MSRBL-SPAM.Meds.35.UNOFFICIAL
Since yesterday @ 2.30 (GMT) clamav rules updated MSRBL-SPAM.Meds.35.UNOFFICIAL, which has stopped virtually every single inbound message since. Ran updates/etc., still no good and messages blocked. Deleted the matching (last) line in /var/clamav/MSRBL-SPAM.ndb and set chattr +i /var/clamav/MSRBL-SPAM.ndb until the problem is resolved. Anyone else having a problem with this clamav sig?
Re: MSRBL-SPAM.Meds.35.UNOFFICIAL
In an effort to locate the source of the issue, I took a look at /usr/bin/clamav_updater.sh: get_update MSRBL-SPAM.ndb http://www.atomicorp.com/signatures/clamav/msrbl/ is the source, so I commented out that line and reset the file permissions with chattr -i /var/clamav/MSRBL-SPAM.ndb (cron was complaining about changing ownership of `/var/clamav/MSRBL-SPAM.ndb').
mikeshinn (Atomicorp Staff - Site Admin)
Re: MSRBL-SPAM.Meds.35.UNOFFICIAL
We don't use that cronjob or script anymore, so you should disable it. ASL is also not set up to download that rule family, and I want to say we dropped it at least a year ago (the MSRBL project doesn't seem to have updated its rules since 2010).
Michael Shinn
Atomicorp - Security For Everyone
Re: MSRBL-SPAM.Meds.35.UNOFFICIAL
mikeshinn wrote: We don't use that cronjob or script anymore, so you should disable it. ASL is also not set up to download that rule family, and I want to say we dropped it at least a year ago (the MSRBL project doesn't seem to have updated its rules since 2010).
OK, thanks. Never set it up manually (been running ASL for years) and have been upgrading as major versions came along. How best to remove? Delete /etc/cron.hourly/freshclam and /usr/bin/clamav_updater.sh and everything from /var/clamav? Why wasn't this handled as part of the ASL upgrade which replaced the cron/script mechanism?
Re: MSRBL-SPAM.Meds.35.UNOFFICIAL
Have the following rules in /var/clamav/ - some of which should be kept and some deleted?
Assume /etc/cron.hourly/freshclam is OK to keep?
drwxr-xr-x 2 root root 4.0K Aug 28 08:32 .
drwxr-xr-x 26 root root 4.0K Apr 12 2010 ..
-rw-r--r-- 1 root root 4.1M Aug 24 19:15 ASL-blacklist.ldb
-rw-r--r-- 1 root root 20K Aug 24 19:15 ASL.hdb
-rw-r--r-- 1 root root 38K Aug 24 19:15 ASL-h.ndb
-rw-r--r-- 1 root root 43M Aug 24 19:15 ASL-honeypot.hdb
-rw-r--r-- 1 root root 452K Aug 24 19:15 ASL-honeypot-hex.ndb
-rw-r--r-- 1 root root 1.3K Aug 24 19:15 ASL.ldb
-rw-r--r-- 1 root root 467K Jul 14 21:01 bytecode.cld
-rw-r--r-- 1 root root 11M Aug 28 04:01 daily.cld
-rw-r--r-- 1 root root 52K Apr 7 2010 honeynet.hdb
-rwxr-xr-x 1 root root 6.0K Jun 16 04:02 index.php
-rw-r--r-- 1 root root 4.8M Aug 17 16:54 junk.ndb
-rw-r--r-- 1 root root 236K Aug 15 16:54 lott.ndb
-rw-r--r-- 1 root root 26M Jul 27 17:49 main.cvd
-rw-r--r-- 1 root root 111K Apr 6 2010 mbl.db
-rw------- 1 root root 1.5K Aug 28 08:01 mirrors.dat
-rw-r--r-- 1 root root 19M Apr 21 2010 MSRBL-Images-FULL-SoN.hdb [REMOVED]
-rw-r--r-- 1 root root 5.4K Aug 26 09:37 MSRBL-SPAM.ndb [REMOVED]
-rw-r--r-- 1 root root 2.8M Aug 19 11:53 phish.ndb
-rw-r--r-- 1 root root 155K Aug 23 17:55 rogue.hdb
-rw-r--r-- 1 root root 30M Aug 28 08:01 safebrowsing.cld
-rw-r--r-- 1 root root 1.7M Aug 21 20:54 scam.ndb
-rw-r--r-- 1 root root 11M Apr 7 2010 securiteinfo.hdb
-rw-r--r-- 1 root root 56K Jun 23 16:53 spamimg.hdb
-rw-r--r-- 1 root root 19K Apr 11 12:53 spam.ldb
-rw-r--r-- 1 root root 1.8M Aug 23 22:53 spear.ndb
-rw-r--r-- 1 root root 708K Apr 7 2010 vx.hdb
Re: MSRBL-SPAM.Meds.35.UNOFFICIAL
You have the same old stuff left over from ages ago as I had on most of my systems before I removed it a year or so ago.
And in case of finger trouble, do a freshclam immediately afterwards.
Keep the following:
ASL-blacklist.ldb
ASL-h.ndb
ASL-honeypot-hex.ndb
ASL-honeypot.hdb
ASL.hdb
ASL.ldb
bytecode.cld
daily.cld
main.cvd
mirrors.dat
safebrowsing.cld
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
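The two fixes in this thread, the original poster's temporary removal of one signature line from MSRBL-SPAM.ndb and faris's keep-list cleanup of /var/clamav, as one added shell example (not code from the thread or from Atomicorp). It works on a constructed stand-in for the listing above, created under a temporary directory, so it can be run without touching a real ClamAV install; DB_DIR, the backup directory name, the placeholder hex bodies in the sample .ndb and the function names are all assumptions. Files not on the keep-list are moved aside rather than deleted, and the dropped signature is written to a .bak copy, so either step can be undone:

```shell
#!/bin/sh
# Added example, not from the thread. Prune a ClamAV database directory down
# to an explicit keep-list and neutralise one named signature in an .ndb file.
# Run freshclam afterwards (as faris advises) so clamd reloads a clean set.

# The files faris says to keep.
KEEP_LIST="ASL-blacklist.ldb ASL-h.ndb ASL-honeypot-hex.ndb ASL-honeypot.hdb ASL.hdb ASL.ldb bytecode.cld daily.cld main.cvd mirrors.dat safebrowsing.cld"

# is_kept NAME : succeed if NAME is on the keep-list.
is_kept() {
    for k in $KEEP_LIST; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# prune_db_dir DIR BACKUP : move every regular file in DIR that is not on the
# keep-list into BACKUP (created if needed). Prints the number of files moved.
prune_db_dir() {
    dir="$1"; backup="$2"
    mkdir -p "$backup"
    moved=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! is_kept "$(basename "$f")"; then
            mv "$f" "$backup/"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# drop_signature NDBFILE SIGNAME : remove the line for one signature from an
# .ndb file (one "Name:TargetType:Offset:HexSig" record per line), keeping a
# .bak copy. clamd appends ".UNOFFICIAL" to names from third-party databases,
# so that suffix is stripped before matching. Prints the number of lines removed.
drop_signature() {
    ndb="$1"; sig="${2%.UNOFFICIAL}"
    cp "$ndb" "$ndb.bak"
    before=$(wc -l < "$ndb")
    awk -F: -v s="$sig" '$1 != s' "$ndb.bak" > "$ndb"
    after=$(wc -l < "$ndb")
    echo $((before - after))
}

# make_demo_dir DIR : constructed stand-in for the /var/clamav listing in the
# thread (empty files plus a small MSRBL-SPAM.ndb with made-up records).
make_demo_dir() {
    d="$1"
    mkdir -p "$d"
    for n in ASL-blacklist.ldb ASL.hdb ASL-h.ndb ASL-honeypot.hdb ASL-honeypot-hex.ndb ASL.ldb \
             bytecode.cld daily.cld honeynet.hdb index.php junk.ndb lott.ndb main.cvd mbl.db \
             mirrors.dat MSRBL-Images-FULL-SoN.hdb phish.ndb rogue.hdb safebrowsing.cld scam.ndb \
             securiteinfo.hdb spamimg.hdb spam.ldb spear.ndb vx.hdb; do
        : > "$d/$n"
    done
    # Constructed records; the hex bodies are placeholders, not real signatures.
    printf '%s\n' \
        'MSRBL-SPAM.Meds.34:0:*:4d454453' \
        'MSRBL-SPAM.Meds.35:0:*:0a0d0a0d' \
        'MSRBL-SPAM.Meds.36:0:*:74657374' > "$d/MSRBL-SPAM.ndb"
}

# run_demo : build the stand-in, drop the offending signature, prune, report.
run_demo() {
    tmp=$(mktemp -d)
    make_demo_dir "$tmp/clamav"
    dropped=$(drop_signature "$tmp/clamav/MSRBL-SPAM.ndb" MSRBL-SPAM.Meds.35.UNOFFICIAL)
    moved=$(prune_db_dir "$tmp/clamav" "$tmp/clamav-old")
    echo "dropped=$dropped moved=$moved kept=$(ls "$tmp/clamav" | wc -l)"
    rm -rf "$tmp"
}

run_demo
```

On a real system point prune_db_dir at /var/clamav and keep the backup directory outside it, since clamd loads every recognised database file it finds there. Editing a third-party .ndb is only a stop-gap, as the next update of that file brings the signature back (which is why the original poster also set the immutable bit); the durable fix is the one the thread reaches, disabling the stale updater and removing the rule family.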
Re: MSRBL-SPAM.Meds.35.UNOFFICIAL
Many thanks faris, removed those files (and daily.cron), ran freshclam and all is good.