Matt, please keep us informed about this
bug. I thank you for your diligence.
John T
eServices For You
"Seek, and ye shall
find!"
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, October 02, 2006 11:56 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Here's an update about the attempted workaround.
I added "SKIPIFEXT mismatched.exe" to my bannotify.eml and it didn't
prevent the bounce. It would seem that while Declude is using the EXE
extension from mismatched.exe in determining the bannotify.eml action, it is
not using that file name in the variable that SKIPIFEXT is using.
It appears that there is no way to prevent the backscatter from this besides
maybe turning off bounces for EXE's (which may or may not work), turning off
all banned extension bouncing, or not blocking EXE's altogether. This
definitely needs a solution since none of those options are acceptable nor is
the potential of bouncing so much E-mail.
I know that I can create something to delete these messages on my own system,
but I would still be vulnerable to other exploits by broken spamware, and of
course that's only me and this affects all Declude users that block EXE's and
use bannotify.eml to bounce.
Matt
Colbeck, Andrew wrote:
.. I hope that Declude will agree with Matt's
point that backscatter must be avoided. There is ample
precedent, for example in that the BOUNCE action was renamed to
BOUNCEONLYIFYOUMUST to prevent backscatter.
Andrew.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, October 02, 2006 5:44 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I agree with every one of your points - my intent was
to bring it up that I had reported this issue a long time ago as I also
thought that what was happening was undesirable. However, at the time
Scott did not feel this was a bug. However, times change and backscatter
is a huge issue. Maybe that's enough now to convince for an alteration of
behavior. As my preference would be to handle mismatched exe's as its own
class of which I would not send bannotify messages for.
------------------------------------------------------------------------
Check out http://www.invariantsystems.com
for utilities for Declude And Imail. IMail/Declude Overflow Queue
Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Darrell,
I'm sure that it is desirable to block (when the detection isn't erroring),
however having this handled as if it was an EXE when it comes to the
bannotify.eml is problematic. Backscatter can get you blacklisted, not to
mention it is annoying to get such things for forged E-mail.
I have Virus running after JunkMail and still I have bounced a dozen of these
today alone (which excludes messages that reached my DELETE weight). For
those that run JunkMail before Virus (the default), that number could be in the
hundreds or thousands depending on volume since this comes from a major zombie
spammer. I'm guessing that most are bouncing EXE's that aren't detected
as viruses.
To check this, just search your Virus log for "mismatched.exe".
The behavior needs to be changed so that this doesn't trigger bannotify.eml
bounces. I am testing using "SKIPIFEXT mismatched.exe" in my
bannotify.eml to see if that helps, but this should not bounce such messages by
default as if they were EXE's. It makes sense to give it a unique
extension for these conditions and let us determine what to do with them
instead of lumping it together with actions for EXE's.
Matt
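To put a number on what the suggested log search turns up, here is an added Python pass (not Declude's or Matt's code) over constructed lines modelled on the Declude Virus log format quoted in the thread; the queue ids, sizes and the "Scanned: Clean." line are placeholders. It separates, per day, messages banned only because of an attachment logged as mismatched.exe from messages that carried a real .exe, since only the former are pure backscatter candidates.

```python
import re
from collections import defaultdict

# Constructed lines modelled on the Declude Virus log format shown in the
# thread; queue ids, sizes and the "Scanned: Clean." line are placeholders.
SAMPLE_LOG = """\
10/01/2006 14:03:44.671 q0000000000000001.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q0000000000000001.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q0000000000000001.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:45.421 q0000000000000001.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 15:10:02.100 q0000000000000002.smd MIME file: setup.exe [base64; Length=4096 Checksum=77]
10/01/2006 15:10:02.100 q0000000000000002.smd Banning file with EXE extension [application/octet-stream].
10/01/2006 15:10:02.500 q0000000000000002.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 4200]
10/02/2006 09:00:00.000 q0000000000000003.smd Found file with mismatched extensions [a.jpg-a.gi]; assuming .exe
10/02/2006 09:00:00.000 q0000000000000003.smd MIME file: mismatched.exe [base64; Length=10 Checksum=2]
10/02/2006 09:00:00.300 q0000000000000003.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 20]
10/02/2006 09:05:00.000 q0000000000000004.smd MIME file: [text/plain][7bit; Length=12 Checksum=3]
10/02/2006 09:05:00.100 q0000000000000004.smd Scanned: Clean.
"""

# date, time, queue id (.smd), free text
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) \S+ (\S+\.smd) (.*)$")

def backscatter_candidates(log_text):
    """Group lines by queue id and return {date: sorted [queue ids]} of
    messages banned for an extension whose only .exe was the synthetic
    mismatched.exe, i.e. the ones a bannotify.eml bounce turns into
    backscatter. Messages carrying a real .exe are left out."""
    per_msg = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, qid, text = m.groups()
        rec = per_msg.setdefault(qid, {"date": date, "mismatch": False,
                                       "real_exe": False, "banned": False})
        if text.startswith("MIME file: "):
            fname = text.split()[2].lower()  # e.g. "mismatched.exe"
            if fname.endswith(".exe"):
                if fname == "mismatched.exe":
                    rec["mismatch"] = True
                else:
                    rec["real_exe"] = True
        elif text.startswith("Scanned: Banned file extension"):
            rec["banned"] = True
    out = defaultdict(list)
    for qid, rec in per_msg.items():
        if rec["banned"] and rec["mismatch"] and not rec["real_exe"]:
            out[rec["date"]].append(qid)
    return {d: sorted(q) for d, q in out.items()}
```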
Darrell ([EMAIL PROTECTED]) wrote:
I brought this up to Scott several years ago - and he
said this is not a bug but a by-design issue. He explained a scenario why
this was important and I understood based on the explanation but for the life of
me I can't remember the scenario.
----- Original Message -----
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I just found this bug. Essentially, if the MIME
headers for an attachment are mismatched, Declude "assumes" that it
is an EXE for virus scanning purposes, and this causes EXE triggers such as
bannotify.eml to be triggered. This is especially bad since it is happening
fairly commonly on zombie spam.
For example, here are the MIME headers from the spam sample:
Content-Type: image/jpeg;
name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Disposition: inline;
filename="smoky.1.gi"
You will note the Content-Type being image/jpeg and
the file extension being "gi". Here is what Declude Virus
finds:
10/01/2006 14:03:44.656 q02f8014a00009ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a00009ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd Subject: Re: diagnostician dull
This is clearly not desirable behavior, and I have run
into a related bug previously (that was previously reported) where a filename
that spans two lines (which is RFC compliant when 'folded') will be treated as
an EXE and bounced if you are bouncing non-virus EXE's.
It is absolutely necessary to allow for bannotify.eml bouncing of messages with
EXE extensions because they are commonly received legitimately regardless of
whether they are allowed or not, but to have EXE be the assumed extension at
the same time causes a lot of different issues. Because of this, I would
strongly suggest that Declude assume a different extension when necessary, such
as "unknown" so that we can configure Declude Virus to handle
"unknown" files in a different way. We could choose for
instance to block them, but not bounce them.
Thanks,
Matt
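As an added illustration (not Declude code and not from the thread), here is an attachment classifier that treats the name/filename mismatch from the log above as its own class, "unknown", so that a policy table can block it without bouncing; the sample part is constructed from the headers quoted in the post, and the Content-ID, the control case and the POLICY table are assumptions. It also shows why the folded-filename case mentioned above is not a mismatch once headers are unfolded.

```python
import email
import os

# Constructed sample modelled on the headers quoted in the post; the
# Content-ID is a placeholder. Note the folded (two-line) parameters.
SAMPLE_PART = (
    'Content-Type: image/jpeg;\n'
    ' name="smoky.1.jpg"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-ID: <placeholder@example.invalid>\n'
    'Content-Disposition: inline;\n'
    ' filename="smoky.1.gi"\n'
    '\n'
    '/9j/4AAQSkZJRg==\n'
)

# Constructed control case: a real .exe whose folded filename matches.
REAL_EXE_PART = (
    'Content-Type: application/octet-stream;\n'
    ' name="report.exe"\n'
    'Content-Disposition: attachment;\n'
    ' filename="report.exe"\n'
    '\n'
    'TVo=\n'
)

# Hypothetical per-class policy: .exe is blocked and bounced (the
# bannotify.eml behaviour); "unknown" is blocked but never bounced.
POLICY = {
    "exe": {"block": True, "bounce": True},
    "unknown": {"block": True, "bounce": False},
}
DEFAULT_POLICY = {"block": False, "bounce": False}

def _ext(name):
    """Lower-cased extension without the dot, '' if none."""
    return os.path.splitext(name)[1].lstrip(".").lower() if name else ""

def classify_part(raw):
    """Return (class, Content-Type name, Content-Disposition filename).
    The email parser unfolds continuation lines, so a filename that
    spans two lines is compared whole rather than flagged as a mismatch."""
    part = email.message_from_string(raw)
    ct_name = part.get_param("name", header="content-type")
    cd_name = part.get_param("filename", header="content-disposition")
    if ct_name and cd_name and _ext(ct_name) != _ext(cd_name):
        return "unknown", ct_name, cd_name   # instead of "assuming .exe"
    return _ext(cd_name or ct_name), ct_name, cd_name

def decide(raw):
    """Apply POLICY to the part's class; returns (class, action dict)."""
    cls = classify_part(raw)[0]
    return cls, POLICY.get(cls, DEFAULT_POLICY)
```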
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED],
and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.