Using Sanesecurity Signatures for pdf email

A lot of PDF spam arrives in my mailbox and Maia can't detect it. After googling I found a HowtoForge article, Filtering PDF-/XLS-/Image-Spam With ClamAV (And ISPConfig) On Debian/Ubuntu.

I want to try it on FreeBSD; after reading the last section I set out to update the scripts.

I changed two lines as suggested, based on the ClamAV installation on FreeBSD 6.2:

clam_sigs="/var/db/clamav/"

clam_user="vscan"

Run the script:

jedimaster# sh ss-msrbl.sh
=================================
SaneSecurity SCAM Database Update
=================================

curl: not found

My bad, installing curl first:

jedimaster# cd /usr/ports/ftp/curl && make install

jedimaster# whereis curl
curl: /usr/local/bin/curl /usr/local/man/man1/curl.1.gz /usr/ports/ftp/curl
Try again:

jedimaster# sh ss-msrbl.sh
=================================
SaneSecurity SCAM Database Update
=================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  118k  100  118k    0     0  13903      0  0:00:08  0:00:08 --:--:-- 56093

==================================
SaneSecurity PHISH Database Update
==================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  180k  100  180k    0     0  26849      0  0:00:06  0:00:06 --:--:-- 62900

==========================
MSRBL SPAM Database Update
==========================

Number of files: 1
Number of files transferred: 1
Total file size: 228436 bytes
Total transferred file size: 228436 bytes
Literal data: 228436 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 101
Total bytes received: 228579

sent 101 bytes  received 228579 bytes  26903.53 bytes/sec
total size is 228436  speedup is 1.00
mv: illegal option -- u
usage: mv [-f | -i | -n] [-v] source target
       mv [-f | -i | -n] [-v] source ... directory

===========================
MSRBL IMAGE Database Update
===========================

Number of files: 1
Number of files transferred: 1
Total file size: 520896 bytes
Total transferred file size: 520896 bytes
Literal data: 520896 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 103
Total bytes received: 521077

sent 103 bytes  received 521077 bytes  45320.00 bytes/sec
total size is 520896  speedup is 1.00
mv: illegal option -- u
usage: mv [-f | -i | -n] [-v] source target
       mv [-f | -i | -n] [-v] source ... directory

jedimaster#

The Linux mv man page says this about the -u option:

-u, --update
    move only when the SOURCE file is newer than the destination file or when the destination file is missing

The FreeBSD mv man page has no -u at all:

     -f      Do not prompt for confirmation before overwriting the destination
             path.  (The -f option overrides any previous -i or -n options.)

     -i      Cause mv to write a prompt to standard error before moving a file
             that would overwrite an existing file.  If the response from the
             standard input begins with the character `y' or `Y', the move is
             attempted.  (The -i option overrides any previous -f or -n
             options.)

     -n      Do not overwrite an existing file.  (The -n option overrides any
             previous -f or -i options.)

     -v      Cause mv to be verbose, showing files after they are moved.
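Simply dropping -u works, but then every run overwrites the live database even when the download is unchanged or stale. The following is an added example, not the page's script nor the HowtoForge one: a portable sh equivalent of mv -u built on the -nt operator of test(1), which FreeBSD sh and bash both support, reusing the clam_sigs and clam_user settings from above. The clamdscan --reload call for making clamd pick up the new database is an assumption about the host, not something the page shows.

```sh
#!/bin/sh
# Portable replacement for "mv -u SRC DST" as used by ss-msrbl.sh.
# GNU mv -u moves only when SRC is newer than DST or DST is missing;
# FreeBSD mv has no -u, so the same rule is expressed with test(1) -nt.
# Constructed example; the two settings below are the page's FreeBSD values.

clam_sigs="/var/db/clamav/"   # from the page
clam_user="vscan"             # from the page

# update_if_newer SRC DST
#   returns 0 and installs SRC over DST when DST is missing or SRC is newer;
#   returns 1 (and discards the stale download) otherwise;
#   returns 2 if the move itself failed (e.g. permissions).
update_if_newer() {
    src="$1"; dst="$2"
    if [ ! -e "$dst" ] || [ "$src" -nt "$dst" ]; then
        mv -f "$src" "$dst" && return 0
        return 2
    fi
    rm -f "$src"
    return 1
}

# install_sig NAME: install a freshly downloaded NAME into clam_sigs,
# fix ownership so clamd (running as clam_user) can read it, and ask
# clamd to reload only when something actually changed.
# Assumes "clamdscan --reload" exists on this host (assumption, not from the page).
install_sig() {
    name="$1"
    if update_if_newer "./$name" "$clam_sigs$name"; then
        chown "$clam_user" "$clam_sigs$name"
        clamdscan --reload
    fi
}
```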

I updated the script manually to remove -u and tried again:

jedimaster# sh ss-msrbl.sh
=================================
SaneSecurity SCAM Database Update
=================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0

==================================
SaneSecurity PHISH Database Update
==================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0

==========================
MSRBL SPAM Database Update
==========================

Number of files: 1
Number of files transferred: 0
Total file size: 228436 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 79
Total bytes received: 73

sent 79 bytes  received 73 bytes  23.38 bytes/sec
total size is 228436  speedup is 1502.87

===========================
MSRBL IMAGE Database Update
===========================

Number of files: 1
Number of files transferred: 0
Total file size: 520896 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 81
Total bytes received: 75

sent 81 bytes  received 75 bytes  28.36 bytes/sec
total size is 520896  speedup is 3339.08
jedimaster#

Great.

Time to test with a PDF spam mail: I forwarded a sample from the spam folder of my Gmail account to my alamsyah account at rasyid.net.

First attempt, wait...

The email arrived successfully.

Damn, I forgot to restart ClamAV.

jedimaster# /usr/local/etc/rc.d/clamav-clamd restart
Stopping clamav_clamd.
Waiting for PIDS: 50316.
Starting clamav_clamd.

Trying to send the email again from Gmail.

Nothing appeared in my webmail. Good... good.

See the maillog:

Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) Checking: [209.85.132.246] <alamster@gmail.com> -> <alamsyah@rasyid.net>
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p004 1 Content-Type: multipart/mixed
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p005 1/1 Content-Type: multipart/alternative
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p001 1/1/1 Content-Type: text/plain, size: 141 B, name:
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p002 1/1/2 Content-Type: text/html, size: 331 B, name:
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) p003 1/2 Content-Type: application/pdf, size: 28933 B, name: Email.pdf
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) ask_av (ClamAV-clamd): /var/amavisd/tmp/amavis-20070728T155831-32083/parts INFECTED: Email.Stk.Gen592.Sanesecurity.07071801.pdf
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) virus_scan: (Email.Stk.Gen592.Sanesecurity.07071801.pdf), detected by 1 scanners: ClamAV-clamd
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) Virus Email.Stk.Gen592.Sanesecurity.07071801.pdf matches (?-xism:.*), sender addr ignored
Jul 28 17:33:15 jedimaster amavis[32083]: (32083-04) Blocked INFECTED (Email.Stk.Gen592.Sanesecurity.07071801.pdf), [209.85.132.246] [209.85.132.246] <?@an-out-0708.google.com> -> <alamsyah@rasyid.net>, Message-ID: <d7c6b0960707280333h320f4101l3f5a5543c552c3bc@mail.gmail.com>, Hits: -, 747 ms

Perfect, ClamAV blocked it.

Cron time.