ClamAV is probably the most popular open source antivirus software for Linux. At this time it contains 153727 signatures that will detect most viruses, and the signatures are updated regularly, which allows many mail servers to filter out viruses before they even reach the users' mailboxes.
This post will show how easy it is to install and use the SaneSecurity third-party ClamAV signatures to extend the antivirus protection built into ClamAV with scam and phishing filtering. This can be very useful, as these types of emails can be hard to detect with common antispam rules (SpamAssassin, for example), such as the latest PDF spams, or phishing mails that are not always easy to recognize. These will be filtered out directly by ClamAV, which normally runs before the antispam measures.
These rules are provided and maintained by SaneSecurity and are used by more and more people (including specialized companies: Barracuda Networks appears to be using SaneSecurity's signature databases in their Barracuda Spam Firewall).
Installation and usage are very simple; there are two options:
1. We can manually download the SaneSecurity Phishing Signatures and SaneSecurity Scam Signatures from their download page. We can drop them in the ClamAV signatures folder (normally /var/lib/clamav, but check your clamd.conf for your DatabaseDirectory location) and they will be used right away (if you are using clamd, it will need a reload to be notified of the database changes, or wait for the SelfCheck timer to expire and it will do that automatically).
2. We can use one of the several scripts from their usage page to download the signatures initially and then keep them updated regularly using cron.
Normally we would prefer the second option, as we will always have the latest SaneSecurity rules. Check out the usage page and choose the script you think is best for you. Personally I have used script number 2, by Bill Landry, which downloads the SaneSecurity Phish/Scam databases, the MSRBL databases and SecuriteInfo's unofficial malware database.
Note: the script depends on rsync and curl to download the signature updates, so make sure you have them installed.
The script requires little customization and might even work with the defaults. Open the script in a text editor and take a look at the options described below.
Make sure that PATH includes the location of ClamAV's binaries and that clam_user and clam_group are both set to the correct values for your system. Also check the clamd_pid and clam_sigs locations (as noted in the script, comment out clamd_pid if you don't want clamd to be notified of the signature changes). For example, on Debian's ClamAV installation PidFile is set to /var/run/clamav/clamd.pid by default (check your clamd.conf).
Save the script with your changes and run it for the first time.
This will fetch the initial databases and notify clamd of the changes if configured to do so (if not, reload it yourself). You can then list the downloaded files in the database directory.
After this your system is already using the SaneSecurity rules (check your clamav.log and you will soon start to notice Sanesecurity matches there).
:-) Great! We are already getting results (this log is from a real server of average size, about 1k mails/day).
If you are satisfied with the results and want to keep using it, there is just one final step: add a crontab entry to execute the script regularly (daily should be fine) to keep the signatures updated.
Edit your crontab and add a new entry, setting MM (minutes) and HH (hour) to the time when the script should run, and updating the script location if you downloaded it somewhere else. For example, 01 4 * * * /opt/ss-msrbl.sh runs it daily at 4:01am if you downloaded it in /opt.
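As an added example (not the script from the SaneSecurity usage page, nor any ClamAV code), here is the core of what such an update script does once a signature file has been downloaded: read DatabaseDirectory and PidFile from clamd.conf, put the file in place without exposing a half-written database to a SelfCheck reload, and tell clamd to reload. It assumes the clamd.conf path and the already-downloaded file are passed as arguments, and that the running clamd reloads its databases on SIGUSR2.

```shell
#!/bin/sh
# Usage: sh update-sigs.sh /etc/clamav/clamd.conf /tmp/phish.ndb
# (paths above are placeholders; the signature file is assumed to be
# downloaded already, e.g. by the rsync/curl steps of the update script)
set -eu

# Print DatabaseDirectory from clamd.conf; fall back to the usual default.
# Commented-out lines are ignored because their first field starts with '#'.
clam_db_dir() {
    conf="$1"
    dir=$(awk '$1 == "DatabaseDirectory" { print $2 }' "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${dir:-/var/lib/clamav}"
}

# Print PidFile from clamd.conf, or nothing if it is not set (no notification).
clam_pid_file() {
    awk '$1 == "PidFile" { print $2 }' "$1" 2>/dev/null | tail -n 1
}

# Copy one signature file into the database directory. It is written under a
# temporary name and renamed, so clamd never loads a partially written file.
install_sig() {
    src="$1"; dbdir="$2"
    name=$(basename "$src")
    cp "$src" "$dbdir/.$name.tmp"
    chmod 0644 "$dbdir/.$name.tmp"
    mv -f "$dbdir/.$name.tmp" "$dbdir/$name"
}

# Ask a running clamd to reload its databases (SIGUSR2) if a PID file exists;
# otherwise do nothing and let the SelfCheck timer pick the change up.
notify_clamd() {
    pidfile="$1"
    [ -n "$pidfile" ] && [ -r "$pidfile" ] || return 0
    kill -USR2 "$(cat "$pidfile")"
}

# Stand-alone use: install the given file and notify clamd.
if [ "$#" -eq 2 ]; then
    db=$(clam_db_dir "$1")
    install_sig "$2" "$db"
    notify_clamd "$(clam_pid_file "$1")"
fi
```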
Fighting spam is continuous work, and hopefully you will find this addition a useful complement to your antispam tools. Please feel free to leave a comment and share your ideas on how to fight this growing problem.