
Using Sanesecurity Phishing and Scam Signatures

If you use ClamAV as one of your virus scanners, you may wish to use some of the signatures published by Sanesecurity as well. These signatures don't detect viruses or other traditional malware; they're designed to detect the most dangerous sorts of spam: phishing attempts, stock and lottery scams, 419 ("Nigerian letter") scams, loan and mortgage scams, diploma scams, and even many image spams.

At first glance, the idea of using a virus scanner to detect spam may seem a bit odd, but analyzing strings of text characters is not much different from looking at strings of bytes in a binary file, and it definitely works. These signatures are not a replacement for a proper spam filter like SpamAssassin, though; they should be used as an extra layer of prevention.

Sanesecurity provides two signature databases: one for phishing attempts and one for scams. I would generally advise using both, as each is quite useful. Installing them is as simple as copying them to wherever your ClamAV databases are stored (e.g. /var/clamav or /var/lib/clamav) and unzipping them. Restart clamd and the new signatures should be picked up automatically.

Keeping the Sanesecurity signatures up to date, of course, requires that you run one of the update scripts suggested here, typically from a daily cron job.

The only Maia-specific change that needs to be made is to your amavisd.conf file, where amavisd-maia needs to be told to submit the full text of the email to the virus scanner, e.g.:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking
  ...
));

Note that while the items these signatures detect are technically "spam", they will show up in the Maia GUI as "viruses" because they were detected by a virus scanner. Future Maia versions will account for this by letting you mark certain virus names (e.g. Email.*, Phish.*, etc.) as spam automatically, so those items will be listed properly in the spam quarantine.
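To make concrete both how a virus scanner matches text strings (as described above) and how virus names like Email.* would be routed to the spam quarantine, here is an added example that is not part of this wiki page or of Maia or Sanesecurity. It parses a few constructed ClamAV .ndb-style signatures (Name:TargetType:Offset:HexSig), scans a constructed message body, and labels each hit as spam or virus; the signatures, names and message are made up, and only the ?? and * wildcards of the hex syntax are handled.

```python
import re
from fnmatch import fnmatch

# Constructed .ndb-style signatures (Name:TargetType:Offset:HexSig); names and
# hex bodies are made up for this example and are not Sanesecurity's.
SAMPLE_NDB = """\
Email.Phishing.Example-1:0:*:76657269667920796f7572206163636f756e74
Email.Scam.Lottery.Example-2:0:*:6c6f747465727920*77696e6e6572
Win.Test.Example-3:0:*:4d5a??0000
"""

# Virus-name patterns the page says should be treated as spam, not malware.
SPAM_NAME_PATTERNS = ("Email.*", "Phish.*")

# Constructed phishing-style message used as scan input.
SAMPLE_MESSAGE = b"Subject: Action required\r\n\r\nPlease verify your account within 24 hours.\r\n"

def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate ClamAV hex-signature syntax into a bytes regex: plain hex
    bytes, '??' (any one byte) and '*' (any run); '{n-m}' forms are not handled."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

def load_ndb(text: str) -> list:
    """Parse .ndb lines into (name, compiled pattern) pairs, skipping comments."""
    sigs = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _target, _offset, hexsig = line.split(":", 3)
            sigs.append((name, hexsig_to_regex(hexsig)))
    return sigs

def scan(data: bytes, sigs: list) -> list:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, rx in sigs if rx.search(data)]

def classify(names: list) -> dict:
    """Label each hit 'spam' or 'virus' by its name, as the Maia GUI plan describes."""
    return {n: "spam" if any(fnmatch(n, p) for p in SPAM_NAME_PATTERNS) else "virus"
            for n in names}
```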



Last modified on May 8, 2008, 3:04:34 PM