import mail/clamnailer:

Spear phishing is a technique used by spammers and scammers to try
to get your email username and password. They send you an email,
often claiming to be from your email provider or employer, in which
they say that your account will be deleted unless you supply them
with your username and password "for authentication" or some other
similar ruse. They say you must reply to the message giving them
this information, or send a message to a particular address giving
them this information.

ClamNailer takes 2 lists of addresses commonly used in these
attacks, and generates a ClamAV signature database to detect them.

mail/clamnailer/Makefile

@@ -0,0 +1,34 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2009/11/02 17:00:02 sthen Exp $
+
+COMMENT=	generate ScamNailer spear phishing database in ClamAV format
+
+DISTNAME=	ClamNailer-1.00
+PKGNAME=	${DISTNAME:L}
+EXTRACT_SUFX=	.gz
+
+CATEGORIES=	mail security
+
+HOMEPAGE=	http://www.scamnailer.info/
+
+# Public Domain
+PERMIT_PACKAGE_CDROM=	Yes
+PERMIT_PACKAGE_FTP=	Yes
+PERMIT_DISTFILES_CDROM=	Yes
+PERMIT_DISTFILES_FTP=	Yes
+
+MASTER_SITES=	http://www.scamnailer.info/files/contrib/
+
+NO_BUILD=	Yes
+NO_REGRESS=	Yes
+RUN_DEPENDS=	::security/clamav
+
+WRKDIST=	${WRKDIR}
+
+# fix MS-DOS line-endings, output to a file with non-version-dependent name
+post-extract:
+	perl -pi -e 's/\r$$//' < ${WRKSRC}/${DISTNAME} > ${WRKSRC}/clamnailer
+
+do-install:
+	${INSTALL_SCRIPT} ${WRKSRC}/clamnailer ${PREFIX}/sbin
+
+.include <bsd.port.mk>

mail/clamnailer/distinfo

@@ -0,0 +1,5 @@
+MD5 (ClamNailer-1.00.gz) = JcCdmqhBYwmepG5eCFzMyQ==
+RMD160 (ClamNailer-1.00.gz) = EH/eV5vsZd36XRZtzeQB0x1N3Fk=
+SHA1 (ClamNailer-1.00.gz) = 6uKIXG7vaw1HZMb6FHwuHvXDbVo=
+SHA256 (ClamNailer-1.00.gz) = ncM9/CdtMiKgUlVBzm794XJUgKAFkdlqNj9VE/kFgd8=
+SIZE (ClamNailer-1.00.gz) = 1361

mail/clamnailer/patches/patch-ClamNailer

@@ -0,0 +1,42 @@
+$OpenBSD: patch-ClamNailer,v 1.1.1.1 2009/11/02 17:00:02 sthen Exp $
+--- clamnailer.orig	Mon Nov  2 15:47:00 2009
++++ clamnailer	Mon Nov  2 15:47:15 2009
+@@ -20,9 +20,9 @@ use strict;
+ use POSIX;
+ 
+ # clamd's database directory
+-my $db = "/var/lib/clamav";
++my $db = "/var/db/clamav";
+ # ScamNailer download directory
+-my $work = "/var/cache/clamnailer";
++my $work = "/var/db/clamnailer";
+ # ScamNailer download location
+ my $url = "http://www.mailscanner.tv/";
+ 
+@@ -40,7 +40,7 @@ my $base = readlink "current";
+ die "readlink $work/current: $!" unless defined $base or $! == ENOENT;
+ 
+ if (!defined $base or $base ne $latest_base) {
+-	system "wget --quiet $url/$latest_base" and die "wget failed\n";
++	system "ftp $url/$latest_base > /dev/null" and die "ftp failed\n";
+ 	unlink 'current', glob "$base*" if defined $base;
+ 	symlink $latest_base, 'current' or die "symlink $work/current: $!\n";
+ 	$base = $latest_base;
+@@ -58,7 +58,7 @@ close $in;
+ 
+ for my $patch (1 .. $latest_patch) {
+ 	my $file = "$base.$patch";
+-	system "wget --quiet $url/$file" and die "wget failed\n" unless -f $file;
++	system "ftp $url/$file" and die "ftp failed\n" unless -f $file;
+ 	open my $in, '<', $file
+ 	    or die "open $work/$file: $!\n";
+ 	while (<$in>) {
+@@ -85,7 +85,7 @@ for my $addr (keys %addr) {
+ close $out or die "write > $work/scamnailer.tmp: $!\n";
+ 
+ # only install if file has changed
+-if (system "diff -q scamnailer.tmp scamnailer.ndb &>/dev/null") {
++if (system "diff -q scamnailer.tmp scamnailer.ndb > /dev/null 2>&1") {
+ 	# keep a local copy for future comparisons
+ 	system "cp scamnailer.tmp scamnailer.ndb" and die "cp failed\n";
+ 	# install where clamd will pick it up

mail/clamnailer/pkg/DESCR

@@ -0,0 +1,11 @@
+Spear phishing is a technique used by spammers and scammers to try
+to get your email username and password. They send you an email,
+often claiming to be from your email provider or employer, in which
+they say that your account will be deleted unless you supply them
+with your username and password "for authentication" or some other
+similar ruse. They say you must reply to the message giving them
+this information, or send a message to a particular address giving
+them this information.
+
+ClamNailer takes 2 lists of addresses commonly used in these
+attacks, and generates a ClamAV signature database to detect them.

mail/clamnailer/pkg/PLIST

@@ -0,0 +1,7 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2009/11/02 17:00:02 sthen Exp $
+sbin/clamnailer
+@owner _clamav
+@group _clamav
+@mode 775
+@sample /var/db/clamnailer/
+@extraunexec rm -rf /var/db/clamnailer