[sanesecurity] Re: Sanesecurity.Jurlbl.5624.UNOFFICIAL matches "com"

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 14 Jul 2009 06:59:29 -0700

sanesecurity@xxxxxxxxxxxx wrote:
> Bill Landry wrote:
> 
>>>>> This signature really scared me...
>>>> Yep, me too.  I've got a really busy schedule right now, but look
>>>> for an
>>>> update to the download script within the next week or so.  As usual, I
>>>> will announce it here...
>>> It would be nice if you could stick something like for example this in
>>> the config file:
>>>
>>> ham_folders = /home/*/Maildir/.Ham/cur/
>>>
>>> Then the script downloads the signature files to a temporary directory,
>>> and runs "clamscan" with the "-d" option to choose the temporary
>>> directory.
>>
>> If you ran the script, you would see that it already does this.
> 
> I've already been through your script. You scan one small test file to
> make sure that the signatures aren't corrupt.
> 
>>> If any of the emails that are scanned are then flagged up as
>>> infected by one of the new signatures you could spit out a fatal warning
>>> and not apply the new sigs.
>>
>> Rather, I am planning to simply strip the signatures that do not meet the
>> user's minimum character requirements and possibly place them into a
>> temporary file for viewing and maybe even log the occurrence to the log
>> file.
> 
> That's not a very good solution. All that does is stop small domains
> being listed. It doesn't stop domains like facebook.com being listed. A
> *much* better solution would be to give the user an option to scan a
> folder(s) of their selection before rolling them out.

Ah, ok, I read your email too quickly, as I saw it just before leaving
work yesterday.  This is actually a good idea, if we had a good variety
of ham to check against.  Sounds like Steve has already taken the
initiative to do this before pushing the signature databases up to the
mirrors.

I'll think about adding the ability to scan a folder of ham after
signature download, as well, and make it configurable.  That way users
can decide if they want to implement post download scanning or not.  I
could even strip signatures that hit on messages in the ham folder
before implementing the database.

Anyway, as soon as I get some time over the next week or so I'll look into
this...

Bill
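The check discussed in this thread, as an added example that is not the Sanesecurity download script or anything from the project: download the signature files to a temporary directory, run clamscan over a ham folder with only those databases loaded, and drop any signature that fires before installing. The directory layout, the helper names, the Maildir paths and the three sample signatures (including a deliberately short "com" one) are all constructed for illustration; the clamscan options used (-r, -i, --no-summary, -d) are real ones.

```shell
#!/bin/sh
# Added example, not the Sanesecurity download script. It implements the
# check discussed above: scan a ham folder with the freshly downloaded
# signature files before installing them, and drop any signature that
# fires on ham. Paths, file names and the sample data are assumptions.

set -u

# Pull signature names out of clamscan output ("path: Name FOUND" lines).
# ClamAV appends .UNOFFICIAL to names from third-party databases, while
# the .ndb files carry the bare name, so the suffix is removed here.
hits_from_report() {
    # $1: file holding clamscan output
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' "$1" | sed 's/\.UNOFFICIAL$//' | sort -u
}

# Print an .ndb database minus every signature named in the hit list.
# .ndb lines are "Name:TargetType:Offset:HexSig"; the name is field 1.
# An empty hit list yields the database unchanged.
strip_hits() {
    # $1: hit list (one name per line), $2: .ndb file
    awk -F: -v hits="$1" '
        BEGIN { while ((getline name < hits) > 0) bad[name] = 1 }
        !($1 in bad)' "$2"
}

# Count non-empty lines (used for the "stripped N signatures" log line).
count_lines() {
    grep -c . "$1" || true
}

# Constructed sample data: a clamscan report (without -i) over two ham
# messages and a three-signature .ndb in which Jurlbl.5624 is the short
# "com" signature. The hex bodies are made up, not real signatures.
write_samples() {
    # $1: directory to populate
    cat > "$1/report" <<'EOF'
/home/alice/Maildir/.Ham/cur/1247501234.M1P5:2,S: Sanesecurity.Jurlbl.5624.UNOFFICIAL FOUND
/home/alice/Maildir/.Ham/cur/1247502345.M2P5:2,S: OK
EOF
    cat > "$1/jurlbl.ndb" <<'EOF'
Sanesecurity.Jurlbl.5623:0:*:687474703a2f2f6261642e6578616d706c652e6e65742f
Sanesecurity.Jurlbl.5624:0:*:636f6d
Sanesecurity.Jurlbl.5625:0:*:687474703a2f2f6d616c2e6578616d706c652e6f72672f
EOF
}

# Full flow for a real run: scan ham with the candidate databases only
# (-d points clamscan at the temp dir, so the installed dbs are not used),
# strip whatever fires, log the count, then install. Needs clamscan.
vet_and_install() {
    # $1: dir of candidate .ndb files, $2: ham dir, $3: install dir
    work=$(mktemp -d)
    clamscan -r -i --no-summary -d "$1" "$2" > "$work/report" 2>/dev/null
    hits_from_report "$work/report" > "$work/hits"
    for db in "$1"/*.ndb; do
        name=$(basename "$db")
        strip_hits "$work/hits" "$db" > "$work/$name"
        echo "$name: stripped $(( $(count_lines "$db") - $(count_lines "$work/$name") )) signature(s)"
        cp "$work/$name" "$3/"
    done
    rm -rf "$work"
}

# Stand-alone demo on the constructed data (no clamscan needed).
demo=$(mktemp -d)
write_samples "$demo"
hits_from_report "$demo/report" > "$demo/hits"
strip_hits "$demo/hits" "$demo/jurlbl.ndb" > "$demo/jurlbl.clean.ndb"
echo "hits on ham: $(cat "$demo/hits")"
echo "kept $(count_lines "$demo/jurlbl.clean.ndb") of $(count_lines "$demo/jurlbl.ndb") signatures"
rm -rf "$demo"
```

The point of scanning with `-d` set to the temporary directory is that only the candidate signatures can fire, so every hit is attributable to the new download rather than to already-installed databases. A hit on ham is logged with the signature name, which is what you would want to report back to the list.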

