Setup Sanesecurity Signatures to Combat PDF spam

suhasingale
Posts: 298
Joined: Mon Nov 13, 2006 2:30 pm
Location: India

Postby suhasingale » Fri Aug 03, 2007 10:45 am

Hi,

Here is a small step-by-step howto on integrating sanesecurity's clamav signatures to combat PDF spam emails. It also catches many other phishing and spam emails.

Code:

Log in to the server via ssh and run the following commands.

mailcleaner:/#cd /

mailcleaner:/#mkdir sanesecurity

mailcleaner:/#cd sanesecurity

mailcleaner:/sanesecurity#apt-get install curl rsync

mailcleaner:/sanesecurity#wget http://www.sanesecurity.co.uk/clamav/unofficial-sigs.txt

mailcleaner:/sanesecurity#mv unofficial-sigs.txt ss-msrbl.sh

mailcleaner:/sanesecurity#vi ss-msrbl.sh

Make the changes given below.

-> Add "/usr/clamav/bin" in the PATH

Make the changes to the following lines. It should look like this.

clamd="/usr/clamav/sbin/clamd"
clamscan="/usr/clamav/bin/clamscan"

clam_sigs="/var/mailcleaner/spool/clamav/"
clam_user="clamav"

mailcleaner:/sanesecurity#chmod 755 ss-msrbl.sh

mailcleaner:/sanesecurity#sh ss-msrbl.sh

-> The next command will add the script in hourly cron.

mailcleaner:/# echo "00 * * * * root /sanesecurity/ss-msrbl.sh > /dev/null 2>&1" >> /etc/crontab

-> The following command will help you to know if it's really working for you.

mailcleaner:/# cat /var/mailcleaner/log/mailscanner/infolog | grep Sanesecurity



Last edited by suhasingale on Thu Sep 06, 2007 11:13 am, edited 3 times in total.
Promise only what you can deliver...
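
A pre-flight check for the MailCleaner-specific values this thread says have to be adapted before the updater is run or put in cron (clamscan path, clamd pid file, signature directory, clamav user, and the cron entry), added here as an example; it is not part of suhasingale's post or of the Sanesecurity/MSRBL script. The path defaults are the ones quoted in the thread; the function names, the assumption that the updater signals clamd via the pid file, and the duplicate-cron-entry check are mine.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post or the Sanesecurity/MSRBL
# script) for the MailCleaner-specific values the thread says must be edited.
# Defaults are the paths quoted in the thread; set the variables before calling
# check_env to test another layout.
CLAMSCAN="${CLAMSCAN:-/usr/clamav/bin/clamscan}"
CLAMD_PID="${CLAMD_PID:-/var/mailcleaner/run/clamd/clamd.pid}"
CLAM_SIGS="${CLAM_SIGS:-/var/mailcleaner/spool/clamav/}"
CLAM_USER="${CLAM_USER:-clamav}"
CRONTAB="${CRONTAB:-/etc/crontab}"
UPDATER="${UPDATER:-/sanesecurity/ss-msrbl.sh}"

# Prints one line per problem; the return value is the number of problems (0 = ready).
check_env() {
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # clamscan must exist, and its directory must be in PATH (the thread adds it).
    bindir=$(dirname "$CLAMSCAN")
    [ -x "$CLAMSCAN" ] || fail "clamscan not executable: $CLAMSCAN"
    case ":$PATH:" in
        *":$bindir:"*) ;;
        *) fail "$bindir is not in PATH" ;;
    esac

    # The pid file must name a live clamd (assumed: the updater signals it to
    # reload after a download, which is why nikod had to correct this path).
    pid=$(cat "$CLAMD_PID" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || fail "no running clamd behind $CLAMD_PID"

    # Signature directory and the user the databases are handed to.
    [ -d "$CLAM_SIGS" ] || fail "signature directory missing: $CLAM_SIGS"
    id "$CLAM_USER" >/dev/null 2>&1 || fail "user $CLAM_USER does not exist"

    # Exactly one cron entry: running the 'echo >> /etc/crontab' step twice
    # leaves two, and the updater then runs twice an hour.
    n=$(grep -Fc "$UPDATER" "$CRONTAB" 2>/dev/null || true)
    case "${n:-0}" in
        0) fail "no cron entry for $UPDATER in $CRONTAB" ;;
        1) ;;
        *) fail "$n cron entries for $UPDATER in $CRONTAB (duplicates)" ;;
    esac

    return "$problems"
}
# Stand-alone use: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    check_env && echo "OK: ready to run $UPDATER"
fi
```

Run it as root on the MailCleaner box after editing the updater's variables and before adding the cron line; every PROBLEM line corresponds to one of the edits the thread says must be made.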
Some_Bored_Dude
Posts: 22
Joined: Sun Dec 17, 2006 3:32 am
Location: Albany, WA, AU

Postby Some_Bored_Dude » Sun Aug 05, 2007 1:01 pm

I have applied this to my mailcleaner server. So far so good. I'm waiting on feedback from some clients on whether it's helping. So far, I can see results! Nice work!
-----
If you are afraid to try something, chances are you will never learn a thing.
Lars
Posts: 4
Joined: Thu May 10, 2007 10:57 pm
Location: Germany

Postby Lars » Mon Aug 06, 2007 12:19 am

Thanks for this cool tip!
Klug
Posts: 126
Joined: Fri Nov 17, 2006 1:19 pm

Postby Klug » Mon Aug 06, 2007 8:15 am

And for those who did not check carefully, the script used actually downloads signatures not only from SaneSecurity but also from MSRBL.
suhasingale
Posts: 298
Joined: Mon Nov 13, 2006 2:30 pm
Location: India

Postby suhasingale » Mon Aug 06, 2007 12:14 pm

Klug wrote: And for those who did not check carefully, the script used actually downloads signatures not only from SaneSecurity but also from MSRBL.

Yes, you are right!
Promise only what you can deliver...
Freek
Posts: 64
Joined: Tue Oct 31, 2006 6:22 am
Location: Arnhem, the Netherlands

Postby Freek » Tue Aug 07, 2007 6:52 am

I installed the whole lot and when I run ss-msrbl.sh it works fine (as far as I can see).

Code:

=================================
SaneSecurity SCAM Database Update
=================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

==================================
SaneSecurity PHISH Database Update
==================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

==========================
MSRBL SPAM Database Update
==========================

Number of files: 1
Number of files transferred: 0
Total file size: 229231 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 80
Total bytes received: 73

sent 80 bytes  received 73 bytes  61.20 bytes/sec
total size is 229231  speedup is 1498.24

===========================
MSRBL IMAGE Database Update
===========================

Number of files: 1
Number of files transferred: 1
Total file size: 146838 bytes
Total transferred file size: 146838 bytes
Literal data: 1238 bytes
Matched data: 145600 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 1364
Total bytes received: 2195

sent 1364 bytes  received 2195 bytes  2372.67 bytes/sec
total size is 146838  speedup is 41.26



But when I cat the infolog, no entries for Sanesecurity can be found.

Any ideas?
****************************
* Mondays are the potholes of life *
****************************
suhasingale
Posts: 298
Joined: Mon Nov 13, 2006 2:30 pm
Location: India

Postby suhasingale » Wed Aug 08, 2007 9:39 am

Freek wrote: I installed the whole lot and when I run ss-msrbl.sh it works fine (as far as I can see).

But when I cat the infolog, no entries for Sanesecurity can be found.

Any ideas?

Use the following command to scan any of your spam folders. See if clamav detects any viruses using sanesecurity's sigs.

Code:

mailcleaner:~#/usr/clamav/bin/clamscan /path/to/spam
Promise only what you can deliver...
Freek
Posts: 64
Joined: Tue Oct 31, 2006 6:22 am
Location: Arnhem, the Netherlands

Postby Freek » Wed Aug 08, 2007 1:55 pm

It seems I was a little too hasty; the messages appeared after a short while when the PDFs started coming in.

Thanks for the great tool suhasingale!
****************************
* Mondays are the potholes of life *
****************************
nikod
Posts: 4
Joined: Tue Sep 04, 2007 3:01 pm
Location: Toronto, Ontario, Canada

Postby nikod » Tue Sep 04, 2007 3:09 pm

These instructions look really straightforward so I thought I would give them a try.

The command

wget http://www.sanesecurity.co.uk/clamav/ss-msrbl.sh

fails with a 404 file not found error.

It seems the ss-msrbl.sh is gone and has likely been replaced with an updated script (unofficial-sigs.sh).

Has anyone tested this updated script yet and got it working?
suhasingale
Posts: 298
Joined: Mon Nov 13, 2006 2:30 pm
Location: India

Postby suhasingale » Wed Sep 05, 2007 9:37 am

nikod wrote: These instructions look really straightforward so I thought I would give them a try.

The command

wget http://www.sanesecurity.co.uk/clamav/ss-msrbl.sh

fails with a 404 file not found error.

It seems the ss-msrbl.sh is gone and has likely been replaced with an updated script (unofficial-sigs.sh).

Has anyone tested this updated script yet and got it working?

URL fixed above... Can you try it now?

Let me know if everything works properly for you.
Promise only what you can deliver...
nikod
Posts: 4
Joined: Tue Sep 04, 2007 3:01 pm
Location: Toronto, Ontario, Canada

Postby nikod » Wed Sep 05, 2007 11:57 am

Sorry, but that URL looks the same and still doesn't work.
suhasingale
Posts: 298
Joined: Mon Nov 13, 2006 2:30 pm
Location: India

Postby suhasingale » Wed Sep 05, 2007 2:14 pm

nikod wrote: Sorry, but that URL looks the same and still doesn't work.

Have you tried this step?

mailcleaner:/sanesecurity#wget http://www.sanesecurity.co.uk/clamav/Up ... curity.txt
Promise only what you can deliver...
nikod
Posts: 4
Joined: Tue Sep 04, 2007 3:01 pm
Location: Toronto, Ontario, Canada

Postby nikod » Wed Sep 05, 2007 6:43 pm

I couldn't find the lines you suggested to modify in the

http://www.sanesecurity.co.uk/clamav/Up ... curity.txt

so I tried using

http://www.sanesecurity.co.uk/clamav/un ... l-sigs.txt

I also had to modify the line

clamd_pid="/var/run/clamd/clamd.pid"

to say:

clamd_pid="/var/mailcleaner/run/clamd/clamd.pid"

The script seems to run without error so now I am just scanning my logs waiting to see if it works.
suhasingale
Posts: 298
Joined: Mon Nov 13, 2006 2:30 pm
Location: India

Postby suhasingale » Thu Sep 06, 2007 11:22 am

nikod wrote:I couldn't find the lines you suggested to modify in the

http://www.sanesecurity.co.uk/clamav/Up ... curity.txt

so I tried using

http://www.sanesecurity.co.uk/clamav/un ... l-sigs.txt

I also had to modify the line

clamd_pid="/var/run/clamd/clamd.pid"

to say:

clamd_pid="/var/mailcleaner/run/clamd/clamd.pid"

The script seems to run without error so now I am just scanning my logs waiting to see if it works.


I have updated the URL in the steps...

Hope this is perfect now.
Promise only what you can deliver...
JCasale
Posts: 6
Joined: Thu Oct 11, 2007 4:02 am

Postby JCasale » Fri Oct 12, 2007 1:19 pm

Hi guys,
I did not manually create the clam user and clam group, was this needed?
I am new to Linux and not even sure how to do this :)

When I run the script I get the following:

*** SCRIPT CONFIGURATION HAS NOT BEEN COMPLETED ***
Please review and configure the 'USER EDIT SECTION' of the script.
Once the user configuration section is complete, rerun the script.


Thanks
