Swen does forge.  Sometimes it sends a fake bounce message to spread which is different from the primary payload.  The message also will forge the From address while using the Mail From of the infected computer.

I'm thinking this is more so the difference between what we consider forging, and why we individually use SKIPIFFORGING.  My only reason for sending virus notifications to my own clients right now is to show them when something like an infected document was intercepted from a real sender, and anything that forges whatsoever would be considered something to skip.  For instance, I used to have a form for one client where people could upload resumes, and my server would forward these resumes to them in E-mail, but they were regularly infected with macro viruses and it would be nice to drop them a note in that case instead of just making the message and attachment totally disappear.

Seems like SKIPIFFORGING was really intended to handle bounces to the sender and not to the receiver by the way it is being applied.

Matt



John Tolmachoff (Lists) wrote:

SWEN is not known to be forging. Every one that I have seen came from the sender that was indeed infected.


John Tolmachoff

Engineer/Consultant/Owner

eServices For You


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Sunday, March 07, 2004 6:27 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Swen not tagged as forging?


I just had a client ask me to turn off all virus notifications, and the message that they sent back was for Swen.A.

       Date: 03/07/2004 17:37:53
       Subject: Abort Notice
       Host: cybermatsa.com.mx [148.233.93.6]
       Attachment: enqofe.exe
       Virus: W32/[EMAIL PROTECTED]

Is it possible that this isn't in the forging database, or could this have been a failed lookup, or is it possible that this is a bug in the version of Declude Virus that I am running?  I'm on 1.78i14 currently.  I'm thinking that maybe the combination of the 'MIME Header' vulnerability along with the virus being detected might have caused the SKIPIFFORGING to be bypassed:

03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: [text/html][quoted-printable; Length=228 Checksum=17379]
03/07/2004 17:37:53 Qa43c661500982fd2 Outlook 'MIME Header' Vulnerability: type=audio/x-wav, name=enqofe.exe.
03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: enqofe.exe [base64; Length=106496 Checksum=9384207]
03/07/2004 17:37:53 Qa43c661500982fd2 Banning file with EXE extension [audio/x-wav].
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 1: Virus=W32/[EMAIL PROTECTED] Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 2: Virus=I-Worm/Swen.A Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 6]
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting file with virus
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting E-mail with virus!
03/07/2004 17:37:53 Qa43c661500982fd2 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 106748]
03/07/2004 17:37:53 Qa43c661500982fd2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 148.233.93.6]
03/07/2004 17:37:53 Qa43c661500982fd2 Subject: Abort Notice

Thanks,

Matt

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
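The Declude log excerpt in the message above, as an added example that is not part of the thread or of Declude's own code: a small Python parser for those per-message log lines, plus a notification rule with the semantics the thread attributes to SKIPIFFORGING (skip the "you sent us a virus" notice when the detected virus is one that forges the sender, since the notice would go to an innocent third party). The forging-family list is a constructed policy table seeded only with Swen, which Matt's reply says forges; the second, macro-virus record is constructed for contrast; and the `[EMAIL PROTECTED]` tokens are the list archive's address masking, kept exactly as they appear on the page. One thing the sample shows is why the rule should look at every scanner's name: the masked scanner 1 name would never match, while scanner 2's `I-Worm/Swen.A` does.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the Declude Virus lines quoted in the thread, followed by a
# second, made-up record (queue id, virus name and addresses are all fabricated)
# for an incoming document carrying a macro virus that does not forge its sender.
SAMPLE_LOG = """\
03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: [text/html][quoted-printable; Length=228 Checksum=17379]
03/07/2004 17:37:53 Qa43c661500982fd2 Outlook 'MIME Header' Vulnerability: type=audio/x-wav, name=enqofe.exe.
03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: enqofe.exe [base64; Length=106496 Checksum=9384207]
03/07/2004 17:37:53 Qa43c661500982fd2 Banning file with EXE extension [audio/x-wav].
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 1: Virus=W32/[EMAIL PROTECTED] Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 2: Virus=I-Worm/Swen.A Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 6]
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting file with virus
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting E-mail with virus!
03/07/2004 17:37:53 Qa43c661500982fd2 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 106748]
03/07/2004 17:37:53 Qa43c661500982fd2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 148.233.93.6]
03/07/2004 17:37:53 Qa43c661500982fd2 Subject: Abort Notice
03/07/2004 18:02:10 Q00000000deadbeef MIME file: resume.doc [base64; Length=40960 Checksum=1234567]
03/07/2004 18:02:10 Q00000000deadbeef Scanner 1: Virus=WM/Example-Macro Attachment=resume.doc [1] O
03/07/2004 18:02:10 Q00000000deadbeef File(s) are INFECTED [WM/Example-Macro: 1]
03/07/2004 18:02:10 Q00000000deadbeef From: applicant@example.com To: hr@example.com [incoming from 192.0.2.10]
03/07/2004 18:02:10 Q00000000deadbeef Subject: Resume
"""

# Line shapes taken from the excerpt: "<date> <time> <queue id> <message>".
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) (.*)$")
SCANNER_RE = re.compile(r"^Scanner (\d+): Virus=(.+?) Attachment=(\S+)")
FROM_RE = re.compile(r"^From: (.+?) To: (.+?) \[([^\]]*)\]$")
SUBJECT_RE = re.compile(r"^Subject: (.*)$")


@dataclass
class Detection:
    scanner: int
    name: str
    attachment: str


@dataclass
class ScanRecord:
    queue_id: str
    detections: List[Detection] = field(default_factory=list)
    infected: bool = False
    mime_header_vuln: bool = False
    sender: Optional[str] = None
    recipient: Optional[str] = None
    route: Optional[str] = None
    subject: Optional[str] = None


def parse_log(text: str) -> Dict[str, ScanRecord]:
    """Group Declude per-message log lines by queue id into ScanRecord objects."""
    records: Dict[str, ScanRecord] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a per-message line; ignore
        _ts, qid, msg = m.groups()
        rec = records.setdefault(qid, ScanRecord(queue_id=qid))
        s = SCANNER_RE.match(msg)
        if s:
            rec.detections.append(Detection(int(s.group(1)), s.group(2), s.group(3)))
            continue
        f = FROM_RE.match(msg)
        if f:
            rec.sender, rec.recipient, rec.route = f.groups()
            continue
        sub = SUBJECT_RE.match(msg)
        if sub:
            rec.subject = sub.group(1)
        elif msg.startswith("File(s) are INFECTED"):
            rec.infected = True
        elif msg.startswith("Outlook 'MIME Header' Vulnerability"):
            rec.mime_header_vuln = True
    return records


# Constructed policy table (assumption): lower-case family tokens for viruses
# that forge the sender.  Seeded only with Swen, which the thread says forges;
# in practice this would be populated from your vendor's forging data.
FORGING_FAMILIES: Set[str] = {"swen"}


def notification_decision(rec: ScanRecord, forging: Set[str]) -> Tuple[str, Optional[str]]:
    """Assumed SKIPIFFORGING-style rule, not Declude's own implementation.

    Returns ("skip", name) if any scanner's virus name contains a known-forging
    family token, ("notify", None) if the message is infected but no forging
    family matched, and ("none", None) if nothing was detected at all.
    Every scanner's name is checked, so a masked or vendor-specific name from one
    scanner does not hide a match reported by another.
    """
    if not rec.infected and not rec.detections:
        return ("none", None)
    for det in rec.detections:
        lowered = det.name.lower()
        for fam in forging:
            if fam in lowered:
                return ("skip", det.name)
    return ("notify", None)


if __name__ == "__main__":
    for qid, rec in parse_log(SAMPLE_LOG).items():
        action, why = notification_decision(rec, FORGING_FAMILIES)
        print(f"{qid}: {action} ({why or 'no forging family matched'}) from={rec.sender} route={rec.route}")
```

Run as a script it prints one decision per queue id; the Swen record comes out as "skip" because of the scanner 2 name, and the constructed macro-virus record as "notify", which is the behaviour Matt describes wanting for the uploaded-resume case.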