Posted to users@spamassassin.apache.org by Lists <li...@rheel.co.nz> on 2008/12/03 21:49:23 UTC

installing sanesecurity

Hi all,

I am wanting to implement the sanesecurity addins to clamav but I am a
bit lost.
I am running CentOS5 MailScanner Spamassassin ClamAV

Do I download the download scripts from 
http://www.sanesecurity.com/clamav/usage.htm
or do I go to the downloads page? (they seem to be different)

Once I have downloaded them I rename them to .sh then I run it and it 
installs itself including the cron job?

Is this correct - I feel I may be missing a few things.

Thanks
Kate

Re: installing sanesecurity

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> Thank you for the information, I will attempt to get it up and running,
> have had a huge increase in spam in the last week or so and am just trying to get
> it under control.

What type of *spam* are you referring to that you want to kill by
throwing anti-virus signatures at them? Are all of them phishing or
scam?

Hey, you said spam. We might be back on-topic, however gray! ;)

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: installing sanesecurity

Posted by Lists <li...@rheel.co.nz>.
Karsten Bräckelmann wrote:
>> I am wanting to implement the sanesecurity addins to clamav but I am a
>> bit lost.
>> I am running CentOS5 MailScanner Spamassassin ClamAV
>>     
>
> Kate, this is the wrong mailing list. The ClamAV users list comes
> closest for third-party ClamAV (sic) signatures without a list of their
> own.
>   
Ok, sorry about that
>   
>> Do I download the download scripts from 
>> http://www.sanesecurity.com/clamav/usage.htm
>> or do I go to the downloads page? (they seem to be different)
>>     
>
> The downloads page offers the latest sig files themselves -- just in case
> one needs a snapshot. That page is *not* suitable for periodic
> updates.
>
> You need to follow the *usage* instructions and get a script that
> performs the actual download, usually run by cron. Details (how to call
> the update script and how to configure it to your needs) can be found
> alongside the respective scripts.
>
>   
>> Once I have downloaded them I rename them to .sh then I run it and it 
>> installs itself including the cron job?
>>     
>
> No, the scripts will download the latest signatures -- you need to take
> care about the cron job.
>
> The reason these need to be re-named to .sh most likely is, so you can
> conveniently read them in your browser as text/plain. Try it, click one
> of the scripts' links you like...
>
>
>   
Thank you for the information, I will attempt to get it up and running,
have had a huge increase in spam in the last week or so and am just trying to get
it under control.
Cheers for the help
Kate

Re: installing sanesecurity

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> I am wanting to implement the sanesecurity addins to clamav but I am a
> bit lost.
> I am running CentOS5 MailScanner Spamassassin ClamAV

Kate, this is the wrong mailing list. The ClamAV users list comes
closest for third-party ClamAV (sic) signatures without a list of their
own.

> Do I download the download scripts from 
> http://www.sanesecurity.com/clamav/usage.htm
> or do I go to the downloads page? (they seem to be different)

The downloads page offers the latest sig files themselves -- just in case
one needs a snapshot. That page is *not* suitable for periodic
updates.

You need to follow the *usage* instructions and get a script that
performs the actual download, usually run by cron. Details (how to call
the update script and how to configure it to your needs) can be found
alongside the respective scripts.

> Once I have downloaded them I rename them to .sh then I run it and it 
> installs itself including the cron job?

No, the scripts will download the latest signatures -- you need to take
care about the cron job.

The reason these need to be re-named to .sh most likely is, so you can
conveniently read them in your browser as text/plain. Try it, click one
of the scripts' links you like...




Re: installing sanesecurity

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-12-04 at 02:26 +0100, Karsten Bräckelmann wrote:
> On Thu, 2008-12-04 at 13:48 +1300, Kate wrote:

> > Yeah have been getting lots of variations of: 
> > http://www.pastebin.ca/1275436
> > Quite a lot are getting caught but in saying that a lot are still getting
> > through.
> 
> That one example smells like pure spam to me. Not phish, definitely not
> a scam (though I didn't investigate much).
> 
> Funnily enough, the Sanesecurity.Spam.9216 found in the *scam* sigs [1]
> does match. However, it translates to the RE
>   m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
> 
> This topic has been beaten to death recently...

More on-topic. More beating dead horses. :)  We've discussed this very
spam type recently. Scores around 10+ here...


They usually hit at least RCVD_IN_XBL, if not a few more.

They hit any custom rule for the live spaces URI, including the one
above as per SaneSecurity scam sigs, Daryls, and a custom one I am
running locally, targeting the alphanumeric alternation.

They all are direct MUA to MX transmissions, no relay.

That spample (like most of these I have seen) hit RCVD_IN_BRBL (which
has been discussed a few times recently, too) and also hits the DNSBL
RCVD_IN_NIXSPAM, which can be found as an *additional* info on the
iXhash plugin pages [2]. It does not use that hash but sending IPs,
though.

Oh, yeah, also all of those I have seen do hit a rather cute rule of
mine, which can be found in my sandbox.

rawbody  __PQRTW_4_A     m,<a name="\#[pqrtw]{4}">\s*</a>,
rawbody  __PQRTW_4_SPAN  m,<span name="\#[pqrtw]{4}">\s*</span>,
meta     PQRTW_4         __PQRTW_4_A || __PQRTW_4_SPAN
score    PQRTW_4         1.0

That score is rather conservative, FWIW.  And I sure hope the spammers
stopped reading this thread like 10 posts ago... I love that rule. :-)

  guenther


[1] Which I coincidentally just this evening started to look into for an
    entirely unrelated reason.
[2] http://ixhash.net/



Re: installing sanesecurity

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 03/12/2008 9:06 PM, Karsten Bräckelmann wrote:
>>> Darly posted a very similar rule to this a while ago, triggering on the
>>> strange cid- prefix in the live spaces URI. You can use that just as
>>> well.
>> Thanks I will give that rule a shot and check out the earlier post by Darly.
> 
> Whoops. :)  Daryl C. W. O'Shea I mean...  Sorry Daryl. Would that be ok
> as a pet-name? ;)

Sorry, a high school science teacher of mine (Phil Stoesser... Physics
with Phil) beat you to that one a long time ago.

Daryl


Re: installing sanesecurity

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> > Darly posted a very similar rule to this a while ago, triggering on the
> > strange cid- prefix in the live spaces URI. You can use that just as
> > well.
> 
> Thanks I will give that rule a shot and check out the earlier post by Darly.

Whoops. :)  Daryl C. W. O'Shea I mean...  Sorry Daryl. Would that be ok
as a pet-name? ;)


> I appreciate your assistance and your patience.



Re: installing sanesecurity

Posted by Lists <li...@rheel.co.nz>.
Karsten Bräckelmann wrote:
> On Thu, 2008-12-04 at 13:48 +1300, Lists wrote:
>   
>> Karsten Bräckelmann wrote:
>>     
>
>   
>>> What type of *spam* are you referring to that you want to kill by
>>> throwing anti-virus signatures at them? Are all of them phishing or
>>> scam?
>>>
>>> Hey, you said spam. We might be back on-topic, however gray! ;)
>>>       
>> Yeah have been getting lots of variations of: 
>> http://www.pastebin.ca/1275436
>> Quite a lot are getting caught but in saying that a lot are still getting
>> through.
>>     
>
> That one example smells like pure spam to me. Not phish, definitely not
> a scam (though I didn't investigate much).
>
> Funnily enough, the Sanesecurity.Spam.9216 found in the *scam* sigs [1]
> does match. However, it translates to the RE
>   m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
>
> This topic has been beaten to death recently...
>
>
>   
>> Sorry for the 'idiot' questions, it's just that I am a very Windows-based
>> person who is now looking after a Linux system and I struggle at times
>> to get my head around some of the concepts.
>>     
>
> No problem, as long as we're staying on-topic. ;)  Anyway, something
> most new-ish users tend to get wrong is asking the right questions. Why
> didn't you just ask how to catch these, providing an example in the first
> place, rather than asking something strange you *guessed* might help...
>   
Yeah I had done a bit of googling and reading on the list and it seemed 
the sanesecurity for clamav was a good option to try.
I think I will still look into using it at some stage.
> If you want to get your ClamAV on steroids -- sure, go ahead. If you want
> to catch that spam, a trivial SA rule will do.
>
>
> Back to that spam. I assume they are all quite similar in design, text,
> and the spaces.live.com URI?
>
> You can *easily* get the result of that SaneSecurity scam sig in SA.
>
> uri      SANESEC_9216  m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
> score    SANESEC_9216  5.0
> describe SANESEC_9216  SaneSecurity.Spam.9216
>
> There you go. Including a kill-level score for that rule, just like the
> ClamAV third-party sig would have resulted in. Note though that I don't
> advise to use that high a score. (Didn't --lint check the rule either,
> mind you. ;)
>
>
> Darly posted a very similar rule to this a while ago, triggering on the
> strange cid- prefix in the live spaces URI. You can use that just as
> well.
>   
Thanks I will give that rule a shot and check out the earlier post by Darly.
I appreciate your assistance and your patience.
Kate
>
>   
>> Nope didn't mean to send it to you before sorry.
>>     
>
> I asked, because I would have forwarded (parts) to the list anyway. :)
>
>
>   

Re: installing sanesecurity

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-12-04 at 13:48 +1300, Lists wrote:
> Karsten Bräckelmann wrote:

> > What type of *spam* are you referring to that you want to kill by
> > throwing anti-virus signatures at them? Are all of them phishing or
> > scam?
> >
> > Hey, you said spam. We might be back on-topic, however gray! ;)
> 
> Yeah have been getting lots of variations of: 
> http://www.pastebin.ca/1275436
> Quite a lot are getting caught but in saying that a lot are still getting
> through.

That one example smells like pure spam to me. Not phish, definitely not
a scam (though I didn't investigate much).

Funnily enough, the Sanesecurity.Spam.9216 found in the *scam* sigs [1]
does match. However, it translates to the RE
  m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~

This topic has been beaten to death recently...


> Sorry for the 'idiot' questions, it's just that I am a very Windows-based
> person who is now looking after a Linux system and I struggle at times
> to get my head around some of the concepts.

No problem, as long as we're staying on-topic. ;)  Anyway, something
most new-ish users tend to get wrong is asking the right questions. Why
didn't you just ask how to catch these, providing an example in the first
place, rather than asking something strange you *guessed* might help...

If you want to get your ClamAV on steroids -- sure, go ahead. If you want
to catch that spam, a trivial SA rule will do.


Back to that spam. I assume they are all quite similar in design, text,
and the spaces.live.com URI?

You can *easily* get the result of that SaneSecurity scam sig in SA.

uri      SANESEC_9216  m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
score    SANESEC_9216  5.0
describe SANESEC_9216  SaneSecurity.Spam.9216

There you go. Including a kill-level score for that rule, just like the
ClamAV third-party sig would have resulted in. Note though that I don't
advise to use that high a score. (Didn't --lint check the rule either,
mind you. ;)


Darly posted a very similar rule to this a while ago, triggering on the
strange cid- prefix in the live spaces URI. You can use that just as
well.


> Nope didn't mean to send it to you before sorry.

I asked, because I would have forwarded (parts) to the list anyway. :)


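
As an added example (my own code, not Karsten's and not SpamAssassin's), the following Python evaluates the two rule sets from this thread, the PQRTW_4 rawbody/meta rule and the SANESEC_9216 uri rule (joined back onto the single line SpamAssassin requires), against constructed sample bodies, including a minimal meta-expression evaluator and SpamAssassin's default-score convention. The names `parse_rules`, `eval_meta` and `scan` are mine, and the URI extraction is a deliberate simplification of what SpamAssassin really does.

```python
import re

# Rules as posted in the thread, with the wrapped uri rule joined back onto
# one line (SpamAssassin needs each rule on a single line).
RULES_CF = r"""
rawbody  __PQRTW_4_A     m,<a name="\#[pqrtw]{4}">\s*</a>,
rawbody  __PQRTW_4_SPAN  m,<span name="\#[pqrtw]{4}">\s*</span>,
meta     PQRTW_4         __PQRTW_4_A || __PQRTW_4_SPAN
score    PQRTW_4         1.0
uri      SANESEC_9216    m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
score    SANESEC_9216    5.0
"""

# Crude URI extraction; SpamAssassin's own is far more thorough.
URI_RE = re.compile(r'https?://[^\s"\'<>]+')

def parse_rules(text):
    """Parse rawbody/uri/meta/score lines; anything else is ignored."""
    regex_rules, meta_rules, scores = {}, {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith('#'):
            continue
        kind, name, rest = parts
        if kind in ('rawbody', 'uri'):
            # m<delim>pattern<delim>[flags]: a literal '#' must be written \#
            body, _, flags = rest[2:].rpartition(rest[1])
            regex_rules[name] = (kind, re.compile(body, re.I if 'i' in flags else 0))
        elif kind == 'meta':
            meta_rules[name] = rest
        elif kind == 'score':
            scores[name] = float(rest)
    return regex_rules, meta_rules, scores

def eval_meta(expr, hits):
    """Evaluate a meta expression of names, '!', '&&' and '||' (no parentheses)."""
    for disjunct in expr.split('||'):
        satisfied = True
        for atom in disjunct.split('&&'):
            atom = atom.strip()
            negated = atom.startswith('!')
            if (atom.lstrip('!').strip() in hits) == negated:
                satisfied = False
                break
        if satisfied:
            return True
    return False

def scan(raw_body, rules_text=RULES_CF):
    """Run the rules over one message body; return (sorted hit names, total score)."""
    regex_rules, meta_rules, scores = parse_rules(rules_text)
    uris = URI_RE.findall(raw_body)
    hits = set()
    for name, (kind, rx) in regex_rules.items():
        targets = uris if kind == 'uri' else [raw_body]
        if any(rx.search(t) for t in targets):
            hits.add(name)
    for name, expr in meta_rules.items():  # metas evaluated after their subrules
        if eval_meta(expr, hits):
            hits.add(name)
    # '__' subrules never score; SA's default for an unscored rule is 1.0
    total = sum(scores.get(n, 1.0) for n in hits if not n.startswith('__'))
    return sorted(hits), total

# Constructed samples modelled on the thread's description, not real mail.
SPAMPLE = ('<html><body><a name="#pqrw"> </a>My blog: '
           'http://cid-1234abcd.spaces.live.com/blog/cns!1234.entry</body></html>')
HAM = '<html><body><a name="#top"></a>See http://spamassassin.apache.org/</body></html>'
```

`scan(SPAMPLE)` hits both the PQRTW_4 meta and SANESEC_9216 for a total of 6.0, while `scan(HAM)` hits nothing; note that the `#` inside the rawbody patterns has to stay escaped as `\#` in a real .cf file, since an unescaped `#` starts a comment there.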


Re: installing sanesecurity

Posted by mouss <mo...@netoyen.net>.
Lists a écrit :
> mouss wrote:
>> Lists a écrit :
>>  
>>> Karsten Bräckelmann wrote:
>>>    
>>>>> Thank you for the information, I will attempt to get it up and running,
>>>>> have had a huge increase in spam last week or so and just trying to
>>>>> get it under control.
>>>>>             
>>>> What type of *spam* are you referring to that you want to kill by
>>>> throwing anti-virus signatures at them? Are all of them phishing or
>>>> scam?
>>>>
>>>> Hey, you said spam. We might be back on-topic, however gray! ;)
>>>>
>>>>         
>>> Yeah have been getting lots of variations of:
>>> http://www.pastebin.ca/1275436
>>> Quite a lot are getting caught but in saying that a lot are still getting
>>> through.
>>>
>>>     
>>
>> in your postfix, add
>>     reject_rbl_client zen.spamhaus.org
>> to your smtpd_recipient_restrictions (after reject_unauth_destination).
>>  
> Thanks, I have added this - does this look up zen.spamhaus.org and match
> against a list there?
> 

this will block mail coming from IPs listed on spamhaus during the smtp
transaction.

$ host 161.69.79.84.zen.spamhaus.org
161.69.79.84.zen.spamhaus.org has address 127.0.0.4


so this IP is in the XBL (it's actually in the CBL, so the host may be
compromised...).

PS. sorry, I forgot to say: check spamhaus site and read their policy.
while I find zen safe (and a lot of people do), you may have a different
opinion or policy. but it definitely blocks a lot of junk.
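
As an added example (my own Python, not mouss's or Postfix's code), this reproduces what the `host` command above is doing: reverse the client's octets, query them under the Zen zone, and decode the 127.0.0.x answer, which is also what `reject_rbl_client` does during the SMTP transaction. The code tables are Spamhaus's documented Zen return codes; `dnsbl_query_name`, `decode_zen_answer`, `lookup` and the constructed `offline_resolver` are names of mine, so it runs without touching real DNS.

```python
import ipaddress
import socket

# Zen return codes as documented by Spamhaus (Zen aggregates SBL, XBL and PBL).
ZEN_CODES = {
    '127.0.0.2': 'SBL (Spamhaus Block List)',
    '127.0.0.3': 'SBL CSS',
    '127.0.0.4': 'XBL (CBL data: exploited or compromised host)',
    '127.0.0.5': 'XBL', '127.0.0.6': 'XBL', '127.0.0.7': 'XBL',
    '127.0.0.9': 'SBL DROP/EDROP',
    '127.0.0.10': 'PBL (ISP maintained)',
    '127.0.0.11': 'PBL (Spamhaus maintained)',
}
# Answers in 127.255.255.0/24 are error signals, not listings; a blind
# "any 127.x.x.x means listed" check would reject mail on these.
ZEN_ERRORS = {
    '127.255.255.252': 'typing error in DNSBL name',
    '127.255.255.254': 'query via public/open resolver, use your own',
    '127.255.255.255': 'excessive query volume',
}

def dnsbl_query_name(ip, zone='zen.spamhaus.org'):
    """Build the lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError('IPv4 only in this helper')
    return '.'.join(reversed(str(addr).split('.'))) + '.' + zone

def decode_zen_answer(answer):
    """Explain one A-record answer from Zen."""
    if answer in ZEN_ERRORS:
        return 'ERROR: ' + ZEN_ERRORS[answer]
    if answer in ZEN_CODES:
        return ZEN_CODES[answer]
    return 'unexpected answer ' + answer

def lookup(ip, resolve=lambda name: socket.gethostbyname_ex(name)[2]):
    """Return decoded Zen answers for ip; [] means not listed (NXDOMAIN)."""
    try:
        answers = resolve(dnsbl_query_name(ip))
    except socket.gaierror:
        return []
    return [decode_zen_answer(a) for a in answers]

# Constructed offline resolver echoing the thread's host(1) output; not real DNS.
CONSTRUCTED_ANSWERS = {'161.69.79.84.zen.spamhaus.org': ['127.0.0.4']}

def offline_resolver(name):
    if name in CONSTRUCTED_ANSWERS:
        return CONSTRUCTED_ANSWERS[name]
    raise socket.gaierror('NXDOMAIN (constructed)')
```

With the default resolver, `lookup('84.79.69.161')` performs the live query; Postfix can be told to act only on specific listing codes with the `reject_rbl_client zen.spamhaus.org=127.0.0.4` form, which keeps the error answers above from being treated as listings.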

Re: installing sanesecurity

Posted by Lists <li...@rheel.co.nz>.
mouss wrote:
> Lists a écrit :
>   
>> Karsten Bräckelmann wrote:
>>     
>>>> Thank you for the information, I will attempt to get it up and running,
>>>> have had a huge increase in spam last week or so and just trying to
>>>> get it under control.
>>>>     
>>>>         
>>> What type of *spam* are you referring to that you want to kill by
>>> throwing anti-virus signatures at them? Are all of them phishing or
>>> scam?
>>>
>>> Hey, you said spam. We might be back on-topic, however gray! ;)
>>>
>>>   
>>>       
>> Yeah have been getting lots of variations of:
>> http://www.pastebin.ca/1275436
>> Quite a lot are getting caught but in saying that a lot are still getting
>> through.
>>
>>     
>
> in your postfix, add
> 	reject_rbl_client zen.spamhaus.org
> to your smtpd_recipient_restrictions (after reject_unauth_destination).
>   
>
Thanks, I have added this - does this look up zen.spamhaus.org and match 
against a list there?


Re: installing sanesecurity

Posted by mouss <mo...@netoyen.net>.
Lists a écrit :
> Karsten Bräckelmann wrote:
>>> Thank you for the information, I will attempt to get it up and running,
>>> have had a huge increase in spam last week or so and just trying to
>>> get it under control.
>>>     
>>
>> What type of *spam* are you referring to that you want to kill by
>> throwing anti-virus signatures at them? Are all of them phishing or
>> scam?
>>
>> Hey, you said spam. We might be back on-topic, however gray! ;)
>>
>>   
> Yeah have been getting lots of variations of:
> http://www.pastebin.ca/1275436
> Quite a lot are getting caught but in saying that a lot are still getting
> through.
> 

in your postfix, add
	reject_rbl_client zen.spamhaus.org
to your smtpd_recipient_restrictions (after reject_unauth_destination).

> Sorry for the 'idiot' questions, it's just that I am a very Windows-based
> person who is now looking after a Linux system and I struggle at times
> to get my head around some of the concepts.
> 
> Thanks for your help
> Kate
> 
> Nope didn't mean to send it to you before sorry.


Re: installing sanesecurity

Posted by Lists <li...@rheel.co.nz>.
Karsten Bräckelmann wrote:
>> Thank you for the information, I will attempt to get it up and running,
>> have had a huge increase in spam last week or so and just trying to 
>> get it under control.
>>     
>
> What type of *spam* are you referring to that you want to kill by
> throwing anti-virus signatures at them? Are all of them phishing or
> scam?
>
> Hey, you said spam. We might be back on-topic, however gray! ;)
>
>   
Yeah have been getting lots of variations of: 
http://www.pastebin.ca/1275436
Quite a lot are getting caught but in saying that a lot are still getting
through.

Sorry for the 'idiot' questions, it's just that I am a very Windows-based
person who is now looking after a Linux system and I struggle at times
to get my head around some of the concepts.

Thanks for your help
Kate

Nope didn't mean to send it to you before sorry.

Re: installing sanesecurity

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-12-04 at 12:43 +1300, Lists wrote:
> Arthur Dent wrote:

> > The best thing to do is to download the script, put it somewhere where
> > the user that will run it (possibly "clamav") has read + execute access,
> > (I created a /home/clamav/ directory) and then try running it manually
> > first. If it works it will download the extra files needed by Clamav for
> > the spam and phishing sigs.
> 
> So if the manual run works it will download everything needed and clam 
> will know its there and to use it?

Depends.  Come on, Kate, have a look at the scripts. As I briefly
mentioned before, they are intended to be read (at least those I ever
had a look at include their own full docs) and *configured*.

The latter is important. If it isn't configured according to *your*
ClamAV setup, it can't possibly do anything. If and how the script or
your cron job will have to poke clamd (you're running that, aren't you?)
again, depends.

> Also will it add info to the headers of the email so that I can  check 
> which emails are being hit by the plugin?

No, "it" doesn't.

It's third-party signatures. ClamAV uses them, if configured properly.
Whatever adds headers *now* will do so for third-party sigs just as
well.

Wait -- what "plugin" are you talking about?


/me mumbles something about "wrong list" and "should have included TM
    hints" according to some recent post on that other list...



Re: installing sanesecurity

Posted by Lists <li...@rheel.co.nz>.
Arthur Dent wrote:
> On Thu, Dec 04, 2008 at 09:49:23AM +1300, Lists wrote:
>   
>> Hi all,
>>
>> I am wanting to implement the sanesecurity addins to clamav but I am a
>> bit lost.
>> I am running CentOS5 MailScanner Spamassassin ClamAV
>>
>> Do I download the download scripts from  
>> http://www.sanesecurity.com/clamav/usage.htm
>> or do I go to the downloads page? (they seem to be different)
>>
>> Once I have downloaded them I rename them to .sh then I run it and it  
>> installs itself including the cron job?
>>
>> Is this correct - I feel I may be missing a few things.
>>
>> Thanks
>> Kate
>>     
>
> The best thing to do is to download the script, put it somewhere where
> the user that will run it (possibly "clamav") has read + execute access,
> (I created a /home/clamav/ directory) and then try running it manually
> first. If it works it will download the extra files needed by Clamav for
> the spam and phishing sigs.
>   
So if the manual run works it will download everything needed and clam 
will know its there and to use it?
Also will it add info to the headers of the email so that I can check
which emails are being hit by the plugin?
> If the manual run works without errors, then add it to your (root's)
> crontab (unless you want to put in cron.daily).
>
> # crontab -e
> [puts you into your default editor - in my case vim - if you have vim
> too do the following - otherwise you'll have to find out how your editor
> works]
> i 
> [to go into insert mode]
> 17 2 * * * /home/clamav/update_sanesecurity.sh
> [this creates a cron job that will run at 17 minutes past 2 every night]
> press Escape and then 
> :wq
> [ie colon then w(rite) and q(uit) - this saves the crontab file]
>
> You should now be all set to receive daily SaneSecurity updates...
>
> HTH
>
> AD
>
>   
Thanks, am looking forward to getting this up and running.

Kate

Re: installing sanesecurity

Posted by Arthur Dent <mi...@blueyonder.co.uk>.
On Thu, Dec 04, 2008 at 09:49:23AM +1300, Lists wrote:
> Hi all,
>
> I am wanting to implement the sanesecurity addins to clamav but I am a
> bit lost.
> I am running CentOS5 MailScanner Spamassassin ClamAV
>
> Do I download the download scripts from  
> http://www.sanesecurity.com/clamav/usage.htm
> or do I go to the downloads page? (they seem to be different)
>
> Once I have downloaded them I rename them to .sh then I run it and it  
> installs itself including the cron job?
>
> Is this correct - I feel I may be missing a few things.
>
> Thanks
> Kate

The best thing to do is to download the script, put it somewhere where
the user that will run it (possibly "clamav") has read + execute access,
(I created a /home/clamav/ directory) and then try running it manually
first. If it works it will download the extra files needed by Clamav for
the spam and phishing sigs.

If the manual run works without errors, then add it to your (root's)
crontab (unless you want to put in cron.daily).

# crontab -e
[puts you into your default editor - in my case vim - if you have vim
too do the following - otherwise you'll have to find out how your editor
works]
i 
[to go into insert mode]
17 2 * * * /home/clamav/update_sanesecurity.sh
[this creates a cron job that will run at 17 minutes past 2 every night]
press Escape and then 
:wq
[ie colon then w(rite) and q(uit) - this saves the crontab file]

You should now be all set to receive daily SaneSecurity updates...

HTH

AD