A lot of PDF spam is arriving in my mailbox and Maia can't detect it. After googling, I found a HowtoForge article, "Filtering PDF-/XLS-/Image-Spam With ClamAV (And ISPConfig) On Debian/Ubuntu".
I wanted to try it on FreeBSD, so after reading the last section I tried updating the script.
I changed two lines, as suggested, to match the ClamAV installation on FreeBSD 6.2:
clam_sigs="/var/db/clamav/"
clam_user="vscan"
Run the script:
jedimaster# sh ss-msrbl.sh
=================================
SaneSecurity SCAM Database Update
=================================
curl: not found
My bad, installing curl first 🙂
jedimaster# cd /usr/ports/ftp/curl && make install
jedimaster# whereis curl
curl: /usr/local/bin/curl /usr/local/man/man1/curl.1.gz /usr/ports/ftp/curl
Try again:
jedimaster# sh ss-msrbl.sh
=================================
SaneSecurity SCAM Database Update
=================================
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 118k 100 118k 0 0 13903 0 0:00:08 0:00:08 --:--:-- 56093
==================================
SaneSecurity PHISH Database Update
==================================
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 180k 100 180k 0 0 26849 0 0:00:06 0:00:06 --:--:-- 62900
==========================
MSRBL SPAM Database Update
==========================
Number of files: 1
Number of files transferred: 1
Total file size: 228436 bytes
Total transferred file size: 228436 bytes
Literal data: 228436 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 101
Total bytes received: 228579
sent 101 bytes received 228579 bytes 26903.53 bytes/sec
total size is 228436 speedup is 1.00
mv: illegal option -- u
usage: mv [-f | -i | -n] [-v] source target
mv [-f | -i | -n] [-v] source ... directory
===========================
MSRBL IMAGE Database Update
===========================
Number of files: 1
Number of files transferred: 1
Total file size: 520896 bytes
Total transferred file size: 520896 bytes
Literal data: 520896 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 103
Total bytes received: 521077
sent 103 bytes received 521077 bytes 45320.00 bytes/sec
total size is 520896 speedup is 1.00
mv: illegal option -- u
usage: mv [-f | -i | -n] [-v] source target
mv [-f | -i | -n] [-v] source ... directory
jedimaster#
The Linux man page for mv describes the -u option:
-u, --update
move only when the SOURCE file is newer than the destination file or when the destination file is missing
On FreeBSD, the mv man page lists these options:
-f Do not prompt for confirmation before overwriting the destination
path. (The -f option overrides any previous -i or -n options.)
-i Cause mv to write a prompt to standard error before moving a file
that would overwrite an existing file. If the response from the
standard input begins with the character `y' or `Y', the move is
attempted. (The -i option overrides any previous -f or -n
options.)
-n Do not overwrite an existing file. (The -n option overrides any
previous -f or -i options.)
-v Cause mv to be verbose, showing files after they are moved.
I updated the script manually to remove -u and tried again:
jedimaster# sh ss-msrbl.sh
=================================
SaneSecurity SCAM Database Update
=================================
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
==================================
SaneSecurity PHISH Database Update
==================================
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
==========================
MSRBL SPAM Database Update
==========================
Number of files: 1
Number of files transferred: 0
Total file size: 228436 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 79
Total bytes received: 73
sent 79 bytes received 73 bytes 23.38 bytes/sec
total size is 228436 speedup is 1502.87
===========================
MSRBL IMAGE Database Update
===========================
Number of files: 1
Number of files transferred: 0
Total file size: 520896 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 81
Total bytes received: 75
sent 81 bytes received 75 bytes 28.36 bytes/sec
total size is 520896 speedup is 3339.08
jedimaster#
Great
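Removing -u makes the move unconditional, even on runs like the second one above where nothing new was transferred. As an added example (not from this post or the HowtoForge script, whose mv line is not shown here), a portable sh function that replaces a signature file only when the download differs, installs it atomically, and reports whether anything changed so the caller knows when clamd needs a restart. The function name, return codes and the file name in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: portable stand-in for GNU "mv -u" that works with FreeBSD's mv.
#
# install_if_changed SRC DST
#   returns 0  DST was created or replaced (clamd should reload)
#   returns 1  DST already has the same content, nothing done
#   returns 2  error: SRC missing or empty, or the copy failed
install_if_changed() {
    src=$1
    dst=$2

    # A missing or zero-byte download (failed fetch) must never replace
    # a working signature database.
    [ -s "$src" ] || return 2

    # Same bytes already installed: leave DST and its mtime alone.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi

    # Copy to a temp file in the destination directory, then rename.
    # A rename within one filesystem is atomic, so clamd never loads a
    # half-written database. mktemp creates the file mode 600, so widen
    # it to 644 for the scanner user (chown to $clam_user needs root and
    # is left to the caller).
    tmp=$(mktemp "${dst}.XXXXXX") || return 2
    if cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Usage inside an update script (file name is hypothetical):
#   if install_if_changed "$tmp_dir/example.ndb" "${clam_sigs}example.ndb"; then
#       /usr/local/etc/rc.d/clamav-clamd restart
#   fi
```

Comparing content with cmp rather than timestamps avoids depending on the non-POSIX -nt test and on the download tool preserving mtimes.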
Time to test with a PDF spam mail: I sent a sample from the spam folder of my Gmail account to my alamsyah account at rasyid.net.
First attempt, wait ...
The email arrived successfully 🙂
Damn, I forgot to restart ClamAV 😉
jedimaster# /usr/local/etc/rc.d/clamav-clamd restart
Stopping clamav_clamd.
Waiting for PIDS: 50316.
Starting clamav_clamd.
Trying to send the email again from Gmail.
Nothing appears in my webmail. Good... good.
See the maillog:
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) Checking: [209.85.132.246] <[email protected]> -> <[email protected]>
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p004 1 Content-Type: multipart/mixed
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p005 1/1 Content-Type: multipart/alternative
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p001 1/1/1 Content-Type: text/plain, size: 141 B, name:
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p002 1/1/2 Content-Type: text/html, size: 331 B, name:
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p003 1/2 Content-Type: application/pdf, size: 28933 B, name: Email.pdf
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) ask_av (ClamAV-clamd):
/var/amavisd/tmp/amavis-20070728T155831-32083/parts INFECTED: Email.Stk.Gen592.Sanesecurity.07071801.pdf
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) virus_scan: (Email.Stk.Gen592.Sanesecurity.07071801.pdf), detected by 1
scanners: ClamAV-clamd
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) Virus Email.Stk.Gen592.Sanesecurity.07071801.pdf matches (?-xism:.*),
sender addr ignored
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) Blocked INFECTED (Email.Stk.Gen592.Sanesecurity.07071801.pdf),
[209.85.132.246] [209.85.132.246] <[email protected]> -> <[email protected]>, Message-ID:
<[email protected]>, Hits: -, 747 ms
Perfect, ClamAV blocked it.
Cron time 😉