... mad about email, sane about security ...
Phishing and Scam Signatures for ClamAV


Various quotes:

A few months ago, SpamOnion started a new procedure to improve upon its ability to detect and block email based phishing attacks and various scams. The results have been fantastic. In the past 30 days, we have blocked over 500,000 phishing attacks, scams and image based scams.

SpamOnion already makes use of the ClamAV anti-virus software to detect and block known viruses and other malware. Recently, the good people at SaneSecurity (unaffiliated with SaNE, Inc) started providing signatures that detect known phishing attacks and other scams... In January 2007 we put them into full production and so far have had zero false positives. Besides stopping many malicious phishing attacks, we have also increased our ability to block many image based attacks which are notoriously hard to detect.


  Source: SaneInc

Our company has been using your signatures on our Gateway for a little over a week now. Wow Man, Bravo! Perfect solution to the PDF Spam Nightmare. If you would like to be mentioned on our site, please say so,
I will be happy to add you. We will also be donating to you in the near future. Keep up the good work!


  Source: Ron Lorah securefoundations

This morning we had everything but the kitchen sink thrown at us. Those sanesecurity definitions blocked several hundred messages in 14 minutes, and most of them were .pdf image spam messages. Without those definitions I'm sure most, if not all of them would have made it through.


  Source: Marius freespamfilter.org

This, together with the addition of the SaneSecurity signatures for ClamAV,
has made a huge difference to the amount of spam now entering our mailboxes


  Source: Richard Whelan Pipex Communications

We have increased the effectiveness of the spam filtering system by adding the SaneSecurity ClamAV Phishing and Scam signatures. This also blocks much of the PDF spam that has recently become so prevalent. We are keeping an eye on this to ensure there are no false positives, but the results so far are very encouraging.


  Source: Virtual Names

I have to mention how pleased we are with the sanesecurity clamav tool. We
have always used spamassassin with many custom rule sets, dcc and rbls, with clamd for virus scanning.

We have been getting a large number (~4,500 per day) of these PDF and other
attachment spams making it through SA, even with PDFinfo and everything else
we could throw at them. After adding the sanesecurity sigs to clamd last
week not one PDF has made it through. And since clamd unpacks and examines
every attachment anyway it is no additional load. In fact, due to the
messages not hitting SA it probably reduced load slightly.


  Source: John P. Scully (President/CTO iSupportISP LLC)

I just installed them yesterday. Had been meaning to for a while, but things have been too busy to get the script written to update them. So, in less than 24 hours, hit over 1800 spam messages here-- about 1/3 of our spam volume.


  Source: Bret Miller (post) 

I just installed it and it's catching about one spam a second. I highly recommend this.


  Source: Marc Perkel (www.junkemailfilter.com) 

I discovered your ClamAV signatures a week or two ago, and I just had to write to you to tell you they're the best thing
I've found in a long time. They've cut my spam load by 90%.
Thank you for the work you put into maintaining them!


  Source: Richard (via email)

MailWash has incorporated the phish / scam signature sets from Sane Security which provide real time checking of thousands of known active phishing / scam sites.

The Sane Security signature sets incorporate user contributed active phishing sites as well as verified sites from phishery.internetdefence.net. The inclusion of these signature sets ensures even more effective protection against malicious content emails from ending up in your mailbox or corporate network.


  Source: www.mailwash.com.au

The real success story here has been to use Sanesecurity's anti-phishing and anti-scam databases with the ClamAV virus checker.

Works really well. For example, one of my mail relays reports the following top hits for yesterday:

Virus Count
----- -----
Email.Img.Gen001.Sanesecurity.06161101 ClamAV 616
Email.Stk.Gen082.Sanesecurity.06120631 ClamAV 532
Email.Img.Gen001.Sanesecurity.06111101 ClamAV 237
Email.Stk.Gen038.Sanesecurity.06113000 ClamAV 150
Email.Stk.Gen008.Sanesecurity.06111702 ClamAV 110
Email.Loan.Gen006.Sanesecurity.06120200 ClamAV 75
Html.Img.Gen013.Sanesecurity.06162900 ClamAV 66


  Source: Dennis Davis, BUCS, University of Bath

Thanks so much for your signatures, they have cut down phishing/scam
emails tremendously


  Source: David Norelid

In addition to (or maybe even instead of) FuzzyOCR, you should also consider using some of the add-on clamav spam/phish signature databases.

In particular I have found the sanesecurity lists to be extremely effective.


  Source: Noel Jones

It also shows that Steve's lists from Sane Security are continuing to kick some serious butt. Thanks again, Steve!



  Source: Dennis Peterson

Thanks again for an excellent resource.


  Source: G.W. Haywood

..Your signatures have made a great number of our clients extremely happy..We aren’t looking for thanks or advertising, just to ensure you keep doing what you are doing, as it greatly benefits our servers and users, it is amazing watching the tracking scripts tell us what you filter out so easily


  Source: Jason E. Reese: Owner, Geek Effect