Matt,

I agree with every one of your points. My intent was to bring up that I had reported this issue a long time ago, as I also thought that what was happening was undesirable. However, at the time Scott did not feel this was a bug. Times change, though, and backscatter is a huge issue. Maybe that's enough now to argue for an alteration of the behavior, as my preference would be to handle mismatched EXEs as their own class, for which I would not send bannotify messages.

Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Darrell,

I'm sure that it is desirable to block (when the detection isn't erroring); however, having this handled as if it were an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail.

I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume, since this comes from a major zombie spammer. I'm guessing that most are bouncing EXEs that aren't detected as viruses.

To check this, just search your Virus log for "mismatched.exe".

The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXEs. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXEs.

Matt
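The log check suggested above, done per message rather than as a bare text search, as an added example (not Declude's code, and not from anyone on the list): it groups Declude Virus log lines by queue file and reports the ones that were banned only because Declude logged "mismatched extensions ... assuming .exe", which are exactly the bannotify.eml bounces that become backscatter when the sender is forged. The log sample is constructed in the format quoted in the thread, with placeholder addresses.

```python
"""Added example: find queue files that Declude Virus banned via the
'mismatched extensions ... assuming .exe' heuristic rather than because of a
real .exe attachment.  Log format follows the entries quoted in the thread."""
import re
from collections import defaultdict

# Constructed sample in the quoted log format (addresses/IPs are placeholders).
LOG = """\
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd From: spam@example.invalid To: me@example.invalid [outgoing from 192.0.2.7]
10/01/2006 14:05:10.100 q02f8014a00009edd.smd MIME file: invoice.exe [base64; Length=1024 Checksum=99]
10/01/2006 14:05:10.100 q02f8014a00009edd.smd Banning file with EXE extension [application/octet-stream].
10/01/2006 14:05:10.200 q02f8014a00009edd.smd From: a@example.invalid To: b@example.invalid [outgoing from 192.0.2.9]
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<qid>\S+\.smd) (?P<text>.*)$")
MISMATCH = re.compile(r"mismatched extensions \[(?P<names>[^\]]+)\]; assuming \.exe")
ENVELOPE = re.compile(r"From: (?P<from>\S+) To: (?P<to>\S+) \[outgoing from (?P<ip>[\d.]+)\]")

def parse_log(log):
    """Group the per-line facts we care about by Declude queue id."""
    recs = defaultdict(dict)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec, text = recs[m["qid"]], m["text"]
        if mm := MISMATCH.search(text):
            rec["mismatch"] = mm["names"]          # Declude's own "assuming .exe" line
        elif "Banning file with EXE extension" in text:
            rec["banned_exe"] = True
        elif em := ENVELOPE.search(text):
            rec.update(sender=em["from"], rcpt=em["to"], ip=em["ip"])
    return dict(recs)

def assumed_exe_bans(log):
    """Queue ids banned through the mismatch heuristic, not a real .exe."""
    return {q: r for q, r in parse_log(log).items()
            if r.get("banned_exe") and "mismatch" in r}

if __name__ == "__main__":
    for qid, rec in assumed_exe_bans(LOG).items():
        print(qid, rec["mismatch"], rec.get("sender"), rec.get("ip"))
```

Point it at a real Virus log (read the file into the string) to count how many bounces in a day came from this heuristic alone versus genuine EXE attachments.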
Darrell ([EMAIL PROTECTED]) wrote:

I brought this up to Scott several years ago, and he said this is not a bug but a by-design issue. He explained a scenario why this was important and I understood based on the explanation, but for the life of me I can't remember the scenario.

Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam.

For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Disposition: inline; filename="smoky.1.gi"

You will note the Content-Type being image/jpeg and the file extension being "gi".

Here is what Declude Virus finds:

10/01/2006 14:03:44.656 q02f8014a00009ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a00009ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd Subject: Re: diagnostician dull

This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXEs.

It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues. Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown", so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose for instance to block them, but not bounce them.

Thanks,

Matt
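The handling proposed in the post, written out as an added example (not Declude's code, and not from anyone on the list): an attachment whose Content-Type name= and Content-Disposition filename= carry different extensions becomes its own "mismatched" class instead of an assumed EXE, and a policy table decides per class whether to block and whether to send bannotify.eml. The ban list and policy table are hypothetical; the sample message is constructed from the headers quoted above, with the filename header folded across two lines to show that a proper MIME parser also handles the folded case mentioned in the post.

```python
"""Added example: classify attachments by the two advertised filenames, giving
mismatched extensions their own class so they can be blocked without a bounce."""
import email
import os
from email import policy

# Constructed message modelled on the headers quoted in the post (folded filename).
SAMPLE = (
    'From: sender@example.invalid\r\nTo: rcpt@example.invalid\r\n'
    'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="b1"\r\n\r\n'
    '--b1\r\nContent-Type: text/html\r\n\r\n<html>hi</html>\r\n'
    '--b1\r\nContent-Type: image/jpeg; name="smoky.1.jpg"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
    'Content-Disposition: inline;\r\n\tfilename="smoky.1.gi"\r\n\r\n/9j/4AAQ\r\n'
    '--b1--\r\n'
)
BANNED_EXT = {"exe", "scr", "pif", "com", "bat"}  # hypothetical ban list
# class -> (block the message?, send bannotify.eml?); hypothetical policy table
POLICY = {"exe": (True, True), "mismatched": (True, False), "ok": (False, False)}

def ext_of(name):
    return os.path.splitext(name)[1].lstrip(".").lower()

def classify_names(ct_name, cd_name):
    """Classify from the Content-Type name= and Content-Disposition filename=."""
    exts = {ext_of(n) for n in (ct_name, cd_name) if n}
    if len(exts) > 1:          # where Declude today logs "assuming .exe"
        return "mismatched"
    if exts & BANNED_EXT:
        return "exe"
    return "ok"

def classify_part(part):
    ct_name = part.get_param("name")                                   # Content-Type
    cd_name = part.get_param("filename", header="content-disposition")  # Content-Disposition
    return classify_names(ct_name, cd_name)

def scan(raw):
    """Return (class, block, notify) for every leaf part of a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cls = classify_part(part)
        block, notify = POLICY[cls]
        out.append((cls, block, notify))
    return out
```

Running scan(SAMPLE) yields one "ok" part and one "mismatched" part that is blocked but never bounced, which is the split between blocking and notifying that the post asks for.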
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.