Rick Cooper schrieb:
-----Original Message-----
From: Matthias Haegele [mailto:[EMAIL PROTECTED]
Sent: Monday, May 14, 2007 8:30 AM
To: SpamAssassin
Subject: Re: Does anyone catch this....
Dennis Davis schrieb:
On Mon, 14 May 2007, Duncan Hill wrote:
From: Duncan Hill <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
Subject: Re: Does anyone catch this....
On Mon, May 14, 2007 11:32, Matt Hampton wrote:
http://www.coders.co.uk/slipped.through.txt
It has sailed through both a SA3.1.8 and SA3.2.0
(3.2.0-pre2-r512851)
running on recent versions of MailScanner
The ClamAV engine tends to work well on a large number of that
type of phish. Local testing shows DCC hitting it, but that's
about it. Doesn't help that Halifax don't publish SPF records.
In particular the Sanesecurity additions to ClamAV detect this as:
Html.Phishing.Bank.Sanesecurity.06030604
We've detected (and rejected) over 1300 copies of this particular
phishing scam over the last couple of weeks or so.
Link:
http://sanesecurity.co.uk/clamav/usage.htm
For Debian the example script (Example 1) had to be fixed (paths dont
match),
dont know if you need to fix it for other distris too ...
For testing use the sample fishing attachment.
I just sent Steve an updated script that accommodates the trailing back
slash the debian adds to the clam db dir in the debug output and add -m 1 to
the grep so it short circuits finding the clam db dir (so it now takes less
than a second), and I added rsync for the MSRBL-* files since that site not
only supports it but prefers it be handled that way. I would imagine Steve
will have it up sometime today, I have been testing it since he made the
last change to the mirroring methods last week.
Ralf Hildebrandt Blog contains a download link to the (working) script:
http://www.amazon.com/gp/blog/A1XJVH38GHOSHB
thx, again for it good work...
Rick
--
GrĂ¼sse/Greetings
MH
Dont send mail to: [EMAIL PROTECTED]
--
