Bill Landry wrote:
> Roberto Ullfig wrote:
>> Bill Landry wrote:
>>> Roberto Ullfig wrote:
>>>
>>>> Bill Landry wrote:
>>>>
>>>>> Roberto Ullfig wrote:
>>>>>
>>>>>> Can I use a local.ign file to allow a signature caught by
>>>>>> sanesecurity?
>>>>>> I've found the db entry here:
>>>>>>
>>>>>> 69599:INetMsg.SpamDomain-2m.private_pl:4:*:(2e|2f|40|20|3c|5f)707269766174652e706c(27|22|20|2f|3d|5f|3e|0a|0d)
>>>>>>
>>>>>> Can I just put in the local.ign file:
>>>>>>
>>>>>> sanesecurity-INetMsg-SpamDomains-2m.ndb:69599:INetMsg.SpamDomain-2m.private_pl
>>>>>>
>>>>> Yes.
>>>>>
>>>>>> Will this eventually stop working? Does the line number of the
>>>>>> signature ever change?
>>>>>>
>>>>> Yes, the line numbers do change, however, if you are using the
>>>>> clamav-unofficial-sigs script, it will automatically update the
>>>>> local.ign file with the new line info, and also remove it from the file
>>>>> when the signature has either changed or been removed from the
>>>>> database.
>>>>>
>>>>> Anyway, I just removed this domain from the signature database about 15
>>>>> minutes ago. It will be gone with the next update that goes out in
>>>>> about 30 minutes.
>>>>>
>>>>> Bill
>>>>>
>>>> Thanks! What is private_pl? How did you know which domain to remove? Did
>>>> they contact you?
>>>>
>>> The domain was listed in the signature file you were asking about adding
>>> to local.ign (INetMsg.SpamDomain-2m.private_pl). It's a Polish domain,
>>> but I have no idea what its purpose is as this site is in Polish, which
>>> I don't understand.
>>>
>>> I removed the domain earlier yesterday as I was contacted by someone
>>> from uiuc.edu regarding the listing. However, as I told that person,
>>> the more serious issue is that the domain is also listed in URIBL Black:
>>>
>>> host private.pl.multi.uribl.com
>>> private.pl.multi.uribl.com has address 127.0.0.2
>>>
>>> That listing has much broader coverage than my signature database would
>>> have.
>>>
>>> Bill
>>>
>> Shouldn't such a check only look for strings like http://.*private.pl/
>> instead of getting tagged because of a filename within the URL called
>> private.pl?
>>
>> pl is a pretty common suffix for files (perl).
>
> Domains listed in my signature databases are already prefixed and
> suffixed as follows:
>
> (2e|2f|40|20|3c|5f)7a7a78636b77772e636e(27|22|20|2f|3d|5f|3e|0a|0d)
>
> which decodes to:
>
> (.|/|@| |<|_)domain.ext('|"| |/|=|_|>)
>
> and what you don't see decoded at the end of the string above is a
> newline and carriage-return.
>
> So if a file was tagged by the signature, it must have been named
> something like: <private.pl> or something that included the prefix and
> suffix delimiters shown above, otherwise it would have not been flagged.
>
> Hope this helps to clarify...

Hmmm, actually, in this case, just the file name would have gotten flagged
because of the leading and trailing space delimiters. I guess I will have
to look into how to better prevent this from happening in the future...

Bill
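Added example (not code from the thread, ClamAV or the sanesecurity project): a small Python script that parses the .ndb entry quoted above, decodes its hex signature into the readable prefix/domain/suffix form Bill described, and checks sample strings against it, showing why a bare file name surrounded by spaces is hit just like a URL. It assumes only the "*" offset and "(aa|bb)" alternation syntax need handling; ClamAV's other wildcards are left out.

```python
import re

# Constructed sample: the .ndb entry quoted in the thread, as "grep -n" prints it
# (the leading "69599:" is the line number, not part of the signature).
NDB_LINE = ("69599:INetMsg.SpamDomain-2m.private_pl:4:*:"
            "(2e|2f|40|20|3c|5f)707269766174652e706c(27|22|20|2f|3d|5f|3e|0a|0d)")

# One token per hex byte, "*" wildcard or "(aa|bb|...)" alternation group.
# Other ClamAV wildcards (??, {n-m}, nibble masks) are deliberately not handled.
TOKEN_RE = re.compile(r"\([0-9a-fA-F|]+\)|\*|[0-9a-fA-F]{2}")

def parse_ndb_line(line):
    """Split a 'grep -n' style .ndb line into (lineno, name, target, offset, hexsig)."""
    lineno, name, target, offset, hexsig = line.split(":", 4)
    return int(lineno), name, int(target), offset, hexsig

def hexsig_to_regex(hexsig):
    """Translate the hex signature body into an equivalent bytes regex."""
    parts = []
    for tok in TOKEN_RE.findall(hexsig):
        if tok == "*":
            parts.append(b".*")
        elif tok.startswith("("):
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return b"".join(parts)

def decode_readable(hexsig):
    """Render the signature the way Bill did: (.|/|@| |<|_)domain.ext('|"|...)."""
    def ch(h):  # hex bytes -> printable text, CR/LF shown as \r and \n
        return bytes.fromhex(h).decode("latin-1").encode("unicode_escape").decode()
    out = []
    for tok in TOKEN_RE.findall(hexsig):
        if tok.startswith("("):
            out.append("(" + "|".join(ch(a) for a in tok[1:-1].split("|")) + ")")
        else:
            out.append(tok if tok == "*" else ch(tok))
    return "".join(out)

def matches(hexsig, data):
    """True if the signature pattern occurs anywhere in data (offset '*' semantics)."""
    return re.search(hexsig_to_regex(hexsig), data, re.DOTALL) is not None

if __name__ == "__main__":
    sig = parse_ndb_line(NDB_LINE)[4]
    print(decode_readable(sig))
    for sample in (b"http://private.pl/", b"see private.pl now", b"xprivate.plx"):
        print(sample, matches(sig, sample))  # True, True, False
```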