Sanesecurity's ClamAV - Phishing and Scam/Spam Signatures

	... mad about email, sane about security ...
	Phishing and Scam Signatures for ClamAV

Stats from sites using the Unofficial Phishing and Scam signatures:

Site 1 Site 2 Site 3 Site 4 Site 5 Site 6 Site 7 Site 8 Site 9 Site 10 Site 11 Site 12 Site 13

Site 14 Site 15 Site 16 Site 17 Site 18 Site 19

Stats from sites using only the Unofficial Phishing signatures:

Site 1 Site 2

Note: some of the above sites have removed Sanesecurity from the virus name

Stats

If you want to produce your own ClamAV stats, here's a perl script to run.

Usage: If you want a nice .html output use the below command line in an hourly cronjob:

/usr/local/bin/clamstats.pl --html > /home/chris/clamstuff/mystats.html

Comments:

comment out $startdate = "06 January 2009"; on line 28, so that the first log file line's date will be used instead.

remove the text "stream" from the regexp on line 158, so that it matches my "FOUND" log file lines.

Support for amavis:

--- clamstats.pl 2009-01-25 18:07:30.000000000 -0800
+++ /usr/local/bin/clamstats.pl 2009-04-23 19:23:44.000000000 -0700
@@ -154,6 +154,9 @@
print "DEFANG: ID: $id, EXT: $ext, VIRUS: $virus\n";
addstats($date,$virus,$ext);

+ } elsif (($id,$virus) = ($log =~ m{amavis-(\w+).*:\s+(.+)
FOUND} )) {
+ #print "AMAVIS: ID: $id, VIRUS: $virus\n";
+ addstats($date,$virus,'N/A');
# } elsif (($virus) = ($log =~ /^stream(?: \d+)?: (.+)
FOUND/ )) {
} elsif (($virus) = ($log =~ /^stream[^:]+: (.+) FOUND/ ))
{
# Tue Feb 13 23:03:04 2007 -> stream:
Html.Phishing.Bank.Gen175.Sanesecurity.06032008 FOUND

Win32 changes:

This line :

} elsif (($virus) = ($log =~ /^[^:]+: (.+) FOUND/ )) {

didn't work with a line like this (win32 platform clamd scanning a file) :

Fri Apr 24 15:21:20 2009 -> C:\Tools\AvFilter\tmp\AVF6BB8.tmp:
Sanesecurity.Hdr.10108.UNOFFICIAL FOUND

But this one :

} elsif (($virus) = ($log =~ /^.+: (.+) FOUND/ )) {

worked like a charm (and should work in any case until another ": "
sequence appears in a line)