.. I hope that Declude will agree with Matt's point that
backscatter must be avoided. There is ample precedent, for
example in that the BOUNCE action was renamed to BOUNCEONLYIFYOUMUST to
prevent backscatter.
Andrew.
Matt,
I agree with every one of your points. My intent was to bring it up that I had reported this issue a long time ago, as I also thought that what was happening was undesirable. However, at the time Scott did not feel this was a bug. However, times change and backscatter is a huge issue. Maybe that's enough now to convince for an alteration of behavior, as my preference would be to handle mismatched exe's as its own class for which I would not send bannotify messages.
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Darrell,
I'm sure that it is desirable to block (when the detection isn't erroring), however having this handled as if it was an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail.
I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume since this comes from a major zombie spammer. I'm guessing that most are bouncing EXE's that aren't detected as viruses.
To check this, just search your Virus log for "mismatched.exe".

The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXE's. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXE's.
Matt
Darrell ([EMAIL PROTECTED]) wrote:
I brought this up to Scott several years ago, and he said this is not a bug but a by-design issue. He explained a scenario why this was important and I understood based on the explanation, but for the life of me I can't remember the scenario.
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam.
For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Disposition: inline; filename="smoky.1.gi"
You will note the Content-Type being image/jpeg and the file extension being "gi".

Here is what Declude Virus finds:
10/01/2006 14:03:44.656 q02f8014a00009ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a00009ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd Subject: Re: diagnostician dull
This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXE's.
It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues. Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown" so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose for instance to block them, but not bounce them.
Thanks,
Matt
--- This E-mail
came from the Declude.Virus mailing list. To unsubscribe, just send
an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This
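The classification Matt proposes above (a mismatch between the Content-Type name= and the Content-Disposition filename= becomes its own class, which can be blocked without sending a bannotify-style bounce) as an added Python example. This is not Declude's code and not part of the thread; the policy table, the executable-extension set, and the sample messages are all constructed here. The spam sample mirrors the headers quoted in Matt's post and adds an RFC-folded filename, the second case he mentions, so the example also shows that a proper MIME parser does not mistake a folded header for a bare extension.

```python
import email
import os

# Constructed sample mirroring the thread's spam part (name= says .jpg,
# filename= says .gi) plus a legitimately folded Content-Disposition filename.
SPAM_SAMPLE = """From: sender@example.invalid
To: recipient@example.invalid
Subject: Re: diagnostician dull
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>hello</body></html>
--BOUNDARY
Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <part1@example.invalid>
Content-Disposition: inline; filename="smoky.1.gi"

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a
--BOUNDARY
Content-Type: application/octet-stream; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="report.pdf"

JVBERi0xLjQK
--BOUNDARY--
"""

# Constructed sample of a plain EXE attachment, the case the thread says
# must keep producing a notice to the sender.
EXE_SAMPLE = """From: sender@example.invalid
To: recipient@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: application/octet-stream; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

# Assumption: extensions that warrant a bannotify-style notice to the sender.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd"}

# Proposed policy from the thread: EXE keeps block+notify; a mismatch is its
# own class that is blocked but never bounced, since the sender is usually forged.
POLICY = {
    "exe":        {"block": True,  "notify_sender": True},
    "mismatched": {"block": True,  "notify_sender": False},
    "other":      {"block": False, "notify_sender": False},
}

# The behaviour complained about in the thread: a mismatch is "assumed .exe".
LEGACY_POLICY = dict(POLICY, mismatched=POLICY["exe"])


def extension_of(filename):
    """Lower-case extension without the dot, '' when there is none."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def classify(name, filename):
    """Classify one attachment from its Content-Type name= and Content-Disposition filename=."""
    exts = {extension_of(x) for x in (name, filename) if x}
    if len(exts) > 1:
        return "mismatched"          # the two headers disagree on the extension
    ext = exts.pop() if exts else ""
    return "exe" if ext in EXECUTABLE_EXTENSIONS else "other"


def scan_attachments(raw):
    """Return (name, filename, class) for every non-multipart part carrying a filename."""
    msg = email.message_from_string(raw)  # stdlib parser unfolds folded headers for us
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_param("name")
        filename = part.get_param("filename", header="content-disposition")
        if name is None and filename is None:
            continue                 # body part, not an attachment
        findings.append((name, filename, classify(name, filename)))
    return findings


def decide(raw, policy=POLICY):
    """Apply the policy table: block if any part requires it, notify only if any part's class allows it."""
    findings = scan_attachments(raw)
    classes = {cls for _, _, cls in findings}
    return {
        "block": any(policy[c]["block"] for c in classes),
        "notify_sender": any(policy[c]["notify_sender"] for c in classes),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("exe", EXE_SAMPLE)):
        legacy = decide(raw, LEGACY_POLICY)
        proposed = decide(raw)
        print(label, "legacy notify:", legacy["notify_sender"],
              "proposed notify:", proposed["notify_sender"], proposed["findings"])
```

Run stand-alone, the spam sample is blocked under both policies but only the legacy table would notify the (forged) sender, which is exactly the backscatter the thread describes; the EXE sample is blocked and notified under both. Putting the decision in a table rather than folding the mismatch into the EXE class is what lets an operator choose "block but don't bounce" for the unknown case.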