[clamav-users] Automated submissions to third party databases?
Joel Esler (jesler)
jesler at cisco.com
Mon Sep 2 22:22:17 UTC 2019
Have you automated their upload to ClamAV.net using clamsubmit?
Sent from my iPhone
> On Sep 2, 2019, at 05:11, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> Hi there,
>
> If you've been paying even scant attention to the list mail you'll
> know that I've been doing some testing, particularly of clamd, when
> it's used for scanning mail.
>
> This is something of a side issue, but I'll throw it into the pot to see
> if anything comes of it.
>
> The testing that I'm doing is for more than one purpose; there's clamd
> itself (that is whether my patched version crashes, or whatever); and
> there's the milter which feeds it. The milter isn't the one supplied
> with ClamAV, it's one of my own written in pure Perl and it needs much
> more thrashing than it's getting at the moment because I need it to be
> reliable. And now, there's this side issue - which might blossom into
> something which I think may be more interesting - the potential for an
> automated submission system for messages which are certainly spam, but
> for which the databases don't have a matching signature. It could go
> well beyond that, but right now I don't want to get ahead of myself.
>
> There seems to be some kind of a spammer campaign at the moment which
> uses IPs from all over the planet to attempt to send much the same
> kind of message. Normally I wouldn't see these messages, they'd be
> rejected at the CONNECT stage after the connecting IP had been found
> in nearly a dozen DNS block lists. But I'm desperate for more traffic
> to test clamd and my milter, so I've configured the milter to allow a
> message which has already triggered a REJECT response to reach all the
> way to End Of Message, so that clamd can scan it. Then, after logging
> the message text, even if clamd says "OK", I'll reject it anyway. If
> nothing else it might slow them down a little. :)
>
> So I'm flagging up quite a few messages which are guaranteed spam, but
> which aren't in any of the third-party databases that I'm using. The
> successes are all 'Sanesecurity.Junk.NNNNN', where 'NNNNN' is usually
> a five-digit number beginning with '5'. The detection success rate is
> in the region of 35% at present, so I'm collecting ~two out of three.
>
> My milter can very easily process these messages, in any way, and then
> send them, or the results of this processing, in any format and by any
> means, to anyone who'd like to have that information. Once set up, it
> could do it all in real time, without manual intervention at my end.
>
> Any takers?
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
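The pipeline Ged describes (a message already rejected at CONNECT is still handed to clamd at End Of Message, the verdict is logged, the message is rejected regardless, and spam that clamd calls "OK" is set aside for submission with clamsubmit, as Joel suggests) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from ClamAV, from Ged's Perl milter, or from anyone on the list. It assumes clamd listens on a Unix socket at /var/run/clamav/clamd.ctl, that clamsubmit's flags are -n (undetected sample), -e (e-mail) and -N (name) as in its usage text, and it uses a constructed sample message and a constructed Sanesecurity.Junk signature name. The clamd wire format it implements is zINSTREAM: the command, then chunks prefixed with a 4-byte big-endian length, terminated by a zero-length chunk, with a NUL-terminated reply.

```python
"""Scan a message over clamd's zINSTREAM protocol and decide whether to queue it for clamsubmit.

Added example for this thread, not ClamAV's or the milter's own code.
Assumptions: clamd Unix socket path, clamsubmit flags -n/-e/-N, constructed sample data.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

CHUNK = 8192  # keep well below clamd's StreamMaxLength (assumed default 25M)
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed path; adjust to your clamd.conf


def instream_frames(data: bytes, chunk: int = CHUNK) -> Iterator[bytes]:
    """Yield the exact bytes of a zINSTREAM session: command, length-prefixed chunks, terminator."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        yield struct.pack(">I", len(piece)) + piece  # 4-byte big-endian length, then payload
    yield struct.pack(">I", 0)  # zero-length chunk ends the stream


def parse_reply(raw: bytes) -> Tuple[str, Optional[str]]:
    """Parse 'stream: <sig> FOUND', 'stream: OK' or 'stream: <msg> ERROR' into (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[: -len(" FOUND")])
    if verdict.endswith(" ERROR"):
        return ("ERROR", verdict[: -len(" ERROR")])
    return ("ERROR", text)  # anything unexpected is treated as a scanner failure


def scan_stream(sock, data: bytes) -> Tuple[str, Optional[str]]:
    """Drive one INSTREAM exchange over any object with sendall()/recv(); reply is NUL-terminated."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return parse_reply(buf)


def scan_with_clamd(data: bytes, path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    """Real scan against a running clamd (not exercised offline)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        return scan_stream(s, data)


@dataclass
class Decision:
    smtp_action: str   # "reject", "accept" or "tempfail"
    submit: bool       # True when the sample should go to clamsubmit
    log: str


def decide(dnsbl_rejected: bool, status: str, detail: Optional[str]) -> Decision:
    """Milter policy from the thread: DNSBL-listed mail is rejected whatever clamd says;
    the interesting case is listed mail that clamd returns as OK (a missed sample)."""
    if status == "FOUND":
        return Decision("reject", False, f"detected {detail}")
    if status == "ERROR":
        # Scanner failure: still reject listed senders, tempfail everyone else so they retry.
        return Decision("reject" if dnsbl_rejected else "tempfail", False, f"clamd error: {detail}")
    if dnsbl_rejected:
        return Decision("reject", True, "guaranteed spam not in any database; queue for submission")
    return Decision("accept", False, "clean")


def clamsubmit_argv(sample_path: str, email: str, name: str) -> list:
    """Command line for an undetected-sample (false negative) submission; -n/-e/-N assumed."""
    return ["clamsubmit", "-n", sample_path, "-e", email, "-N", name]


class FakeSocket:
    """Offline stand-in for clamd so the exchange can be exercised without a daemon."""
    def __init__(self, reply: bytes):
        self.sent = b""
        self.reply = reply
        self.served = False

    def sendall(self, b: bytes) -> None:
        self.sent += b

    def recv(self, n: int) -> bytes:
        if self.served:
            return b""
        self.served = True
        return self.reply


# Constructed sample message and constructed clamd replies (not captured traffic).
SAMPLE = b"Subject: spam\r\n\r\nbuy now"


def demo() -> Decision:
    """Listed sender, clamd says OK: the case that should be queued for clamsubmit."""
    sock = FakeSocket(b"stream: OK\0")
    status, detail = scan_stream(sock, SAMPLE)
    return decide(dnsbl_rejected=True, status=status, detail=detail)


if __name__ == "__main__":
    print(demo())
```

Wiring this into a real milter means replacing `FakeSocket` with `scan_with_clamd()` at End Of Message, writing the raw message to a file when `Decision.submit` is true, and running `subprocess.run(clamsubmit_argv(...))` from a queue rather than inline, so a slow upload never holds the SMTP session open.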