Cheap VPS & Xen Server


Residential Proxy Network - Hourly & Monthly Packages

Filtering PDF-/XLS-/Image-Spam With ClamAV (And ISPConfig) On Debian/Ubuntu


There is currently a lot of spam where the spam “information” is attached as .pdf or .xls files, sometime also hidden inside a .zip file. While these spam mails are not easy to catch with e.g. SpamAssassin or a Bayes filter, the ClamAV virus scanner can catch them easily when it is fed with the correct signatures as ClamAV is built to scan mail attachments.

The website Sanesecurity (http://sanesecurity.co.uk) provides up to date signatures for these types of emails including image spam. The following guide will show you how to install the spam, phising, scam and image signatures from sanesecurity.co.uk and MSRBL into your ISPConfig ClamAV installation under Debian or Ubuntu Linux.

If you want to use the Sanesecurity signatures without ISPConfig, have a look at the explanations at the end of the

tutorial.

 

Install Some Prerequisites

apt-get install gzip curl rsync

Now download the update script for the Sansecurity signatures. The original script has been written by Bill Landry and is available here: http://www.sanesecurity.co.uk/clamav/usage.htm. I’ve modified the path variables to suit an ISPConfig installation – the modified script is available here: http://www.ispconfig.org/downloads/scripts/sanesecurity_update.sh.

cd /usr/bin
wget http://www.ispconfig.org/downloads/scripts/sanesecurity_update.sh
chmod +x sanesecurity_update.sh

Now we run the update script to check if the download works:

./sanesecurity_update.sh

The result should look similar to this:

—————————————————————————–
=================================
SaneSecurity SCAM Database Update
=================================

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 116k 100 116k 0 0 65448 0 0:00:01 0:00:01 –:–:– 139k

==================================
SaneSecurity PHISH Database Update
==================================

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 179k 100 179k 0 0 216k 0 –:–:– –:–:– –:–:– 216k

==========================
MSRBL SPAM Database Update
==========================

Number of files: 1
Number of files transferred: 1
Total file size: 228436 bytes
Total transferred file size: 228436 bytes
Literal data: 228436 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 101
Total bytes received: 228579

sent 101 bytes received 228579 bytes 26903.53 bytes/sec
total size is 228436 speedup is 1.00

===========================
MSRBL IMAGE Database Update
===========================

Number of files: 1
Number of files transferred: 1
Total file size: 550503 bytes
Total transferred file size: 550503 bytes
Literal data: 550503 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 103
Total bytes received: 550688

sent 103 bytes received 550688 bytes 157368.86 bytes/sec
total size is 550503 speedup is 1.00

—————————————————————————–

Now we a add the script to the root crontab to be run once a day:

crontab -e

Add the following line at the end of the root crontab:

53 04 * * * /usr/bin/sanesecurity_update.sh &> /dev/null

The script is executed at 04:53 AM, please modify the time a bit in your configuration to keep the load low on the download server.

 

Using Sanesecurity Signatures Without ISPConfig

If you want to use the Sanesecurity signatures without ISPConfig, you will have to customize the download script to match your ClamAV installation.

Download the original script from here:

http://www.sanesecurity.co.uk/clamav/ss-msrbl.sh

Edit the following variables to match your installation:

clam_sigs=”/var/lib/clamav”

The variable clamav_sigs contains the path to the directory where your ClamAV signatures are stored.

clam_user=”clamav”

The variable clam_user contains the username under which your ClamAV or clamd is executed.

Comments

comments