These messages don't contain any exploitable code; however, it is likely that these viruses will all be linked by way of an IP. So maybe sending messages to the virus scanner when they contain an IP would be wise?
I am of course guessing that some virus scanners are detecting this just like they detect the phishes. As Andrew pointed out in the other forum, it wouldn't be a surprise to see these messages use a standard port, or even exclude the port and default to 80, and if they did that, we would be hard pressed to detect all of these viruses since it would mean that content patterns alone would be the deciding factor in detection and they can be variable enough for individual administrators to not be able to handle, while the AV companies consider this type of thing to be their job.
Matt
R. Scott Perry wrote:
I did as Scott recommended and turned off prescan; but afterwards I noticed in the clam logs that ClamAV had caught phish previously with prescan ON, so why would you think that is so? eg - I guess what I'm asking is will ClamAV reliably anti-phish to its capability with prescan on?
PRESCAN ON (which works with Declude Virus Pro) saves CPU resources by not calling the AV scanner when an E-mail arrives that contains one or more HTML segments, if [1] there are no other segments except text and/or HTML segments, and [2] the HTML doesn't contain any code that Declude Virus identifies as potentially dangerous.
In other words, since most E-mail these days has HTML (by default, most mail clients send HTML E-mail, even if you just say "hi" in normal text), PRESCAN ON is able to save a lot of CPU time by not scanning those E-mails (while still catching the few E-mails that contain viruses/worms in HTML, such as kak.worm).
The drawback here to PRESCAN ON is that phishing attacks won't get sent to the virus scanner, so a virus scanner that is looking for them won't find them.
What you are probably seeing is an E-mail with a phishing attack that *does* contain potentially dangerous code. For example, if it contains any JavaScript -- even safe JavaScript code -- it would be sent to the virus scanner. So you may see the virus scanner detecting some phishing attacks even with PRESCAN ON. But to catch them all, you would need PRESCAN OFF.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
----
This outgoing message is guaranteed to be authentic by Message Level users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
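The PRESCAN decision Scott describes, combined with Matt's suggestion of forwarding messages that link to a raw IP, sketched as an added example (not Declude's code). The marker patterns, the function name `needs_av_scan` and the sample messages are assumptions constructed for illustration; the thread itself only names JavaScript as a trigger.

```python
import re
from email import message_from_string

# Assumed "potentially dangerous" markers; the thread only names JavaScript.
DANGEROUS_HTML = re.compile(r"<script\b|javascript:|<iframe\b|<object\b", re.I)
# Matt's idea: a link whose host is a raw IPv4 address, with or without a port.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:[/\"'\s>]|$)", re.I)

def needs_av_scan(raw, prescan=True, scan_ip_links=False):
    """Return (scan, reason) for one raw message, following the PRESCAN rules."""
    if not prescan:
        return True, "prescan off: everything goes to the scanner"
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # Rule [1]: any segment other than text or HTML forces a scan.
        if ctype not in ("text/plain", "text/html") or part.get_filename():
            return True, "non-text segment: " + ctype
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        # Rule [2]: HTML with active content forces a scan, even if harmless.
        if ctype == "text/html" and DANGEROUS_HTML.search(body):
            return True, "active content in HTML"
        # Optional extra rule from Matt's message.
        if scan_ip_links and IP_URL.search(body):
            return True, "IP-literal link"
    return False, "text/HTML only, nothing flagged: scanner skipped"

def _mail(ctype, body):
    # Constructed sample message; 192.0.2.10 is a documentation address.
    return ("From: a@example.com\nSubject: test\nMIME-Version: 1.0\n"
            f"Content-Type: {ctype}\n\n{body}\n")

PHISH = _mail("text/html", '<a href="http://192.0.2.10/login">Verify account</a>')
PLAIN_LINK = _mail("text/html", '<a href="http://example.com/">hello</a>')
SCRIPTED = _mail("text/html", "<script>var x = 1;</script><p>hi</p>")
BINARY = _mail("application/octet-stream", "AAAA")

if __name__ == "__main__":
    for name in ("PHISH", "PLAIN_LINK", "SCRIPTED", "BINARY"):
        print(name, needs_av_scan(globals()[name]),
              needs_av_scan(globals()[name], scan_ip_links=True))
```

With the default settings the constructed phish never reaches the scanner, which is the gap discussed in the thread; `scan_ip_links=True` or `prescan=False` closes it at the cost of more scanner calls.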
