndb at your own risk.
Any reason to call it phish.ndb instead of phish.db? Just a way to make
automating it easier?
--
Regards... Todd
w
Jason Haar wrote:
> Dennis Peterson wrote:
>
>> What methodology are you using to create these? It looks
>> like an opportunity for collaboration if there's a way
>> to avoid dupes.
>>
>>
> If signature development is truly getting bogged down, perhaps more
> official people are needed?
Dennis Peterson wrote:
> What methodology are you using to create these? It looks
> like an opportunity for collaboration if there's a way
> to avoid dupes.
>
If signature development is truly getting bogged down, perhaps more
official people are needed? I guess we'd hear a call for volunteers i
>
> They are here to download, if anyone is interested:
> http://www.sanesecurity.com/clamav/
>
What methodology are you using to create these? It looks
like an opportunity for collaboration if there's a way
to avoid dupes.
dp
There are already a number of great phishing signatures in ClamAV but
the Official ClamAV signature makers are obviously very busy taking care
of the higher priority Virus/Trojan signatures.
As I've seen a number of new phishing attempts get past the Official
ClamAV signatures, I thought I'd
37 matches