... mad about email, sane about security ...
Phishing and Scam Signatures for ClamAV

SaneSecurity signatures are the result of hard work and a commitment to providing
professional-quality third-party signatures to the web community.

If you would like to give something back for your use of these signatures,
or simply want to support us, please consider making a donation.


Linux-flavoured users: please try to use the provided scripts where possible, and double-check the cron job schedule, as neither I nor the mirrors will appreciate signatures being downloaded every second.

If you are using your own scripts, please also:

* download signatures only when there have been changes
* download the signatures no more frequently than hourly
* only download from the following main round-robin URLs:

http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
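The three rules above in one small POSIX sh updater, added here as an example; it is not one of the contributed scripts listed below. The database and working directories, and the use of curl, gzip and clamdscan, are assumptions for a typical Linux install.

```shell
#!/bin/sh
# Added example, not one of the scripts listed on this page: a minimal "polite"
# updater for the three rules above. DB_DIR, WORK_DIR and the use of curl are assumptions.
set -eu
DB_DIR="${DB_DIR:-/var/lib/clamav}"             # one of the "Linux:" paths on this page
WORK_DIR="${WORK_DIR:-/var/tmp/sanesecurity}"   # keeps the last .gz for If-Modified-Since
URLS="http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz"

# 30 s .. 10 min random delay so hourly cron jobs on many hosts spread their hits.
polite_delay() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( 30 + r % 571 ))
}

# Fetch only if the server copy is newer than ours (curl -z = If-Modified-Since, -R keeps
# the remote mtime); a 304 leaves the temp file empty. Returns 0 only if a new file was stored.
fetch_if_changed() {
    url="$1"; gz="$2"; tmp="$gz.tmp"; old="none"
    if [ -f "$gz" ]; then
        old=$(cksum < "$gz")
        curl -fsS -R -z "$gz" -o "$tmp" "$url"
    else
        curl -fsS -R -o "$tmp" "$url"
    fi
    if [ -s "$tmp" ] && [ "$(cksum < "$tmp")" != "$old" ]; then
        mv "$tmp" "$gz"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Unpack via write-then-rename so clamd never reads a half-written .ndb file.
install_db() {
    gz="$1"; dir="$2"; name=$(basename "$gz" .gz)
    gzip -dc "$gz" > "$dir/.$name.new"
    mv "$dir/.$name.new" "$dir/$name"
}
main() {
    mkdir -p "$WORK_DIR"
    sleep "$(polite_delay)"
    changed=0
    for url in $URLS; do
        gz="$WORK_DIR/$(basename "$url")"
        if fetch_if_changed "$url" "$gz"; then install_db "$gz" "$DB_DIR"; changed=1; fi
    done
    if [ "$changed" -eq 1 ]; then clamdscan --reload; fi   # make clamd load the new files
}
# Runs only under its intended filename (so it can be sourced for tests); cron: 17 * * * * /usr/local/sbin/sanesecurity-update.sh
case "${0##*/}" in sanesecurity-update.sh) main ;; esac
```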

Linux (aka non-Windows) Download Scripts (rename to .sh)

Author: Norbert Buchmuller (last updated 22.12.07)
  Downloads the Phish and Scam databases. Also downloads the Third-Party MSRBL databases via Rsync (based on download script 1b).
  Note: this script sleeps for 30 seconds to 10 minutes in order to reduce strain on the server.

Author: Rick Cooper (last updated 14.08.07)
  Downloads the Phish and Scam databases. Also downloads the Third-Party MSRBL databases via Rsync.
  Note: this script sleeps for 30 seconds to 10 minutes in order to reduce strain on the server.

Author: Bill Landry (last updated 25.09.07)
  Downloads the SaneSecurity Phish/Scam databases, the MSRBL databases and SecuriteInfo's Unofficial malware database (last version).

Author: Gerard Seibert (last updated 10.12.07)
  Downloads the Phish and Scam databases. Also downloads the Third-Party MSRBL databases (via Rsync) and SecuriteInfo's Unofficial malware database.

Author: Dan Larsson (last updated 25.08.07)
  Downloads the Phish and Scam databases. Also downloads the Third-Party MSRBL databases (via Rsync) and SecuriteInfo's Unofficial malware database.

Windows Download Scripts

Author: tBB (last updated 17.05.07)
  Downloads the Phish and Scam databases. Also downloads the Third-Party MSRBL databases via Rsync.
  Note: for Win2k(3) and XP systems only.

The unzipped databases are placed in the normal ClamAV database directories, for example:

Linux: /var/lib/clamav/
Linux: /usr/local/share/clamav/

Tbb Builds: C:\clamav\data
w32 ClamAV Build: C:\Program Files\clamAV\data
ClamWin Build: C:\Documents and Settings\All Users\.clamwin\db\

Signature Problems

Note: Some of the download scripts also download other Third-Party signatures and are therefore not under the control of SaneSecurity.

If you have problems with a signature, please check the signature names:

Sanesecurity: contact Sanesecurity
MSRBL-Images or MSRBL-SPAM: contact MSRBL
MBL: contact Malware Block List
-SecuriteInfo.com: contact SecuriteInfo

Signature Testing

To make sure you are getting the best out of the Sanesecurity signatures,
run the following three email tests and make sure that your email setup passes all three:


TEST 1: Html.Sanesecurity.TestSig_Type3_Bdy

Send an HTML-formatted email to yourself with this text in the BODY of the email:

body_rrg63uhj2ucyeccrux7d83a4qd5ua5vnlgwjp6b6fmpzpobzjabftehuhraxfbyzzzzz


TEST 2: Email.Sanesecurity.TestSig_Type4_Hdr

Send an email to yourself with this text in the SUBJECT of the email:

rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby

TEST 3: Email.Sanesecurity.TestSig_Type4_Bdy

Send an email to yourself with this text in the BODY of the email:

body_rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZ0ajdjkwjnSSDfsdfsdfnwerd


Results


TEST 1: Html.Sanesecurity.TestSig_Type3_Bdy FOUND
TEST 2: Email.Sanesecurity.TestSig_Type4_Hdr FOUND
TEST 3: Email.Sanesecurity.TestSig_Type4_Bdy FOUND

TEST 2 is an important one to pass, as many of the newer signatures match on the message headers of an email. If you fail this test, it is usually because your email system is not passing the complete RAW/whole message to ClamAV for scanning.
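One way to tell "signatures not loaded" apart from "the mail path does not hand ClamAV the raw message", added here as an example and not part of this page or of Sanesecurity's scripts: write the three test messages above as raw files, scan them directly with clamscan as a baseline, then send the very same files to yourself through the local MTA. The database directory, the From address and the use of clamscan and sendmail are assumptions.

```shell
#!/bin/sh
# Added example: writes the three test messages above as raw files, then either
# scans them directly (baseline) or mails them to yourself through the real path.
# DB_DIR, FROM and the use of clamscan/sendmail are assumptions, not from the page.
set -eu
DB_DIR="${DB_DIR:-/var/lib/clamav}"
FROM="${FROM:-postmaster@example.com}"   # constructed address; set to your own

# Write one raw RFC 2822 message: $1 file, $2 subject, $3 content type, $4 body.
write_msg() {
    printf 'From: %s\nTo: %s\nSubject: %s\nMIME-Version: 1.0\nContent-Type: %s; charset=us-ascii\n\n%s\n' \
        "$FROM" "$FROM" "$2" "$3" "$4" > "$1"
}

# test1.eml: HTML body token; test2.eml: Subject token; test3.eml: plain body token.
write_test_messages() {
    write_msg "$1/test1.eml" "Sanesecurity TEST 1" "text/html" \
        "<html><body><p>body_rrg63uhj2ucyeccrux7d83a4qd5ua5vnlgwjp6b6fmpzpobzjabftehuhraxfbyzzzzz</p></body></html>"
    write_msg "$1/test2.eml" "rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby" "text/plain" \
        "TEST 2: the test string is in the Subject header only."
    write_msg "$1/test3.eml" "Sanesecurity TEST 3" "text/plain" \
        "body_rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZ0ajdjkwjnSSDfsdfsdfnwerd"
}

# Baseline: scan the raw files with the local databases. Three "... FOUND" lines here
# but misses when the same files are mailed means the MTA/amavisd handoff is dropping
# headers or body, not that the signatures are missing.
baseline_scan() {
    clamscan --no-summary -d "$DB_DIR" "$1"/test*.eml || true   # non-zero exit (1) just means FOUND
}

# Send the same files through the local MTA so they travel the real scanning path.
send_to_self() {
    for f in "$1"/test*.eml; do sendmail -t < "$f"; done
}

case "${1:-}" in
    scan) d=$(mktemp -d); write_test_messages "$d"; baseline_scan "$d" ;;
    send) d=$(mktemp -d); write_test_messages "$d"; send_to_self "$d" ;;
    *) echo "usage: $0 scan|send" ;;
esac
```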

For example, in the amavisd-new settings, use the key 'MAIL' in @keep_decoded_original_maps, e.g.:

    @keep_decoded_original_maps = (new_RE(
        qr'^MAIL$',                 # retain full original message for virus checking
        qr'^MAIL-UNDECIPHERABLE$',  # recheck full mail if it contains undecipherables
        qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
    ));

You may find that you already have a '^MAIL$' entry in there, commented out by default. Uncomment it and restart amavisd-maia; the full, undecoded body of the email will then be scanned in addition to the attachments.

For more information on the above, see this thread



Disclaimer:

Whilst every effort has been made by Sanesecurity to ensure that the signatures don't lead to false positives, we make no warranty that the signatures will meet your requirements, be uninterrupted, complete, timely, secure or error free. You must therefore use them at your own risk.

© sanesecurity.com. All Rights Reserved. ClamAV is a registered trademark of Sourcefire, Inc.