Thursday, April 17, 2008

Fighting phishing plague with ClamAV

It has been about one year and one month since the long-awaited version 0.90 of ClamAV was released. The latest available version today is 0.92.1. The new versions incorporate a lot of bug fixes, changes in the configuration syntax, scripted updates and many other enhancements.

In my opinion, the most important one is the anti-phishing engine, implemented with the help of the Google Summer of Code 2006 program. It supports more generic methods of identifying phishing emails, based on finding and comparing the fake and the real URLs in their bodies. The engine is based on heuristic analysis supported by special signatures. Through the subsequent releases 0.91 and 0.92 the engine was further improved. Finally, it was enabled by default in release 0.91. If you are interested in the details of the releases, you can check them in the clamav-announce mailing list.

So to protect your mail traffic from the phishing plague you only need to update to the latest version of ClamAV. But that's not everything. Sometimes you may need to turn it off, e.g. when testing for false positives, or to configure it more thoroughly. All of this is available in the configuration file /etc/clamd.conf in the form of the following options (the default values are shown here):
  • PhishingSignatures yes
    • try to detect phishing messages via signatures
  • PhishingScanURLs yes
    • scan URLs in the messages for heuristic analysis
  • PhishingRestrictedScan yes
    • the anti-phishing engine works only with domains listed in the .pdb database; scanning all domains instead may increase the false positive rate
  • PhishingAlwaysBlockSSLMismatch no
    • always block SSL mismatches; this raises the false positive rate
  • PhishingAlwaysBlockCloak no
    • always block cloaked URLs; enabling it seems to lead to an increase in false positives
You can find more on these options in the configuration file, which is well annotated, or in the related ClamAV man page (e.g. here).
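To see which of these options are actually in effect on a host, here is a small helper script I added for this post (my own example, not part of ClamAV or its documentation). It reads a clamd.conf, fills in the defaults listed above for options that are not set, and lists the options that deviate from them; it assumes the option names are spelled exactly as above, and the configuration it writes for the demo is constructed, not a real file.

```shell
#!/bin/sh
# Report the effective ClamAV anti-phishing settings in a clamd.conf.
# Defaults as listed in the post; one option per line.
phishing_defaults() {
    cat <<'EOF'
PhishingSignatures yes
PhishingScanURLs yes
PhishingRestrictedScan yes
PhishingAlwaysBlockSSLMismatch no
PhishingAlwaysBlockCloak no
EOF
}
# phishing_setting <conf> <option>: last uncommented value in <conf>,
# lower-cased, or the default when the option is not set at all.
# Assumes option names are spelled exactly as in the list above.
phishing_setting() {
    val=$(grep -E "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null \
          | tail -n 1 | awk '{print tolower($2)}')
    [ -n "$val" ] || val=$(phishing_defaults | awk -v o="$2" '$1 == o {print $2}')
    printf '%s\n' "$val"
}
# phishing_changed <conf>: options whose effective value differs from
# the default, e.g. a disabled URL scan or PhishingAlwaysBlockCloak yes.
phishing_changed() {
    phishing_defaults | while read -r opt def; do
        [ "$(phishing_setting "$1" "$opt")" = "$def" ] || printf '%s\n' "$opt"
    done
}
# write_sample_conf: constructed clamd.conf fragment for the demo (not a
# real file from the post), written to a temp file; prints its path.
write_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
LogFile /var/log/clamav/clamd.log
PhishingScanURLs no
# PhishingSignatures no    <- commented out, so the default applies
PhishingAlwaysBlockCloak Yes
PhishingRestrictedScan yes
EOF
    printf '%s\n' "$f"
}
# Demo: list every option's effective value, then the ones that deviate.
conf=$(write_sample_conf)
phishing_defaults | while read -r opt _; do
    printf '%-32s %s\n' "$opt" "$(phishing_setting "$conf" "$opt")"
done
echo "changed from default: $(phishing_changed "$conf" | tr '\n' ' ')"
rm -f "$conf"
```

Point it at your real /etc/clamd.conf with `phishing_changed /etc/clamd.conf` to spot a disabled engine or a false-positive-prone setting before it goes into production.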

Was there any way to deal with phishing messages before the release of ClamAV 0.90? Yes, there was; it is still here, and it is good practice to combine it with the ClamAV anti-phishing engine. Before ClamAV 0.90 you could use third-party signature files containing definitions of phishing mails. The best-known project doing this, and more, is the Sanesecurity project, where you can download such signatures and feed them to your ClamAV. ClamAV's default place for signatures in the filesystem is the /var/lib/clamav directory, which is where you download the files to. After that, you need to restart the clamd service (or similar).

Besides this, you can download scam signatures from their web page, which can help you get rid of spam based on MIME attachments like PDF documents, JPEG images and so on. I have been using them for a long time and they are really efficient. And you don't need to waste your time tuning SpamAssassin rules. By the way, I don't know of any that are as effective. To check the content of the signature files, use the sigtool tool like this:
  • sigtool -l /var/lib/clamav/scam.ndb
  • sigtool -l /var/lib/clamav/phish.ndb
You can find a lot of interesting information there. The parts of the signature names are well documented and you can break them down with the help of this web page.

I must not forget to mention that the more comfortable approach is to install on your system the update script, which downloads the signatures for you automatically via the cron service. The script is located on the web page in the usage section (or directly here).

In the end, we have two weapons to fight phishing with. Sanesecurity signatures seem to be more robust and mature, while the ClamAV anti-phishing engine is too young to be as accurate as Sanesecurity. But it uses a heuristic approach, which makes it more flexible and dynamic and free of the drawbacks of static signatures, such as zero-day attacks. So the best practice is to join their powers and use them together. If you go through the ClamAV tests on the Sanesecurity web page (by the way, they aren't up to date), you will find that the previous sentence about quality is true. ClamAV isn't perfect so far, but in many cases it catches mails which are invisible to the Sanesecurity signatures.
