Filtering PDF-/XLS-/Image-Spam With ClamAV (And ISPConfig) On Debian/Ubuntu

 
Submitted by till on Mon, 2007-07-23 17:33 :: Anti-Spam/Virus | Debian | Ubuntu | Email


Version 1.0
Author: Till Brehm <t [dot] brehm [at] projektfarm [dot] com>
Last edited 07/23/2007

There is currently a lot of spam in which the spam "information" is attached as a .pdf or .xls file, sometimes also hidden inside a .zip file. While these mails are hard to catch with e.g. SpamAssassin or a Bayes filter, the ClamAV virus scanner catches them easily once it is fed the right signatures, because ClamAV is built to scan mail attachments.

The website Sanesecurity (http://sanesecurity.co.uk) provides up-to-date signatures for these types of emails, including image spam. The following guide shows you how to install the spam, phishing, scam and image signatures from sanesecurity.co.uk and MSRBL into your ISPConfig ClamAV installation under Debian or Ubuntu Linux.

If you want to use the Sanesecurity signatures without ISPConfig, have a look at the explanations at the end of the tutorial.

 

Install Some Prerequisites

apt-get install gzip curl rsync

Now download the update script for the Sanesecurity signatures. The original script was written by Bill Landry and is available here: http://www.sanesecurity.co.uk/clamav/usage.htm. I've modified the path variables to suit an ISPConfig installation - the modified script is available here: http://www.ispconfig.org/downloads/scripts/sanesecurity_update.sh.

cd /usr/bin
wget http://www.ispconfig.org/downloads/scripts/sanesecurity_update.sh
chmod +x sanesecurity_update.sh

Now we run the update script to check if the download works:

./sanesecurity_update.sh

The result should look similar to this:

-----------------------------------------------------------------------------
=================================
SaneSecurity SCAM Database Update
=================================

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 116k 100 116k 0 0 65448 0 0:00:01 0:00:01 --:--:-- 139k

==================================
SaneSecurity PHISH Database Update
==================================

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 179k 100 179k 0 0 216k 0 --:--:-- --:--:-- --:--:-- 216k

==========================
MSRBL SPAM Database Update
==========================

Number of files: 1
Number of files transferred: 1
Total file size: 228436 bytes
Total transferred file size: 228436 bytes
Literal data: 228436 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 101
Total bytes received: 228579

sent 101 bytes received 228579 bytes 26903.53 bytes/sec
total size is 228436 speedup is 1.00

===========================
MSRBL IMAGE Database Update
===========================

Number of files: 1
Number of files transferred: 1
Total file size: 550503 bytes
Total transferred file size: 550503 bytes
Literal data: 550503 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 103
Total bytes received: 550688

sent 103 bytes received 550688 bytes 157368.86 bytes/sec
total size is 550503 speedup is 1.00

-----------------------------------------------------------------------------

Now we add the script to the root crontab so that it runs once a day:

crontab -e

Add the following line at the end of the root crontab:

53 04 * * * /usr/bin/sanesecurity_update.sh > /dev/null 2>&1

The script is then executed at 04:53 AM every day. Note that cron runs this line with /bin/sh, not bash: the bash-only &> redirection would be parsed there as a background job followed by an empty redirection, and the script's output would end up in cron mail to root, so use the portable form > /dev/null 2>&1 shown above. Please shift the time by a few minutes in your configuration to keep the load low on the download server.

 

Using Sanesecurity Signatures Without ISPConfig

If you want to use the Sanesecurity signatures without ISPConfig, you will have to customize the download script to match your ClamAV installation.

Download the original script from here:

http://www.sanesecurity.co.uk/clamav/ss-msrbl.sh

Edit the following variables to match your installation:

clam_sigs="/var/lib/clamav"

The variable clam_sigs contains the path to the directory where your ClamAV signatures are stored.

clam_user="clamav"

The variable clam_user contains the user name under which your clamd (or clamscan) runs; the downloaded signature files are owned by this user so that the scanner can read them.
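The steps above (download, daily cron run) and the two variables from this section are easiest to understand when you see what a signature updater actually has to do between the download and the live directory. The following script is an added example written for this page; it is neither the ISPConfig sanesecurity_update.sh nor Bill Landry's ss-msrbl.sh. It assumes the Debian/Ubuntu defaults /var/lib/clamav and the user clamav (overridable through CLAM_SIGS, CLAM_USER, CLAM_GROUP), a download base URL and the file names scam.ndb and phish.ndb as placeholders (DB_BASE_URL, DB_LIST: take the real list from the Sanesecurity usage page), and a clamscan binary (CLAMSCAN). The point it adds to the tutorial: a downloaded database is test-loaded with clamscan before it is copied into place, and if it does not load, or clamscan is not there to check it, nothing is installed, because one malformed file in the signature directory stops clamd and clamscan from starting at all.

```shell
#!/bin/sh
# Added example: a minimal Sanesecurity-style updater for ClamAV (not the HowtoForge,
# ISPConfig or Sanesecurity script). Every setting below is an assumption that you can
# override from the environment; the defaults match a Debian/Ubuntu ClamAV package.
CLAM_SIGS="${CLAM_SIGS:-/var/lib/clamav}"                   # where clamd/clamscan read databases
CLAM_USER="${CLAM_USER:-clamav}"                            # user clamd/freshclam run as
CLAM_GROUP="${CLAM_GROUP:-$CLAM_USER}"
CLAMSCAN="${CLAMSCAN:-clamscan}"                            # used only to test-load a database
STAGE_DIR="${STAGE_DIR:-/var/tmp/clamsigs}"                 # downloads land here first, never in CLAM_SIGS
DB_BASE_URL="${DB_BASE_URL:-http://www.sanesecurity.co.uk/clamav}"   # placeholder, see usage.htm
DB_LIST="${DB_LIST:-scam.ndb phish.ndb}"                    # placeholder file names

# Download one database into the staging directory. -f makes an HTTP error a failure
# instead of an HTML error page saved as "signatures"; -R keeps the server's mtime.
fetch_db() {
    mkdir -p "$STAGE_DIR"
    curl -sS -f -R -o "$STAGE_DIR/$1" "$DB_BASE_URL/$1"
}

# True when the staged copy differs from the live one, or when there is no live copy yet.
db_changed() {
    [ -f "$CLAM_SIGS/$1" ] || return 0
    ! cmp -s "$STAGE_DIR/$1" "$CLAM_SIGS/$1"
}

# Test-load a staged database with clamscan before it can reach the live directory.
# clamscan exits 0 (clean) or 1 (match) when the database parsed; 2 means it could not
# be loaded. Fail closed: without clamscan there is no check, so there is no install.
check_db() {
    if ! command -v "$CLAMSCAN" >/dev/null 2>&1; then
        echo "check_db: $CLAMSCAN not found, refusing to install $1" >&2
        return 1
    fi
    printf 'clamav signature load test\n' > "$STAGE_DIR/scan-test.txt"
    if "$CLAMSCAN" --quiet -d "$STAGE_DIR/$1" "$STAGE_DIR/scan-test.txt" >/dev/null 2>&1; then
        return 0
    elif [ $? -eq 1 ]; then
        return 0        # the test file matched a signature: the database loaded fine
    fi
    echo "check_db: $1 does not load cleanly, keeping the current copy" >&2
    return 1
}

# Copy a checked database into place atomically: write a temp file next to the target,
# give it the scanner's ownership and 0644, then rename, so a scanner that starts in the
# middle of an update never sees a half-written database.
install_db() {
    check_db "$1" || return 1
    cp "$STAGE_DIR/$1" "$CLAM_SIGS/.$1.tmp" &&
    chown "$CLAM_USER:$CLAM_GROUP" "$CLAM_SIGS/.$1.tmp" &&
    chmod 0644 "$CLAM_SIGS/.$1.tmp" &&
    mv -f "$CLAM_SIGS/.$1.tmp" "$CLAM_SIGS/$1" &&
    echo "$1: installed"
}

# Ask a running clamd to re-read its databases. clamscan (what ISPConfig calls) reads
# CLAM_SIGS on every run and needs no reload, so a missing or stopped clamd is not an error.
reload_clamd() {
    command -v clamdscan >/dev/null 2>&1 || return 0
    clamdscan --reload >/dev/null 2>&1 ||
        echo "clamd not reachable, reload skipped (harmless when only clamscan is used)" >&2
}

main() {
    installed=0
    for db in $DB_LIST; do                      # unquoted on purpose: DB_LIST is space separated
        if ! fetch_db "$db"; then
            echo "$db: download failed, keeping the current copy" >&2
            continue
        fi
        if db_changed "$db"; then
            install_db "$db" && installed=$((installed + 1))
        else
            echo "$db: unchanged"
        fi
    done
    [ "$installed" -gt 0 ] && reload_clamd
    return 0
}

# Run the update only when invoked as the script itself, so the functions can be sourced.
case $0 in *sanesecurity_update.sh) main "$@" ;; esac
```

Saved as /usr/bin/sanesecurity_update.sh it drops into the crontab line from above unchanged. Running it as root is what makes the chown to clamav work; for a clamd setup the reload at the end replaces the restart that a clamscan-only ISPConfig installation never needs.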


Submitted by soniah (registered user) on Tue, 2007-08-14 03:19.

I'm not using ISPConfig on my server - here are some additional changes that are required to sanesecurity_update.sh on a Debian 3.1 box:

clamd="/usr/sbin/clamd"
clamscan="/usr/bin/clamscan"
curl="/usr/bin/curl"

The service program doesn't exist on Debian/Ubuntu, but can be ignored as FreshClam will handle this. 

Sonia,

Submitted by sonoracomm (registered user) on Wed, 2007-08-01 15:43.

I have an answer to my own comment...I have recently learned a lot about clamav...

I am running ISPConfig on a Centos 5 box.  I wanted to use clamd for better performance. 

I temporarily enabled the rpmforge repo and installed clamd with 'yum install clamd'. It sets up logging for you and a lot of other stuff.

I edited the /usr/bin/sanesecurity_update.sh script at these lines:

clamscan="/usr/bin/clamdscan"
clam_sigs="/var/clamav"
clam_user="clamav"

Now I tail the correct logs:

tail /var/log/clamav/clamd.log
tail /var/log/clamav/freshclam.log 

This is great!  Thanks again,

Submitted by sonoracomm (registered user) on Wed, 2007-08-01 06:25.

Hi,

Another question... Would this procedure need to be modified if you adjust ISPConfig to use clamd instead of clamscan?

Thanks again,

Submitted by sonoracomm (registered user) on Tue, 2007-07-31 17:10.

Hi and thanks for this howto.

I would just like to know how to test this new functionality with ISPConfig.

I sent the 'Phish Test' message I found on the author's web site:

<html>
<SaneSecurity>dr1aYlariaDiax!_!leBr_aWOEWIehi5s1oapro8yL#chlAC7iUtOezoUqluviUd</SaneSecurity>
</html> 

and it failed to come into my Inbox, but I'd like to be able to see it in a log somewhere.

Any suggestions?

Thanks again,