Brief bits 'n' bobs of news:
05.06.08
Updated the phishbar database.
26.05.08
Added a new experimental project Bounce, which will help block backscatter/bounce messages when you are suffering from a JoeJob/domain attack.
17.02.08
Two new mirrors added, kindly provided by Veneration
Stats page updated
Donation page added
10.09.07
Firstly, some quite amazing news: on Wednesday, 5th September, 9pm, I was lucky enough to have a 30 minute phone chat with Dean Drako, CEO of Barracuda Networks.
Dean confirmed that Barracuda are using my signatures as part of their multi-layer of defence. Dean also confirmed that Barracuda are now a SaneSecurity signature mirror and Sanesecurity even get a mention here too.
Secondly, a new experimental project PhishBar, which you can read more about here, but please read the big red flashing LED warning bits before using.
In a nutshell, it's a way of seeing if any of your users have phishing sites stored in their home directories/user space on your servers.
19.08.07
SaneSecurity signatures mentioned in a post by TechRepublic
16.08.07
Pipex and Virtual Names now using SaneSecurity signatures (see quotes page) plus added a whole raft of new quotes from various people and organisations.
07.08.07
Amazing news sent to me by someone: Barracuda seem to be using my signatures!
31.07.07
Well, after hitting 25 gig of bandwidth again this month, it's time to force people to move over to the latest round-robin urls.
So, if you're using an old script then you will no longer be receiving the Sanesecurity signatures, as the phish and scam databases at the old download locations have now been blanked.
Use the updated scripts from the usage page; round-robin urls:
http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
22.07.07
Thanks to Aluminium Feron GmbH & Co. KG we now have another mirror :) and as a result, I've removed the Tiscali mirror until I can contact someone there and get them to change their update scripts.
Other quick updates are mainly in the blog but please be aware that the old download locations will shortly be made obsolete, so make sure you're using the round-robin urls, as I cannot support the bandwidth use on my non-round-robin urls for much longer.
01.07.07
Please could everyone:
a) check their scripts are downloading no less than hourly and only on changes;
b) use the updated scripts from the usage page;
c) use the following urls only:
http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
Even though the new mirroring system is in place, 22 gig of bandwidth was used last month on my site, which is the highest it's ever been. Some of this was due to users downloading the sigs every minute, some due to users downloading the same files every hour regardless of changes.
Please double check. Thank You.
22.05.07
Thanks to Internet Solutions we now have another mirror, live from South Africa!
20.05.07
Thanks to FreeForm Technologies we now have another mirror!
15.05.07
It's been a busy couple of weeks, not only does there seem to have been a huge increase in the number of new phishing emails but also an increase in the number of problem scams. It's been hard to keep up at times!
The main news is the new download urls, which are:
http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
The above two links will now re-direct, round-robin style, to the new mirrors that people have "donated" in order to help the project. A huge thanks to the mirror providers, Christopher X. Candreva for the .htaccess code/idea and tbb (Nico) for pointing me toward the round-robin script... in order to make this all work. Thanks guys!
The download page/usage scripts have now been pretty much updated to use the above two urls (or the .co.uk version of the above).
Thanks to Geekeffect there is now another download mirror
03.05.07
Thanks to dotsrc.org and Tiscali.nl, there are now two new download mirrors.
As these are mirrored from the main site hourly, this should mean quicker update times, once you've updated your download scripts <hint>
New users are now enabled again <phew>
30.04.07
Well, for the moment I've had to suspend any new users from downloading sigs/scripts.
I've only got 20 gig hosting currently and this month, I've hit over 15 gig... so playing it safe, new users are suspended until I sort something out.
Please could everyone check that their scripts are downloading using the HEAD command i.e. only grabbing the downloads when they have changed.
Some users have been downloading the sigs regardless of changes and it's not really helping, while other users have made mistakes and are trying to download every minute :(
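The HEAD-then-download check asked for above, sketched in Python as an added example (it is not one of the project's own usage scripts). The function names and the `.stamp` sidecar file are assumptions, and the gzip integrity check and atomic replace go beyond what the post asks for.

```python
import gzip
import os
import tempfile
import urllib.request


def remote_stamp(url, timeout=30):
    """HEAD the URL and return a change marker built from ETag/Last-Modified."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return "|".join(resp.headers.get(h, "") for h in ("ETag", "Last-Modified"))


def update_if_changed(url, dest, timeout=30):
    """Download url to dest only when the HEAD marker differs from the saved one.

    Returns True if dest was replaced, False if the local copy is already current.
    """
    stamp_file = dest + ".stamp"  # hypothetical sidecar holding the last marker
    stamp = remote_stamp(url, timeout)
    if os.path.exists(dest) and os.path.exists(stamp_file):
        with open(stamp_file) as fh:
            # An empty marker (server sent neither header) never counts as a match.
            if stamp.strip("|") and fh.read() == stamp:
                return False  # unchanged: only headers were transferred
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read()
    gzip.decompress(body)  # raises on a truncated or corrupt download
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    os.chmod(tmp, 0o644)   # mkstemp creates 0600; the scanner may run as another user
    os.replace(tmp, dest)  # atomic swap, so a partial file is never visible
    with open(stamp_file, "w") as fh:
        fh.write(stamp)
    return True
```

Run it from cron no more often than hourly, once per database URL.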
28.04.07
2blog or not 2blog that is the question: http://sanesecurity.blogspot.com/
27.04.07
junkemailfilter.com are now providing SaneSecurity.com with a live phishing/419 feed from their servers. This should mean an improvement in the detection rates speeds, as new 419/phishing attempts are put out. Thanks to Marc Perkel!
Also added a section for quotes/comments I've received from people using the sigs.
11.04.07
UK ISP, Plusnet are using the phishing and scam signatures. Thanks to Bob Pullen at PlusNet, for the information
Just found a bit of time to look at daily stats: for April, it's about 8,000 visitors and 510 meg of bandwidth a day :)
10.04.07
Added a quotes section showing comments/feedback/press from users/organisations using the sanesecurity signatures.
21.02.07
UK ISP, Zen Internet are now testing the phishing and scam signatures. Thanks to Jerry Nicholls at Zen, for the positive feedback.
09.02.07
Interesting news: tiscali.nl seem to have a mirror of my phish.ndb.gz and scam.ndb.gz files, which they keep up to date every hour (roughly):
http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz
http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz
Might save me a bit of bandwidth ;)
31.01.07
Woah... has it been that long... okay... quick news rundown... I'm now doing phishing sigs for the ClamAV team, not part of the team yet but.... whoo!
Firstly, my sigs are still going to be around... as the ClamAV team and myself work to slightly different methods when it comes to phishing and how to produce signatures but basically, everyone will benefit and that's the main thing :)
Secondly... the scam sigs are doing really well, which I'm really pleased about :)
30.12.06
Well, as the year draws to a close, I'd just like to thank everyone who has supported this project, either by sending samples or just saying thanks... it means a lot!
Finally, the uncompressed phish.ndb file has now been made blank... to conserve bandwidth. Users should have been using the gzipped phish.ndb.gz database since around May time. The phish.ndb file will be removed in another month or so. CopFilter users will need to upgrade to the latest beta version.
13.12.06
Well, after a whole load of testing I've finally come up with some sigs to trap some of the pain-in-the-ass image spam. It won't get all of it but fingers crossed it'll help, just a little.
The new signatures are Email.Img.Gen016 and Email.Img.Gen017
11.12.06
Just in case people are wondering why IPs sometimes get banned from downloading the signatures, here's some quick stats:
Apr 2006: Unique visitors: 3613, Bandwidth: 1.84 GB
May 2006: Unique visitors: 11204, Bandwidth: 3.15 GB
Jun 2006: Unique visitors: 13240, Bandwidth: 2.93 GB
Jul 2006: Unique visitors: 16089, Bandwidth: 3.35 GB
Aug 2006: Unique visitors: 18865, Bandwidth: 4.37 GB
Sep 2006: Unique visitors: 20864, Bandwidth: 4.79 GB
Oct 2006: Unique visitors: 23016, Bandwidth: 6.44 GB
Nov 2006: Unique visitors: 24774, Bandwidth: 8.75 GB
Currently I'm on a 20 Gig a month hosting package, email me if you do get an IP address ban and once you've fixed your download script, you'll be re-enabled :)
04.12.06
Added a signature test, similar to the eicar test, in the usage section.
Tidied up the stats page a little and added a new site
Added some new sig types to the scam database: Email.Img, to help catch one or two types of those damn image spam emails that are driving me mad and Email.Stk, to help grab some of those text stock "alerts".
Older news
Added two new installers for Nigel's win32 port of ClamAV. You can download both the phish and scam database installers from the download page (look for the w32 clamav installer).
Uploaded the new signature download script from Gerald
If anyone wonders what the Email.Doc.Genxxx.Sanesecurity signature is, well, it's to catch some of those annoying word document spam. Not really phishing I know, but thought it'd be useful to catch them.
Internet Defence Phishery is certainly sending a few new missed samples my way.
Internet Defence Phishery are now using a "lite" version of the SaneSecurity phishing signatures, to feed their phishery. This is great news, as it now means that any phishing emails found by my signatures but missed by the official ClamAV signatures, will now be passed over to the ClamAV sig making team :)