> ClamAV is designed to protect against viruses. While their
> anti-phishing function works well, phishes and spam are not
> viruses. They probably felt the need to do something because
> the phishing threat is pretty serious, or can be if people
> get tricked by them, but we've had a SURBL phishing list for
> about a year:
> SURBLs are designed to check message body URIs, which is what
> spammers and phishers are usually trying to direct victims
> with, therefore our tool is a much better fit for the problem
> than a virus tool, IMO.
Whatever works most reliably is the best. (And that may be a
combination.)
In ClamAV's case, they have designed it to catch some proportion
of phish and an appeal to "ClamAV is designed..." to restrict it
to some limited category just doesn't past muster -- it does what
it was designed to do -- catch (most) virus and catch many phish.
Also, with a simple blacklist you don't have logic built in for
things like people mentioning the URIBL on a list like this so
recourse to whitelists, and the program logic of SpamAssassin or
some other "meta evaulation" method.
Presumably -- now you have me interested so I am going to check
-- ClamAV does more than a naive pattern match on the URI and
apparently they even have (had) endless debates in the ClamAV
newsgroups/lists on this subject.
It's sort of like Tastes Great -- Less Filling. Silly argument
when what we really want is great taste without getting fat.
<grin> (Or pick one: revolvers vs. automatics, Macs vs. PCs,
blonds vs. redheads, etc....)
Whatever works -- works.
And by the way: I REALLY appreciate your SURBL lists and hard
work even if I think other tools supplement and help make your
stuff even better.
My security principles include (but are not limited to):
1) Stop as much as possible at the outer perimeter
(earlier the better)
2) Defense in depth
For us, the virus scanning happens before the Spam tests;
early is good.
--
Herb Martin
