ClamAV, American Express, and Heuristics.Phishing.Email.SpoofedDomain
ClamAV was doing its job scanning email via amavis-new. It was catching all the nasties that folks tend to foist on their fellow net citizens. Unfortunately, when your spam and virus filters are doing their job, they occasionally catch folks who aren’t malicious, but also aren’t using best practices. This was the case with American Express. Emails to my clients from @welcome.aexp.com were being classified as “Heuristics.Phishing.Email.SpoofedDomain”. Searching around the net brought me to several sites where admins had ended up doing crazy things like disabling the heuristic scanning on email in ClamAV, or creating elaborate policy banks in amavis. Well, I was having none of that. I like the most correct, simplest solution. Hopefully, this methodology will help others solve similar issues.
One post I read referenced this document, which explains how to create whitelists for Clam’s phishing filters. That’s a good start. That same document mentions a utility script called “why.py” that will help isolate why an email is getting picked up by a rule. Unfortunately, my install didn’t have that script. A little searching brought me to a copy on GitHub. Running that led to a laundry list of Python-specific issues, mostly due to my environment. But, using the script as a guide, I just did it manually. The following command gave me a goldmine of information.
A few items to note about the command:
- The path after the -d is the location of my AV signatures.
- The amex_mail.eml is the raw text of the email (headers and all) that I pulled out of our quarantine database.
In that giant slew of output from the clamscan debug, the important part was this:
LibClamAV debug: Phishing: looking up in whitelist: .www.youtube.com:.www208.americanexpress.com; host-only:1
LibClamAV debug: Looking up in regex_list: www.youtube.com:www208.americanexpress.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
The issue is that there are links that display one URL, but link to a different URL altogether. I added the first pair to a file called daily.wdb in the same directory as my other ClamAV signatures. (/var/lib/clamav/ in my case.) With each pair that I added, I would re-run the debug command and discover a new pair. I ended up with three pairs in there before the emails checked out clean. Below are the contents of the daily.wdb file.
M:www.twitter.com:www208.americanexpress.com
M:www.youtube.com:www208.americanexpress.com
Here is a more advanced example of a daily.wdb file.
Once I restarted clamd, the AmEx emails started to pass as expected. Hope this helps someone.
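The re-run-and-add loop described above can be automated: pull every host pair that clamscan looked up and did not find out of the debug output, then append only the ones missing from the .wdb file. This is an added example, not code from the original post or from ClamAV; the debug text is a constructed sample modelled on the lines quoted above, and the pairs are emitted in the order clamscan prints them (the M:RealHostname:DisplayedHostname order used by ClamAV’s whitelist entries).

```python
import re

# Constructed sample of `clamscan --debug` output, modelled on the post's quoted lines.
# The last lookup is a pair that is already whitelisted and must not be added again.
SAMPLE_DEBUG = """\
LibClamAV debug: Phishing: looking up in whitelist: .www.youtube.com:.www208.americanexpress.com; host-only:1
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
LibClamAV debug: Phishing: looking up in whitelist: .www.twitter.com:.www208.americanexpress.com; host-only:1
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishing: looking up in whitelist: .www.twitter.com:.www208.americanexpress.com; host-only:1
LibClamAV debug: Lookup result: in regex list
"""

# Hosts as clamscan prints them: real link target first, displayed host second, each with a leading dot.
LOOKUP_RE = re.compile(r"looking up in whitelist: \.?([^:;\s]+):\.?([^;\s]+); host-only:1")


def missing_pairs(debug_text):
    """(real, displayed) pairs ClamAV looked up and did not find, first-seen order, no duplicates."""
    pending, found = None, []
    for line in debug_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
        elif "Lookup result: not in regex list" in line and pending:
            if pending not in found:
                found.append(pending)
            pending = None
    return found


def parse_wdb(wdb_text):
    """Host pairs already present as M: entries in a .wdb file."""
    entries = set()
    for line in wdb_text.splitlines():
        line = line.strip()
        if line.startswith("M:") and line.count(":") == 2:
            _, real, displayed = line.split(":")
            entries.add((real, displayed))
    return entries


def merge_wdb(wdb_text, pairs):
    """Append an M:real:displayed entry for each pair not yet in the file; keep existing lines."""
    lines = wdb_text.splitlines()
    known = parse_wdb(wdb_text)
    for real, displayed in pairs:
        if (real, displayed) not in known:
            lines.append(f"M:{real}:{displayed}")
            known.add((real, displayed))
    return "\n".join(lines) + "\n"
```

Feed it the debug output of one clamscan run and the current daily.wdb, write the result back, and re-run the scan; whatever it still flags shows up as a new pair on the next pass.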
Pandora from the Command Line
I like having Pandora going pretty much all the time, be it Bach when I’m coding, Techno for sysadmin tasks, or indulging my shameful pop music addiction. I wanted a way to control Pandora without having to drop out of the shell. I wanted it for my Mac, but lucked out and found one that works across all the platforms I use. Pianobar is a command line Pandora client and it works in Mac and Linux. (And Windows too.)
I was having a little trouble building it in Snow Leopard using the instructions from here, when I discovered that it’s already available in MacPorts. So I installed it with:
In Linux, you can find links to the repos for your distro of choice on the Pianobar website.
Next, I wanted it to login automatically and start playing when I launched it. On Mac, you can create a config file at ~/.config/pianobar/config, with contents similar to the following:
password = s3cR3t_sQu1RR3L
user = johnny.chimpo@afghanistanimation.org
To get the station ID for the autostart_station parameter:
- Run pianobar
- Log in manually
- Launch your favorite station
- Hit i to see the station and song info.
- The station ID will be in parentheses after the station name.
After you’ve got your file saved, you should be able to launch pianobar and have it start playing auto-magically.
Now, my next step was to use at so I could start pianobar at a given time and use it as an alarm clock.
You need to enable atrun on your Mac to use at to schedule jobs. (It’s enabled by default on most Linux distros.) You can schedule the launch like so:
pianobar #hit enter
#hit Ctl+D
If you start pianobar with at, it’s not on an interactive shell so you have no way to interact with it, or so I thought. You can create a fifo file to pass controls to the process:
Once you have that, you can control pianobar by echoing commands into the fifo:
echo p > ~/.config/pianobar/ctl
#To quit:
echo q > ~/.config/pianobar/ctl
#etc. etc.
Hopefully that’s food for thought enough to get you started. Enjoy.
PHP Choose Your Own Adventure
It all started with a whim. “I wonder if anyone has written a choose your own adventure game in PHP?” That landed me on Cal Henderson’s “choose” game. That, in turn, led me to Club-Ubuntu’s fork. I started playing around with the stock version and found myself making quite a few changes, so I decided to dig in a little deeper and make it an official fork. I added support for Google Adsense and Analytics, ReCaptcha on the user forms, and an admin page to manage some of the new features as well as some of the copy throughout the site.
I pushed the initial release to github tonight. You can find the code here. There is also a working demo available.
Enjoy!
Portable Apps
Now that it’s “cool” to keep all your apps on your thumb drive, I thought I’d spit out a list of good resources.
Portable Apps has some major applications rewritten for portability. Notably Portable Firefox, Thunderbird (+ gpg and enigma), and OpenOffice.
Portable Freeware has tons of little apps to meet just about any need.
KeePass is a powerful, yet simple password manager that stores your passwords in a database encrypted with FIPS-compliant encryption.
TrueCrypt allows you to keep all your sensitive documents without having to worry about someone getting access to them if they swipe your drive.