Filtering PDF-/XLS-/Image-Spam With ClamAV (And ISPConfig) On Debian/Ubuntu
LinuxSecurity.com: In our never-ending battle against spam, our opponents have decided to play the espionage route and disguise themselves as .pdf and .xls files. This shady tactic has become a trend of its own, resulting in all the recent postings of spam-battling notes. This most recent article provides a how-to on setting up ClamAV to counter these new spam signatures. Get this before THEY come running wild on YOU!
7/25/2007 7:16 AM
Source: HowtoForge - Posted by Eckie Silapaswang (http://www.linuxsecurity.com/content/view/128853?rdf)
Filtering PDF-/XLS-/Image-Spam With ClamAV (And ISPConfig) On Debian/Ubuntu
Version 1.0
Author: Till Brehm <t [dot] brehm [at] projektfarm [dot] com>
Last edited 07/23/2007
There is currently a lot of spam where the spam "information" is attached as .pdf or .xls files, sometimes also hidden inside a .zip file. While these spam mails are not easy to catch with e.g. SpamAssassin or a Bayes filter, the ClamAV virus scanner can catch them easily when it is fed with the correct signatures, as ClamAV is built to scan mail attachments.
The website Sanesecurity (http://sanesecurity.co.uk) provides up-to-date signatures for these types of emails, including image spam. The following guide will show you how to install the spam, phishing, scam and image signatures from sanesecurity.co.uk and MSRBL into your ISPConfig ClamAV installation under Debian or Ubuntu Linux.
If you want to use the Sanesecurity signatures without ISPConfig, have a look at the explanations at the end of the tutorial.
Install Some Prerequisites
apt-get install gzip curl rsync
Now we run the update script to check if the download works:
./sanesecurity_update.sh
The result should look similar to this:
-----------------------------------------------------------------------------
=================================
SaneSecurity SCAM Database Update
=================================
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  116k  100  116k    0     0  65448      0  0:00:01  0:00:01 --:--:--  139k
==================================
SaneSecurity PHISH Database Update
==================================
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  179k  100  179k    0     0   216k      0 --:--:-- --:--:-- --:--:--  216k
==========================
MSRBL SPAM Database Update
==========================
Number of files: 1
Number of files transferred: 1
Total file size: 228436 bytes
Total transferred file size: 228436 bytes
Literal data: 228436 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 101
Total bytes received: 228579

sent 101 bytes  received 228579 bytes  26903.53 bytes/sec
total size is 228436  speedup is 1.00
===========================
MSRBL IMAGE Database Update
===========================
Number of files: 1
Number of files transferred: 1
Total file size: 550503 bytes
Total transferred file size: 550503 bytes
Literal data: 550503 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 103
Total bytes received: 550688

sent 103 bytes  received 550688 bytes  157368.86 bytes/sec
total size is 550503  speedup is 1.00
-----------------------------------------------------------------------------
Now we add the script to the root crontab so that it is run once a day:
crontab -e
Add the following line at the end of the root crontab:
53 04 * * * /usr/bin/sanesecurity_update.sh &> /dev/null
The script is executed at 04:53 AM; please modify the time a bit in your configuration to keep the load low on the download server.
Using Sanesecurity Signatures Without ISPConfig
If you want to use the Sanesecurity signatures without ISPConfig, you will have to customize the download script to match your ClamAV installation.
Download the original script from here:
Edit the following variables to match your installation:
clam_sigs="/var/lib/clamav"
The variable clam_sigs contains the path to the directory where your ClamAV signatures are stored.
clam_user="clamav"
The variable clam_user contains the username under which your ClamAV or clamd is executed.
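As an added example, not part of the tutorial's sanesecurity_update.sh, the following POSIX sh helper shows how a customized update script can use the clam_sigs and clam_user variables safely: a downloaded signature file is only installed when its content changed, it is written under a temporary name and renamed so clamd never loads a half-written database, and an empty download (a failed fetch) is refused rather than overwriting a working signature set. The default paths, the fetch_and_install wrapper and the sample signature line are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the tutorial's sanesecurity_update.sh: install a freshly
# downloaded signature file into the ClamAV signature directory only when its
# content changed. The defaults below are assumptions; match them to your setup.
clam_sigs="${clam_sigs:-/var/lib/clamav}"   # where ClamAV keeps its signatures
clam_user="${clam_user:-clamav}"            # user clamd runs as

# install_sig <downloaded file> <signature dir>
# Prints "updated" if the file replaced (or created) the installed copy,
# "unchanged" if the installed copy is identical; returns 1 on an empty or
# missing download so a failed fetch never wipes a working signature set.
install_sig() {
    src="$1"; dir="$2"; name=$(basename "$src"); dst="$dir/$name"
    if [ ! -s "$src" ]; then
        echo "refusing to install empty or missing file: $src" >&2
        return 1
    fi
    # identical content: nothing to do, and no needless clamd reload
    if [ -f "$dst" ] && [ "$(cksum < "$src")" = "$(cksum < "$dst")" ]; then
        echo unchanged
        return 0
    fi
    # copy under a temporary name, then rename atomically so clamd never
    # reads a partially written database
    cp "$src" "$dst.tmp" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$clam_user" >/dev/null 2>&1; then
        chown "$clam_user" "$dst.tmp"   # only as root, and only if the user exists
    fi
    chmod 644 "$dst.tmp"
    mv "$dst.tmp" "$dst"
    echo updated
}

# fetch_and_install <url> <file name>: download with curl (-f makes HTTP
# errors fail, so an error page is never installed as a signature file),
# install the result, and reload clamd only when something actually changed.
fetch_and_install() {
    url="$1"; name="$2"; tmpdir=$(mktemp -d) || return 1
    if curl -sSf -o "$tmpdir/$name" "$url" &&
       [ "$(install_sig "$tmpdir/$name" "$clam_sigs")" = updated ]; then
        command -v clamdscan >/dev/null 2>&1 && clamdscan --reload
    fi
    rm -rf "$tmpdir"
}
```

Call it as `fetch_and_install "$URL" scam.ndb` for each Sanesecurity or MSRBL database you use, from the same cron entry the tutorial sets up.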
Copyright © 2007 Till Brehm
All Rights Reserved.