... mad about email, sane about security ...
Phishing and Scam Signatures for ClamAV


Here's some brief documentation:

Signature making method used: method.pdf based on ClamAV signature docs

Signature making Example (using ClamAV Extended Database Format .NDB):

SaneSecurity.Phishing.Auction.2099:3:*:656261792073656e742074686973206d65737361676521
 
SaneSecurity.Phishing.Auction    SaneSecurity header
.2099                            Database line number
:3                               FileType:
                                   0 = any file
                                   3 = HTML (normalised)
                                   4 = Mail file
                                   7 = ASCII text file (normalised)
:*                               Anywhere in file
:656261792073656e742074686973206d65737361676521
                                 Hex of the phishing email text to match,
                                 e.g. ebay sent this message!
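
The field breakdown above, as an added Python example (not part of the original page or Sanesecurity's own tooling): it splits the sample signature into its fields, decodes the hex and tests it against a constructed HTML snippet. The names parse_ndb, matches and SAMPLE_HTML are hypothetical; only the four-field form with a plain hex pattern and offset * is handled, and lowercasing is a simplified stand-in for ClamAV's normalisation.

```python
from dataclasses import dataclass

# FileType values as listed on this page
FILE_TYPES = {0: "any file", 3: "HTML (normalised)", 4: "Mail file",
              7: "ASCII text file (normalised)"}

SIG = "SaneSecurity.Phishing.Auction.2099:3:*:656261792073656e742074686973206d65737361676521"
SAMPLE_HTML = b"<html><body><p>eBay sent this message!</p></body></html>"  # constructed sample


@dataclass
class NdbSignature:
    header: str       # e.g. SaneSecurity.Phishing.Auction
    line_number: int  # e.g. 2099
    file_type: int    # key of FILE_TYPES
    offset: str       # "*" means anywhere in the file
    pattern: bytes    # decoded hex signature


def parse_ndb(line: str) -> NdbSignature:
    """Split Name:FileType:Offset:HexSignature and decode the hex body."""
    parts = line.strip().split(":")
    if len(parts) != 4:
        raise ValueError("expected Name:FileType:Offset:HexSignature")
    name, ftype, offset, hexsig = parts
    header, _, number = name.rpartition(".")
    if not header or not number.isdigit():
        raise ValueError("name does not end in a database line number")
    if int(ftype) not in FILE_TYPES:
        raise ValueError(f"FileType {ftype} is not one listed on this page")
    try:
        pattern = bytes.fromhex(hexsig)
    except ValueError:
        # Wildcard syntax is outside the scope of this example
        raise ValueError("only plain hex patterns are supported here") from None
    if not pattern:
        raise ValueError("empty hex signature")
    return NdbSignature(header, int(number), int(ftype), offset, pattern)


def matches(sig: NdbSignature, data: bytes) -> bool:
    """Return True if the decoded pattern occurs anywhere in data."""
    if sig.offset != "*":
        raise NotImplementedError("only offset '*' (anywhere) is handled")
    if sig.file_type in (3, 7):
        data = data.lower()  # assumption: simplified stand-in for normalisation
    return sig.pattern in data


if __name__ == "__main__":
    sig = parse_ndb(SIG)
    print(sig.header, sig.line_number, FILE_TYPES[sig.file_type], sig.pattern)
    print("match:", matches(sig, SAMPLE_HTML))
```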


Current SaneSecurity signature meanings:

SaneSecurity Signature meanings (phish.ndb.gz)

Sanesecurity.Phishing.Rd Html based redirects
Sanesecurity.Phishing.Slw Html based
Sanesecurity.Phishing.Jsc Html based
Sanesecurity.Phishing.Onf Html based
Sanesecurity.Phishing.Hex Simple Heuristics based hex urls
Sanesecurity.Phishing.Ivt Html based invalid tags
Sanesecurity.Phishing.Cur Simple Heuristics based on urls or headers
Sanesecurity.Phishing.Dca Html based doubleclick revenue link
Sanesecurity.Phishing.Nam Html based common fake html editor
Sanesecurity.Phishing.Auction eBay phishing attempts
Sanesecurity.Phishing.Azon Amazon phishing attempts
Sanesecurity.Phishing.Bank Phishing attempts for banks
Sanesecurity.Phishing.Card Ecard phishing attempts
Sanesecurity.Phishing.Pay PayPal phishing attempts
Sanesecurity.Phishing.Fake Fake phishing attempts
Sanesecurity.Malware Malware, containing malware links or attachments

SaneSecurity Signature meanings (scam.ndb.gz)
Sanesecurity.Spam General high hit spam rubbish

Sanesecurity.ScamL Lottery Scams
Sanesecurity.Scam4 419 Scams
Sanesecurity.Loan Loan scams
Sanesecurity.Stk Stock scams
Sanesecurity.Job Job scams
Sanesecurity.Dipl Diploma scams
Sanesecurity.Img Image scams/spam
Sanesecurity.ImgO OEM Image scams/spam
Sanesecurity.Hdr Unique known "bad" headers or header based spam

SaneSecurity Signature meanings (junk.ndb.gz)
Sanesecurity.Junk General high hitting junk (autogenerated)

SaneSecurity Signature meanings (rogue.ndb.gz)
Sanesecurity.Rogue Rogue anti-virus software
Sanesecurity.Trojan Fake codecs or other malware

© sanesecurity.com. All Rights Reserved. Legal Notice ClamAV is a registered trademark of Sourcefire, Inc.