MDLog:/sysadmin

The Journal Of A Linux Sysadmin

Filter Out Scam and Phishing Emails Using SaneSecurity Clamav Signatures


Clamav is probably the most popular open source antivirus software for Linux. At this time it contains 153727 signatures that detect most viruses, and the signatures are updated regularly, which allows many mail servers to filter out the viruses before they even reach the users' mailboxes.

This post will show how easy it is to install and use SaneSecurity's third-party Clamav signatures to extend Clamav's built-in antivirus protection with scam and phishing filtering. This can be very useful, as these types of emails can be hard to detect with common antispam rules (SpamAssassin, for example) - like the latest PDF spams, or phishing mails that are not always easy to detect. These will be filtered out directly by Clamav, which normally runs before the antispam measures.

These rules are provided and maintained by SaneSecurity and are used by more and more people, including specialized companies: Barracuda Networks, for instance, appears to be using SaneSecurity's signature databases in its Barracuda Spam Firewall.

The installation and usage is very simple:

  1. We can manually download the SaneSecurity Phishing Signatures and SaneSecurity Scam Signatures from their download page, drop them in the clamav signatures folder (normally /var/lib/clamav, but check your clamd.conf for your DatabaseDirectory location) and they will be used right away (if you are using clamd it will need a reload to be notified of the db changes, or wait for the SelfCheck timer to expire and it will do that automatically).

  2. We can use one of the several scripts from their usage page to download the signatures initially and then keep them updated regularly using cron.

Normally we would want the second option, as we will always have the latest SaneSecurity rules. Check out the usage page and choose the script you think is best for you. Personally I have used script number 2, by Bill Landry, which downloads the SaneSecurity Phish/Scam databases, the MSRBL databases and SecuriteInfo's unofficial malware database.

Note: the script depends on rsync and curl to download the signature updates, so make sure you have them installed.

cd /etc/clamav/
wget http://www.sanesecurity.com/clamav/ss-msrbl.txt
mv ss-msrbl.txt ss-msrbl.sh
chmod +x ss-msrbl.sh

The script requires little customization and might even work with the defaults. Open it in a text editor and take a look at the following options:

# Set and export program paths.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# Set path to clamd.pid file (see clamd.conf for path location).
# To disable automatic signature database reloading, comment out
# the next line.
clamd_pid=/var/run/clamd/clamd.pid
# Set path to ClamAV signature files location .
clam_sigs="/var/lib/clamav"
# Set ClamD user and group accounts.
clam_user="clamav"
clam_group="clamav"

Make sure that PATH includes the location of clamav's binaries and that clam_user and clam_group are both set to the correct values for your system. Also check the clamd_pid and clam_sigs locations (as noted, comment out clamd_pid if you don't want clamd to be notified of the signature changes). For example, on Debian's clamav installation PidFile is set to /var/run/clamav/clamd.pid by default (check your clamd.conf).

Save the script with your changes and run it for the first time.

/etc/clamav/ss-msrbl.sh

This will fetch the initial dbs and notify clamd of the changes if configured to do so (if not, reload it yourself). You can see the files downloaded:

# ls -l /var/lib/clamav
total 15248
drwxr-xr-x 2 clamav clamav    4096 2007-09-18 09:26 daily.inc
-rw-r--r-- 1 clamav clamav 8189490 2007-07-26 05:13 main.cvd
drwxr-xr-x 2 clamav clamav    4096 2007-09-18 06:45 main.inc
-rw------- 1 clamav clamav    1248 2007-09-18 09:26 mirrors.dat
-rw-r--r-- 1 clamav clamav  105497 2007-09-18 09:00 MSRBL-Images.hdb
-rw-r--r-- 1 clamav clamav  107509 2007-09-18 09:13 MSRBL-Images.hdb-bak
-rw-r--r-- 1 clamav clamav  229567 2007-09-18 03:46 MSRBL-SPAM.ndb
-rw-r--r-- 1 clamav clamav  228436 2007-09-18 05:40 MSRBL-SPAM.ndb-bak
-rw-r--r-- 1 clamav clamav 1195964 2007-09-18 05:40 phish.ndb
-rw-r--r-- 1 clamav clamav 1100995 2007-09-18 05:40 phish.ndb-bak
-rw-r--r-- 1 clamav clamav  198315 2007-09-18 03:14 phish.ndb.gz
-rw-r--r-- 1 clamav clamav 3126417 2007-09-18 05:40 scam.ndb
-rw-r--r-- 1 clamav clamav  601183 2007-09-18 05:40 scam.ndb-bak
-rw-r--r-- 1 clamav clamav  445331 2007-09-18 03:14 scam.ndb.gz
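The *-bak files in the listing above are the script keeping each previous database next to the live one. As an added example (not the ss-msrbl.sh script and nothing from SaneSecurity), here is a small POSIX shell script that installs a downloaded signature file the same careful way: it refuses an empty download, keeps the previous copy as <name>-bak, replaces the live file with an atomic rename, and only then signals clamd to reload. SIG_DIR, CLAMD_PID, CLAM_OWNER, install_sig_db and reload_clamd are names chosen here, the defaults are assumptions to adjust for your clamd.conf, and the .ndb line in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the post or of SaneSecurity's ss-msrbl.sh:
# install one downloaded signature database into ClamAV's DatabaseDirectory
# without ever leaving clamd with a truncated or half-written file.
# Usage: ./install-sig.sh /tmp/phish.ndb phish.ndb
# All three settings are assumed defaults (placeholders); override via env.
SIG_DIR="${SIG_DIR:-/var/lib/clamav}"               # DatabaseDirectory in clamd.conf
CLAMD_PID="${CLAMD_PID:-/var/run/clamav/clamd.pid}" # PidFile in clamd.conf
CLAM_OWNER="${CLAM_OWNER:-clamav:clamav}"           # user:group clamd runs as

# install_sig_db <downloaded file> <database file name>
# Returns 0 when the live database was replaced, 2 when the download was
# identical to what is already installed (nothing to do), 1 when the download
# is unusable. The downloaded file is consumed on 0 and 2.
install_sig_db() {
    src="$1"; name="$2"; dst="$SIG_DIR/$name"

    # A missing or zero-byte download must never overwrite a working database:
    # clamd would reload it and silently lose every signature it contained.
    [ -s "$src" ] || { echo "$name: download missing or empty, keeping current db" >&2; return 1; }

    # Unchanged content (constructed test line: "Sanesecurity.Test:0:*:deadbeef"):
    # skip the reload entirely; cmp compares the full contents.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        rm -f "$src"
        return 2
    fi

    # Keep the previous version as <name>-bak, like the listing above, so a bad
    # update can be rolled back by hand with a single mv.
    [ -f "$dst" ] && cp -p "$dst" "$dst-bak"

    # Stage inside SIG_DIR so the final mv is a rename on the same filesystem:
    # clamd sees either the old complete file or the new complete file.
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
    chown "$CLAM_OWNER" "$tmp" 2>/dev/null || true   # needs root; harmless otherwise
    mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 1; }
    rm -f "$src"
    return 0
}

# Ask clamd to re-read its databases. clamd reloads on SIGUSR2; if there is no
# readable pid file we return 1 and leave it to the SelfCheck timer instead.
reload_clamd() {
    [ -r "$CLAMD_PID" ] || return 1
    kill -s USR2 "$(cat "$CLAMD_PID")"
}

# Command-line use: install one file, reload only if it actually changed.
if [ "$#" -eq 2 ]; then
    install_sig_db "$1" "$2" && reload_clamd
fi
```

Run it once per downloaded database after the fetch step of whatever update script you use; because it returns 2 for an unchanged file, clamd is only asked to reload when there is something new to load.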

After this your system is already using the SaneSecurity rules (check your clamav.log and you will soon start to notice Sanesecurity matches), for example:

Tue Sep 18 07:46:13 2007 -> SelfCheck: Database modification detected. Forcing reload.
Tue Sep 18 07:46:13 2007 -> Reading databases from /var/lib/clamav
Tue Sep 18 07:46:32 2007 -> Database correctly reloaded (257945 signatures)
Tue Sep 18 07:46:35 2007 -> stream 1286: Email.Spam.Gen135.Sanesecurity.07012400 FOUND
Tue Sep 18 07:50:37 2007 -> stream 2006: Html.Phishing.Bank.Rockv2Gen77.Sanesecurity.07081806 FOUND
Tue Sep 18 07:51:53 2007 -> stream 1194: Email.Spam.Sanesecurity.Url_8897 FOUND
Tue Sep 18 07:59:47 2007 -> stream 1904: Email.Spam.Gen595.Sanesecurity.07052401 FOUND
Tue Sep 18 08:02:20 2007 -> stream 1078: Email.Stk.Gen671.Sanesecurity.07091600 FOUND
Tue Sep 18 08:14:58 2007 -> stream 2002: MSRBL-Images/3-0-wgMq FOUND

:-) Great! We are already getting results (this log is from a real server of average size - about 1k mails/day).
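Once the matches start showing up it helps to know which signature source they come from and whether one signature is firing unusually often (a single noisy signature is the usual sign of a false positive in a third-party set, and the thing to review before it blocks legitimate mail). The following is an added example, not something from the post or the update script: summarize_found, signatures_for and found_events are names chosen here, and SAMPLE_LOG is constructed after the clamav.log lines above, with an Eicar-Test-Signature line added to stand in for a hit from the official databases.

```shell
#!/bin/sh
# Added example (not from the post): summarise which signature source is
# producing clamd's FOUND events, and list the signatures behind one source.
# Reads clamd log lines on stdin; --demo runs it over the constructed sample.

# Constructed sample, modelled on the log excerpt in the post.
SAMPLE_LOG='Tue Sep 18 07:46:32 2007 -> Database correctly reloaded (257945 signatures)
Tue Sep 18 07:46:35 2007 -> stream 1286: Email.Spam.Gen135.Sanesecurity.07012400 FOUND
Tue Sep 18 07:50:37 2007 -> stream 2006: Html.Phishing.Bank.Rockv2Gen77.Sanesecurity.07081806 FOUND
Tue Sep 18 07:51:53 2007 -> stream 1194: Email.Spam.Sanesecurity.Url_8897 FOUND
Tue Sep 18 08:14:58 2007 -> stream 2002: MSRBL-Images/3-0-wgMq FOUND
Tue Sep 18 08:20:01 2007 -> stream 2010: Eicar-Test-Signature FOUND'

# Emit one "<source> <signature>" line per FOUND event. The signature name is
# the token just before FOUND; the source is inferred from the naming scheme
# seen in the log (".Sanesecurity." infix, "MSRBL-" prefix, anything else).
found_events() {
    awk '/ FOUND$/ {
        sig = $(NF-1)
        if (sig ~ /\.Sanesecurity\./)  src = "sanesecurity"
        else if (sig ~ /^MSRBL-/)      src = "msrbl"
        else                           src = "other"
        print src, sig
    }'
}

# Hits per source, one "<source> <count>" line each, sorted by source name.
summarize_found() {
    found_events | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Distinct signatures from one source, most frequent first, so a signature
# that fires far more than the rest can be reviewed for false positives.
signatures_for() {
    found_events | awk -v want="$1" '$1 == want { n[$2]++ }
        END { for (s in n) print n[s], s }' | sort -rn
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | summarize_found ;;
    ?*)     summarize_found < "$1" ;;   # e.g. ./clam-found-summary.sh /var/log/clamav/clamav.log
esac
```

Point it at the real log (or pipe `grep FOUND clamav.log` into summarize_found) and compare the per-source counts against your daily mail volume; a source that suddenly dominates the totals, or one signature at the top of signatures_for, is where to look first when users report blocked mail.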

If you are satisfied with the results and want to keep using it, there is just one final step: add a crontab entry that executes the script regularly (daily should be fine) to keep the signatures updated.

crontab -e

and add a new cron entry similar to this one:

MM HH * * * /etc/clamav/ss-msrbl.sh

(where you add your own MM - minutes and HH - hour when the script will run; if you downloaded it to a different place, update the location too). For example, 01 4 * * * /opt/ss-msrbl.sh if you downloaded it to /opt and want to run it daily at 4:01am.

Fighting spam is continuous work, and hopefully you will find this addition useful among your antispam blocking tools. Please feel free to leave a comment and share your ideas on how to fight this growing problem.
