On Fri, 20 May 2016, Dianne Skoll wrote:

> On Fri, 20 May 2016 09:31:48 +0300
> Emin Akbulut <eminakbu...@gmail.com> wrote:
>
>> What do you suggest to fight these spams?
>
> ClamAV is basically useless.
>
> We do it the hard way.  We list the contents of attached archives
> (using "lsar") and have filename-extension rules that block .js
> inside .zip files.  While this can lead to some FPs, which we handle
> with selective whitelisting, it's very effective at catching the
> latest crop of cryptolocker-style attacks.


But isn't this exactly what the "foxhole_all.cdb" (http://sanesecurity.com/foxhole-databases/) signatures do?
(or am I missing something?).

I see that they have a "high" risk of FPs, but if you are using them as a scoring component within SA, you should be able to "temper" those results
with other SA rules such as selective use of whitelist_auth.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
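The archive-listing approach Dianne describes above, written out as an added example (this is not code from her setup or from anyone on the list). It stands in Python's standard zipfile module for "lsar", so it only covers .zip and not the other formats lsar can read; the blocked-extension set and the sample archive are constructed for illustration, and the check is applied to the basename of every member, so a script in a sub-folder or behind a decoy extension such as .PDF.JS is still matched.

```python
import io
import posixpath
import zipfile

# Extensions commonly refused inside mail attachments (constructed list for
# this example; a real gateway tunes it to its own traffic and FP handling).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".scr", ".exe", ".hta"}


def blocked_members(zip_bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the names of ZIP members whose final extension is blocked.

    Only the basename of each entry is examined, so ``scans/receipt.js``
    and ``Invoice.PDF.JS`` are both caught; directory entries are skipped.
    Non-ZIP input raises zipfile.BadZipFile so the caller can decide how
    to treat attachments it cannot decode (quarantine, score, or pass).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Some Windows zippers store backslash separators; normalise them.
            name = info.filename.replace("\\", "/")
            base = posixpath.basename(name)
            ext = posixpath.splitext(base)[1].lower()
            if ext in blocked:
                hits.append(info.filename)
    return hits


def build_sample_zip(members):
    """Build an in-memory ZIP from a {name: content} dict (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a downloader-style lure with a decoy double extension,
# a nested script, a benign text file and an empty directory entry.
SAMPLE_ZIP = build_sample_zip({
    "Invoice_2016-05-20.PDF.JS": "var sh = new ActiveXObject('WScript.Shell');",
    "scans/receipt.js": "// nested script",
    "readme.txt": "plain text, should pass",
    "images/": "",
})

if __name__ == "__main__":
    for member in blocked_members(SAMPLE_ZIP):
        print("BLOCK:", member)
```

In a mail filter this function would run on each decoded attachment and feed a score or a reject decision; the whitelisting Dianne mentions would sit in front of it, keyed on sender or recipient, so that known-good senders of .js-bearing archives are exempted rather than the rule being weakened for everyone.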
