... mad about email, sane about security ...
Phishing and Scam Signatures for ClamAV

Here's some brief documentation:

Signature making method used: method.pdf based on ClamAV signature docs

Signature making Example (using ClamAV Extended Database Format .NDB):

HTML.Phishing.Auction.SaneSecurity.06010701:3:*:656261792073656e742074686973206d65737361676521

HTML.Phishing.Auction.SaneSecurity.   Unofficial SaneSecurity Header
060107                                Date Found (YYMMDD)
01                                    Item No
:3                                    :FileType: (0=All, 3=Html)
:*                                    Anywhere in file
:656261792073656e742074686973206d65737361676521
                                      Hex of the Text/Html in the Phishing email, to match.
                                      Eg: ebay_sent this message!
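
The breakdown above as an added example (not SaneSecurity's or ClamAV's code): a parser that splits the .NDB line into its fields, decodes the date and item number from the name, and checks constructed sample content against the pattern. It assumes two-digit years are 20YY, accepts only plain hex bodies with a `*` or absolute decimal offset, and does not reproduce ClamAV's HTML normalisation; `parse_ndb`, `matches` and `SAMPLE` are names chosen for this sketch.

```python
import re
from datetime import date
from typing import NamedTuple

# The signature from the page, joined onto one line.
SIG = ("HTML.Phishing.Auction.SaneSecurity.06010701:3:*:"
       "656261792073656e742074686973206d65737361676521")
TARGETS = {0: "all", 3: "html"}  # only the two file types the page lists
# Constructed sample input, not a real message.
SAMPLE = b"<html><body><p>ebay sent this message!</p></body></html>"


class NdbSig(NamedTuple):
    header: str     # SaneSecurity name prefix, trailing dot included
    found: date     # YYMMDD part of the name
    item: int       # two-digit item number
    target: int     # file type field
    offset: str     # "*" or an absolute decimal offset
    pattern: bytes  # decoded hex body


def parse_ndb(line: str) -> NdbSig:
    name, target, offset, hexsig = line.strip().split(":")
    m = re.fullmatch(r"(.+\.)(\d{2})(\d{2})(\d{2})(\d{2})", name)
    if m is None:
        raise ValueError("name does not end in YYMMDD plus item number")
    if int(target) not in TARGETS:
        raise ValueError(f"file type {target} is not covered here")
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"offset {offset!r} is not covered here")
    yy, mm, dd, item = (int(g) for g in m.groups()[1:])
    # Assumption: two-digit years are 20YY. bytes.fromhex raises on
    # ClamAV wildcards, so only plain hex bodies are accepted.
    return NdbSig(m.group(1), date(2000 + yy, mm, dd), item,
                  int(target), offset, bytes.fromhex(hexsig))


def matches(sig: NdbSig, data: bytes, filetype: str) -> bool:
    # ClamAV's own HTML normalisation is not reproduced; data is used as given.
    if TARGETS[sig.target] not in ("all", filetype):
        return False
    if sig.offset == "*":
        return sig.pattern in data
    return data.startswith(sig.pattern, int(sig.offset))


if __name__ == "__main__":
    sig = parse_ndb(SIG)
    print(sig, matches(sig, SAMPLE, "html"))
```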


Current SaneSecurity signature meanings:

SaneSecurity Signature meanings (phish.ndb.gz)

Html.Phishing.Rdi.Gen        Html based redirects (generic)
Html.Phishing.Slw.Gen        Html based (generic)
Html.Phishing.Jsc.Gen        Html based (generic)
Html.Phishing.Onf.Gen        Html based (generic)
Html.Phishing.Hex.Gen        Html based links contain hex (generic)
Html.Phishing.Ivt.Gen        Html based invalid tags (generic)
Html.Phishing.Cur.Gen        Html based (generic)
Html.Phishing.Dca.Gen        Html based doubleclick revenue link (generic)
Html.Phishing.Nam.Gen        Html based common fake html editor (generic)
Html.Phishing.Auction.Gen    Html based eBay (generic)
Html.Phishing.Azon.Gen       Html based Amazon (generic)
Html.Phishing.Bank.          Html based for most banks (static)
Html.Phishing.Bank.Gen       Html based for most banks (generic)
Html.Phishing.Card.          Html based
Html.Phishing.Pay.Gen        Html based for PayPal (generic)
Html.Phishing.Pay.           Html based for PayPal (static)
Html.Phishing.Fake.          Other Html based fakes
Html.Malware.                Html based files with links to malware or malware sites
Html.Phishing.Pay.Gen202u    Html based for PayPal (generic). The "u" character indicates a URL technique

SaneSecurity Signature meanings (scam.ndb.gz)

Email.ScamL.Gen    Mail/Text based Lottery Scams (generic)
Html.ScamL.Gen     Html based Lottery Scams (generic)
Email.ScamS.Gen    Mail/Text based (generic)
Html.ScamS.Gen     Html based (generic)
Email.Scam4.Gen    Mail/Text based 419 Scams (generic)
Html.Scam4.Gen     Html based 419 Scams (generic)
Email.Spam.Gen     Mail/Text based general high hit spam rubbish (generic)
Email.Loan.Gen     Mail/Text based Loan scams (generic)
Email.Stk.Gen      Mail/Text based Stock scams (generic)
Email.Job.Gen      Mail/Text based Job scams (generic)
Email.Dipl.Gen     Mail/Text based Diploma scams (generic)
Html.Dipl.Gen      Html based Diploma scams (generic)
Email.Img.Gen      Mail/Text based Image scams/spam (generic)
Html.Img.Gen       Html based Image scams/spam (generic)
Email.ImgO.Gen     Mail/Text based OEM Image scams/spam (generic)

