arachne-digest         Monday, March 31 2003         Volume 01 : Number 2083




----------------------------------------------------------------------

Date: Sun, 30 Mar 2003 14:0:15 +0000
From: "J J Young" <[EMAIL PROTECTED]>
Subject: Re: Email viruses in MIME encoded attachments

Hello Sam,

======= On 2003-03-29 at 23:55:00 you wrote: =======

>I have noticed that F-prot AV will discover, flag, identify, and report
>any MIME-encoded email attachments containing viruses in messages
>received by Arachne's email client, even if the attachment has not
>yet been decoded and saved to a file.
>
>In the case of messages received by Nettamer's email client a
>MIME-encoded attachment containing a virus will not get caught by
>F-prot until after the attachment has been decoded and saved to a
>file.

Last September I was in contact with Frisk (the F-Prot people) because
the then-current DOS version would not detect viruses in Foxmail 4.1
mailboxes larger than 500,000 bytes. This is still the case, and I have
not received a satisfactory reply. In fact, their first reply stated:

        >You should not have problems with scanning 500+ KB files. If that
        >were the case F-Prot would not be in business. Have you tried using 
        >the Dumb scan mode?

I had, indeed. I have also tried the two(?) updates to F-Prot released
since then.

Foxmail's mailboxes are zip-compressed. I zipped them further for 
uploading so Frisk could download and examine them. The example 
mailbox of less than 500,000 bytes did not reveal its infection to 
F-Prot when zipped.

>This applies even in the case of same virus, different email client.
>
>I wonder why this is so.  Does anyone know why?

See if Nettamer's mailboxes can be unzipped and whether the one you're
dealing with is over 500,000 bytes.

My inbox is currently over 38MB...

Regards,

Jake Young

2003-03-30  13:54:30 BST (GMT +1)

------------------------------

Date: Sun, 30 Mar 2003 12:36:29 -0500
From: "Samuel W. Heywood" <[EMAIL PROTECTED]>
Subject: Re: Email viruses in MIME encoded attachments

On Sun, 30 Mar 2003 14:0:15 +0000, J J Young wrote:

> Hello Sam,

> ======= On 2003-03-29 at 23:55:00 you wrote: =======

>> I have noticed that F-prot AV will discover, flag, identify, and report
>> any MIME-encoded email attachments containing viruses in messages
>> received by Arachne's email client, even if the attachment has not
>> yet been decoded and saved to a file.

>> In the case of messages received by Nettamer's email client a
>> MIME-encoded attachment containing a virus will not get caught by
>> F-prot until after the attachment has been decoded and saved to a
>> file.

> Last September I was in contact with Frisk (the F-Prot people) because
> the then-current DOS version would not detect viruses in Foxmail 4.1
> mailboxes larger than 500,000 bytes. This is still the case, and I have
> not received a satisfactory reply. In fact, their first reply stated:

>       >You should not have problems with scanning 500+ KB files. If that
>       >were the case F-Prot would not be in business. Have you tried using
>       >the Dumb scan mode?

> I had, indeed. I have also tried the two(?) updates to F-Prot released
> since then.

> Foxmail's mailboxes are zip-compressed. I zipped them further for
> uploading so Frisk could download and examine them. The example
> mailbox of less than 500,000 bytes did not reveal its infection to
> F-Prot when zipped.

>> This applies even in the case of same virus, different email client.

>> I wonder why this is so.  Does anyone know why?

> See if Nettamer's mailboxes can be unzipped and whether the one you're
> dealing with is over 500,000 bytes.

> My inbox is currently over 38MB...

> Regards,

> Jake Young

> 2003-03-30  13:54:30 BST (GMT +1)

Thanks for your reply, Jake.  My Nettamer inbox is over 2MB.  Unlike
an Arachne inbox which in its raw form consists of individual text
files, a Nettamer inbox in its raw form consists of just one very long
concatenated text file in which all the messages have separator symbols
inserted between individual messages.  The file is not zipped.  Is your
Foxmail inbox in its raw form a zipped file consisting of just one very
long concatenated text file?

Perhaps F-prot is capable of identifying email viruses only when it is
examining individual message files one at a time.  It appears to not
work at all in finding viruses in concatenated mail.  It will work with
a MIME-encoded message part separated out of a concatenated mail file after
it has been decoded and saved as an individual binary file.  I suppose
F-prot will probably work also with any MIME-encoded message part saved as
an individual file even if the MIME-encoded message part has not yet been
decoded to a binary file.

Sam Heywood
- --
This mail was written by user of The Arachne Browser:
http://browser.arachne.cz/
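
[Added example, not part of the original messages and not F-Prot's code.] The difference discussed in this thread, between scanning a concatenated mailbox as raw bytes and scanning each MIME part after splitting and decoding, can be reproduced with a byte-signature search. Assumptions: the standard mbox format stands in for a concatenated mailbox, the attachment is base64-encoded, and the signature is a constructed harmless marker.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Constructed, harmless marker standing in for a scanner's byte signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"

def build_mbox(path):
    """Write a constructed two-message mbox; only the second carries the marker."""
    box = mailbox.mbox(path)
    for i, payload in enumerate([b"plain report data", b"MZ" + SIGNATURE]):
        msg = EmailMessage()
        msg["From"] = "sender@example.invalid"
        msg["Subject"] = f"constructed message {i}"
        msg.set_content("see attachment")
        # Binary attachments are base64-encoded by default.
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=f"file{i}.bin")
        box.add(msg)
    box.flush()
    box.close()

def raw_scan(path):
    """Byte search over the concatenated mailbox, with no MIME decoding."""
    with open(path, "rb") as fh:
        return SIGNATURE in fh.read()

def decoded_scan(path):
    """Split the mailbox into messages, decode each leaf part, then search."""
    hits = []
    box = mailbox.mbox(path)
    for msg in box:
        for part in msg.walk():
            if part.is_multipart():
                continue
            body = part.get_payload(decode=True) or b""
            if SIGNATURE in body:
                hits.append((msg["Subject"], part.get_filename()))
    box.close()
    return hits

def demo():
    """Return (raw scan result, decoded scan hits) for the constructed mailbox."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "inbox.mbox")
        build_mbox(path)
        return raw_scan(path), decoded_scan(path)
```

The raw search misses the marker because base64 changes the bytes on disk; a scanner sees it only if it decodes the part itself or holds a signature for the encoded form.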

------------------------------

Date: Sun, 30 Mar 2003 19:13:10 +00
From: "Bastiaan Edelman, PA3FFZ" <[EMAIL PROTECTED]>
Subject: Re: Email viruses in MIME encoded attachments

Hi Samuel,
Are you sure Arachne did not decode the attachment?
It may not have been written to a file yet... but it is written to the
cache already, decoded.

CU, Bastiaan 


On Sat, 29 Mar 2003 23:55:55 -0500, Samuel W. Heywood wrote:

> I have noticed that F-prot AV will discover, flag, identify, and report
> any MIME-encoded email attachments containing viruses in messages
> received by Arachne's email client, even if the attachment has not
> yet been decoded and saved to a file.

> In the case of messages received by Nettamer's email client a
> MIME-encoded attachment containing a virus will not get caught by
> F-prot until after the attachment has been decoded and saved to a
> file.

> This applies even in the case of same virus, different email client.

> I wonder why this is so.  Does anyone know why?

> Sam Heywood

> --
> This mail was written by user of The Arachne Browser:
> http://browser.arachne.cz/

------------------------------

Date: Sun, 30 Mar 2003 15:33:01 -0500
From: "Samuel W. Heywood" <[EMAIL PROTECTED]>
Subject: Re: Email viruses in MIME encoded attachments

On Sun, 30 Mar 2003 19:13:10 +00, Bastiaan Edelman, PA3FFZ wrote:

> Hi Samuel,
> Are you sure Arachne did not decode the attachment?
> It may not have been written to a file yet... but it is written to the
> cache already, decoded.

> CU, Bastiaan

Yes, I am sure.  Executable programs sent as MIME-encoded email
attachments and received by Arachne's email client do not get
automagically decoded and written to cache unless one clicks on
the attachment ikon.

> On Sat, 29 Mar 2003 23:55:55 -0500, Samuel W. Heywood wrote:

>> I have noticed that F-prot AV will discover, flag, identify, and report
>> any MIME-encoded email attachments containing viruses in messages
>> received by Arachne's email client, even if the attachment has not
>> yet been decoded and saved to a file.

>> In the case of messages received by Nettamer's email client a
>> MIME-encoded attachment containing a virus will not get caught by
>> F-prot until after the attachment has been decoded and saved to a
>> file.

>> This applies even in the case of same virus, different email client.

>> I wonder why this is so.  Does anyone know why?

Sam Heywood
- --
This mail was written by user of The Arachne Browser:
http://browser.arachne.cz/

------------------------------

Date: Mon, 31 Mar 2003 08:50:05 +1000
From: "Ron Clarke" <[EMAIL PROTECTED]>
Subject: Re: Email viruses in MIME encoded attachments

Hi Folks, Sam,

On Sun, 30 Mar 2003 14:55:55 +1000, Samuel W. Heywood wrote:

> I have noticed that F-prot AV will discover, flag, identify, and report
> any MIME-encoded email attachments containing viruses in messages
> received by Arachne's email client, even if the attachment has not
> yet been decoded and saved to a file.

> In the case of messages received by Nettamer's email client a
> MIME-encoded attachment containing a virus will not get caught by
> F-prot until after the attachment has been decoded and saved to a
> file.

> This applies even in the case of same virus, different email client.

> I wonder why this is so.  Does anyone know why?

   I only use Arachne for email.

   I have also noted that F-Prot, which I use daily, will identify some
attached virii immediately, and a very few not until the message has
been opened and the attachments written to TEMP.

   I have always assumed that for some of those email attachments the
identity of the attachment is not so easy to pick because of some
difference in the encoding. (MIME or UU ?)

Regards,
        Ron




Ron Clarke
http://homepages.valylink.net.au/~ausreg/index.html
http://tadpole.aus.as
- -- This mail was written by user of The Arachne Browser - http://arachne.cz/

------------------------------

Date: Mon, 31 Mar 2003 9:25:26 +0000
From: "J J Young" <[EMAIL PROTECTED]>
Subject: Re: Re: Email viruses in MIME encoded attachments

Hello again Sam,

======= On 2003-03-30 at 12:36:00 you wrote: =======

>Thanks for your reply, Jake.  My Nettamer inbox is over 2MB.  Unlike
>an Arachne inbox which in its raw form consists of individual text
>files, a Nettamer inbox in its raw form consists of just one very long
>concatenated text file in which all the messages have separator symbols
>inserted between individual messages.  The file is not zipped.  Is your
>Foxmail inbox in its raw form a zipped file consisting of just one very
>long concatenated text file?

The Foxmail mailboxes may indeed be opened in a text editor and read as 
one file with separator symbols. I find this a convenient way to search
archived mail. When unzipped, the individual messages are spat out as 
text files.

>Perhaps F-prot is capable of identifying email viruses only when it is
>examining individual message files one at a time.  It appears to not
>work at all in finding viruses in concatenated mail.  

As I said, there's the 500,000 byte watershed with Foxmail (which I assume
is saving the mail in concatenated form). I ought to try my small collection
of viruses to see if they're all susceptible to the mailbox size limit.

Perhaps you could try it on a zipped zipfile?

Regards,

Jake Young

2003-03-31  09:25:39 BST (GMT +1)

------------------------------

Date: Mon, 31 Mar 2003 10:38:51 
From: Alejandro Lieber <[EMAIL PROTECTED]>
Subject: ActiveMime

Today I received an email with an attached file: EDITDATA.MSO

The first characters of this binary file are: ActiveMime

What type of file is this ?

Thanks.






Free good Sans Serif fonts for MS-DOS at: 
http://www.limasa.com.ar/novafont.zip

Configurable dialing menu for several DOS internet programs at:
http://www.limasa.com.ar/dial_ip.zip

- ----------------------
Ing.  Alejandro Lieber  
Rosario      Argentina
lima[at]citynet.net.ar
- ----------------------

------------------------------

End of arachne-digest V1 #2083
******************************
