[Clamav-users] freshclam's daily.cvd messages not showing
Hello, I'm running clamav (currently version 0.85) on two separate servers and my home notebook and recently noticed odd behavior when running freshclam. While on one server and my notebook it always both displays to the console and logs information about both main.cvd and daily.cvd (i.e. whether they were updated or are up to date), on the other server it only displays that information about main.cvd, though it does log information about both main.cvd and daily.cvd to the log and does update daily.cvd when appropriate.

For example, here is the output from the first, normally operating server:

root ~ # /usr/local/bin/freshclam
ClamAV update process started at Sun May 15 04:49:38 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: ccordes)
root ~ #

while the other server, running the same version of clamav with identical configuration files (as verified by md5sums), displays only:

[EMAIL PROTECTED]:~# /usr/local/bin/freshclam
ClamAV update process started at Sun May 15 04:50:39 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
[EMAIL PROTECTED]:~#

The log files for both, however, are identical (except for times, of course):

[EMAIL PROTECTED]:~# tail -n 4 /var/log/freshclam.log
--
ClamAV update process started at Sun May 15 04:50:39 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: ccordes)

Both installations were compiled from source using identical config options (./configure --sysconfdir=/etc) and with the default optimizations.

I did grep -r 'up to date' in the source directory and found only four occurrences, all in freshclam/manager.c, that consisted of two places where this message is first written to stdout then in the immediate next line apparently logged, so I am at a loss as to how the daily.cvd messages could be logged but not display to the console. I'm no C programmer, though, so perhaps someone who is has a better idea as to what's going on here?

The first (normal) server is a linux virtual machine running under UML on a box with dual Intel Xeon processors. My notebook has a pentium3 processor, and the server where freshclam behaves oddly is an old box with an amd k6-3 processor. The UML server is running a linux 2.4.26 based kernel, while my notebook and the other server currently run linux 2.6.11-7 kernels. If you need any other information let me know.

Thanks,
Zibeli

___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] WORM_MYTOB.EG I am not able to submit pattern
Ramya wrote:
> I have been hit by this virus 19 times as of yesterday WORM_MYTOB.EG. This has been identified as medium risk. I am not able to submit a pattern since the zip is about 2.4MB and when I unzip this file it contains some 3000 odd EML files.. Is there a signature update for this virus..

Yes. There is ALWAYS an update available for any new virus because you can add it yourself, on-the-fly, immediately:

shell# sigtool --md5 infected_file.zip >> /usr/local/share/clamav/some_name.hdb

(sigtool is part of ClamAV and will be wherever you installed clamscan.) Then restart clamd. See the signatures.pdf file in the doc folder for more.
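As an added illustration of what the `sigtool --md5` line above writes into the .hdb file (example code written for this page, not part of ClamAV or of the poster's message): a hash signature is one line of `MD5:FileSize:MalwareName`, and a scanner matches a file by first comparing its size against the database and only then computing the digest. The function names and the sample bytes below are this example's own; the sample is a constructed harmless string, not a real malware file.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample "file" for the demonstration (not malware).
SAMPLE_FILE = b"abc"


def make_hdb_signature(data: bytes, name: str) -> str:
    """Build one ClamAV .hdb line (MD5:FileSize:MalwareName) for file contents.

    This is what `sigtool --md5 <file>` prints for <file>; appending the line
    to a custom .hdb in the database directory adds the hash signature.
    """
    if not name or ":" in name:
        raise ValueError("signature name must be non-empty and contain no ':'")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def signature_for_path(path: str, name: str) -> str:
    """Same as above, reading the file from disk (the sigtool use case)."""
    with open(path, "rb") as fh:
        return make_hdb_signature(fh.read(), name)


def load_hdb(lines: Iterable[str]) -> Dict[Tuple[str, int], str]:
    """Parse .hdb lines into a lookup keyed by (md5, size).

    Blank lines and '#' comments are skipped; a malformed line is an error
    rather than silently ignored, so a typo in a custom database is noticed.
    """
    db: Dict[Tuple[str, int], str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or len(parts[0]) != 32:
            raise ValueError(f"malformed .hdb line: {line!r}")
        md5, size, name = parts
        db[(md5.lower(), int(size))] = name
    return db


def scan(db: Dict[Tuple[str, int], str], data: bytes) -> Optional[str]:
    """Return the matching signature name, or None.

    The size is checked first so that the digest is only computed for files
    whose length appears in the database (the cheap pre-filter that makes
    hash databases scale); the hash then decides.
    """
    size = len(data)
    if not any(s == size for _, s in db):
        return None
    return db.get((hashlib.md5(data).hexdigest(), size))


if __name__ == "__main__":
    sig = make_hdb_signature(SAMPLE_FILE, "Test.Sample")
    print("would append to some_name.hdb:", sig)
    db = load_hdb([sig, "# a comment line", ""])
    print("sample matches:", scan(db, SAMPLE_FILE))
    print("modified sample matches:", scan(db, SAMPLE_FILE + b"!"))
```

Because the signature binds both the digest and the exact size, any change to the file (a recompressed zip, a different attachment order) stops it matching; that is the limitation of hash signatures that the body-based signature types in signatures.pdf address.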
Re: [Clamav-users] Sober.P
Jan Pieter Cornet wrote:
> It looks like the Sober.P virus has a termination date, just like the previous Sober variants had. The cutoff date is suspiciously close to Tue May 10 2005, 0:00 UTC.

More accurate is to say that Sober-P entered hibernation - it's still active on infected machines, not replicating itself, but waiting for an update. The Sober-Q variant was downloaded this way and it's currently responsible for a series of right-wing propaganda spam messages.

Best regards,
Diego d'Ambra
[Clamav-users] database number
What is the current database version from freshclam for people out there? I've been getting a huge number of bounces with german subjects, addressed to people with usernames beginning with 3d (just starting to investigate what is going on with this...) but the past few freshclam runs have shown nothing new. Current output:

# freshclam
ClamAV update process started at Mon May 16 08:24:30 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 879, sigs: 1282, f-level: 4, builder: tkojm)

Platform is FreeBSD, using ClamAV from ports.

-Bart
[Clamav-users] sober.p and german adverts?
Some more info... I see in our amavis logs on our ClamAV system (postfix pre-filter FreeBSD for email) this kind of listing...

/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), [EMAIL PROTECTED] - f-Ge2_bV@address snipped, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0

That address had been hammering us over and over for awhile with sober.p. Now it's become quiet. I notice a huge amount of german messages coming in, getting past the AV and our spam filter. I went into the Exchange server and there was one sample message in one of the recipient mailboxes with the following in the headers:

Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])

The message has the German subject line and the text appears to be just a link to a website...? Perhaps we now know what happened to sober.p?

(anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
Re: [Clamav-users] sober.p and german adverts?
I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting.

Thanks
Mike

On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote:
> Some more info... I see in our amavis logs on our ClamAV system (postfix pre-filter FreeBSD for email) this kind of listing...
>
> /usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), [EMAIL PROTECTED] - f-Ge2_bV@address snipped, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
>
> That address had been hammering us over and over for awhile with sober.p. Now it's become quiet. I notice a huge amount of german messages coming in, getting past the AV and our spam filter. I went into the Exchange server and there was one sample message in one of the recipient mailboxes with the following in the headers:
>
> Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
>
> The message has the German subject line and the text appears to be just a link to a website...? Perhaps we now know what happened to sober.p?
>
> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
> I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting.

I'm new to the sleuthing aspect, so forgive me if I'm offbase here...(education/explanations always welcome! Plus it's made harder because the messages I have to work with are on a Unix system and mangled headers off an Exchange final destination)

I know that usually they alter the headers and spoof (viruses, that is) but I thought it strange that we've been hammered by sober.p with that same address showing up over and over again in our amavis logs:

# grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
16546

Usually it should vary things, I'd think. But then one of the first german gibberish messages I had found in a mailbox had the following right in the header:

Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])

Coincidence? The first set I grepped was the IP of Sober.P's being stopped at the bastion server over the past couple weeks looking for that specific IP name. The second was a sample german message that managed to find its way to the administrator mail account on the exchange server.

I mean,...spoofing I understand, and expect...but is it really coincidental that these just happened to hit that IP? That's why I wondered if maybe there wasn't a link between the two...that sober.p is now a mass mailing spam tool.

Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)
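The grep|grep|wc pipeline above answers one question (how often did one client hit us with one worm). The script below, an added example written for this page and not code from the thread or from amavisd-new, generalises it: it parses "Blocked INFECTED" lines, tallies blocked malware per connecting client, lists clients over a threshold, and counts the distinct envelope senders seen from each client, which is the quick way to see that one stable IP is carrying many faked MAIL FROM addresses. The log lines are constructed in the shape of the line quoted in this thread, with RFC 5737 documentation addresses and example domains; the exact field order is this example's assumption, so adjust the regex to your own amavis log format.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log (shape modelled on the amavisd line quoted in the
# thread; addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
May 16 08:12:03 bastion amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), [192.0.2.7] <alice@example.com> -> <bob@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:09 bastion amavisd[35705]: (35705-11) Blocked INFECTED (Worm.Sober.P), [192.0.2.7] <carol@example.net> -> <dave@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:15 bastion amavisd[35706]: (35706-01) Passed CLEAN, [198.51.100.4] <erin@example.com> -> <bob@example.org>, Hits: 0.1, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:21 bastion amavisd[35705]: (35705-12) Blocked INFECTED (Worm.Sober.P), [192.0.2.7] <frank@example.com> -> <grace@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:30 bastion amavisd[35707]: (35707-02) Blocked INFECTED (Worm.Mytob.EG), [203.0.113.9] <heidi@example.com> -> <bob@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
"""

# Assumed field layout: verdict, status, optional "(malware)", [client IP],
# <envelope sender> -> <recipient>.  Lines of any other shape are skipped.
LINE_RE = re.compile(
    r"amavisd\[\d+\]: \((?P<msgid>[\w-]+)\) (?P<verdict>Blocked|Passed) (?P<status>\w+)"
    r"(?: \((?P<malware>[^)]*)\))?, \[(?P<client>[^\]]+)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one amavis log line, or None if it does not fit."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def infected_by_client(lines: Iterable[str]) -> Dict[str, Counter]:
    """client IP -> Counter of malware names blocked from that client."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "INFECTED":
            out[rec["client"]][rec["malware"]] += 1
    return out


def repeat_offenders(lines: Iterable[str], malware: str, threshold: int) -> List[Tuple[str, int]]:
    """Clients that delivered `malware` at least `threshold` times, sorted by IP.

    This is the grep|grep|wc question asked for every client at once.
    """
    counts = infected_by_client(lines)
    return sorted((c, ctr[malware]) for c, ctr in counts.items() if ctr[malware] >= threshold)


def senders_per_client(lines: Iterable[str], malware: str) -> Dict[str, List[str]]:
    """client IP -> sorted distinct envelope senders that carried `malware`.

    One client with many different senders is a single infected host faking
    MAIL FROM on every message; the connecting IP, not the sender, is the
    stable indicator.
    """
    out: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "INFECTED" and rec["malware"] == malware:
            out[rec["client"]].add(rec["sender"])
    return {client: sorted(senders) for client, senders in out.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, ctr in infected_by_client(lines).items():
        print(client, dict(ctr))
    print("repeat Sober.P sources:", repeat_offenders(lines, "Worm.Sober.P", 2))
    print("faked senders per source:", senders_per_client(lines, "Worm.Sober.P"))
```

Run against a real amavis.log (for example `infected_by_client(open("/var/log/amavis.log"))`), the `senders_per_client` table is the evidence behind the reply further down in this thread that the envelope senders are faked while the 16000 hits come from a handful of infected machines.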
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote:
> Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)

If I remember correctly, a sideline of sober.p is to install sober.q on the infected machine, which then spews these messages.

Matt
Re: [Clamav-users] sober.p and german adverts?
OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage.

Thanks
Mike

I will check the next batch I receive (I hope I don't) for the same address

On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote:
> On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
>> I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting.
>
> I'm new to the sleuthing aspect, so forgive me if I'm offbase here...(education/explanations always welcome! Plus it's made harder because the messages I have to work with are on a Unix system and mangled headers off an Exchange final destination)
>
> I know that usually they alter the headers and spoof (viruses, that is) but I thought it strange that we've been hammered by sober.p with that same address showing up over and over again in our amavis logs:
>
> # grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
> 16546
>
> Usually it should vary things, I'd think. But then one of the first german gibberish messages I had found in a mailbox had the following right in the header:
>
> Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
>
> Coincidence? The first set I grepped was the IP of Sober.P's being stopped at the bastion server over the past couple weeks looking for that specific IP name. The second was a sample german message that managed to find its way to the administrator mail account on the exchange server.
>
> I mean,...spoofing I understand, and expect...but is it really coincidental that these just happened to hit that IP? That's why I wondered if maybe there wasn't a link between the two...that sober.p is now a mass mailing spam tool.
>
> Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)
Re: [Clamav-users] Re: Follow-up on clamav-milter not mailing notice to postmaster
On Sat, 14 May 2005, Dennis Peterson wrote:
> Clam runs fine when properly configured.

And it ran fine for me right up until 0.85.

> Are you asking the developers to compensate for sloppy administration? I think for that you need a

No, what I'm asking for is if it runs one day with certain permissions, it shouldn't fail at the next upgrade without saying something.

> Microsoft product, and it won't be free.

Changing behavior suddenly without warning is behavior I usually associate with Microsoft products. Along with your attitude.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
RE: [Clamav-users] sober.p and german adverts?
Hi

Please see http://www.theregister.co.uk/2005/05/16/sober_spews_spam/

Rgds
John Taylor
Network Security Manager
Synstar

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Blonder
Sent: 16 May 2005 15:00
To: ClamAV users ML
Subject: Re: [Clamav-users] sober.p and german adverts?

> OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage.
>
> Thanks
> Mike
>
> I will check the next batch I receive (I hope I don't) for the same address
>
> On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote:
>> On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
>>> I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting.
>>
>> I'm new to the sleuthing aspect, so forgive me if I'm offbase here...(education/explanations always welcome! Plus it's made harder because the messages I have to work with are on a Unix system and mangled headers off an Exchange final destination)
>>
>> I know that usually they alter the headers and spoof (viruses, that is) but I thought it strange that we've been hammered by sober.p with that same address showing up over and over again in our amavis logs:
>>
>> # grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
>> 16546
>>
>> Usually it should vary things, I'd think. But then one of the first german gibberish messages I had found in a mailbox had the following right in the header:
>>
>> Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
>>
>> Coincidence? The first set I grepped was the IP of Sober.P's being stopped at the bastion server over the past couple weeks looking for that specific IP name. The second was a sample german message that managed to find its way to the administrator mail account on the exchange server.
>>
>> I mean,...spoofing I understand, and expect...but is it really coincidental that these just happened to hit that IP? That's why I wondered if maybe there wasn't a link between the two...that sober.p is now a mass mailing spam tool.
>>
>> Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)
Re: [Clamav-users] Re: Follow-up on clamav-milter not mailing notice to postmaster
Christopher X. Candreva said:
> On Sat, 14 May 2005, Dennis Peterson wrote:
>> Clam runs fine when properly configured.
>
> And it ran fine for me right up until 0.85.
>
>> Are you asking the developers to compensate for sloppy administration? I think for that you need a
>
> No, what I'm asking for is if it runs one day with certain permissions, it shouldn't fail at the next upgrade without saying something.
>
>> Microsoft product, and it won't be free.
>
> Changing behavior suddenly without warning is behavior I usually associate with Microsoft products. Along with your attitude.

So you want code writers who never make a mistake so you don't have to assume any responsibility for your installations. Those coders don't exist, you see, so you are stuck with keeping your systems configured. Get over it.

dp
Re: [Clamav-users] database number
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:27

> What is the current database version from freshclam for people out there?

It's always shown in the bottom line of http://www.clamav.net/

Latest database release is: main.cvd 31 daily.cvd 879
Latest ClamAV stable release is: 0.85

> I've been getting a huge number of bounces with german subjects, addressed to people with usernames beginning with 3d (just starting to investigate what is going on with this...)

3d is = and originates from broken ISO interpretation.

> but the past few freshclam runs have shown nothing new.

Why should clamav point up? Those are just bounces, there is NO worm inside. They are just sent by a worm. There is nothing a virus scanner can do anymore. It's too late now. Write to the abuse account of the originating host, and beg him to reject all messages for unknown users, and not to bounce them. admin.net-abuse.email might be of more help for this problem.

Rainer
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 9:59 AM, Mike Blonder wrote:
> OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage.

Sort of. I can't find oncbuv.com so it's spoofed. The IP actually reverses to a RoadRunner address. I was hammered by the RR address, then administrator had one message in german gibberwocky from that appeared to be from that IP.
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51
>
> Maybe you should have simply entered it into google? I'm quite sure that google would have lead you to the right place. Yes, google can search for german strings too! IMOH ;-)

I did enter it in when I first discovered it, but there were no hits. I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.

>> and the text appears to be just a link to a website...?
>
> Yes, it is. Many of them are pointing to websites of reputable printed newsletters/magazines like Der Spiegel.

Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...or at least not enough to cross the threshold of spam vs. regular mail.

>> Perhaps we now know what happened to sober.p?
>
> See:
> http://www.viruslist.com/en/weblog
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
> Details in german: http://www.heise.de/newsticker/meldung/59562

Well...I'm somewhat proud of myself that so far my hunches and (amateurish) deductions had me on the right track :-)

>> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
>
> Write complaints to the owners of the IP blocks! The MAIL FROM is always faked. The URL-owner is mostly innocent too. Block all mails from dynamic IP. They are 99,99% spam.

Is there a way to do that with the access file/postmap in postfix? Block sender IP's/IP blocks?

I thought it was odd that our hammering from particular sober.p infections were consistent in IP. If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?
Re: [Clamav-users] sober.p and german adverts?
> Block all mails from dynamic IP. They are 99,99% spam.

No they aren't; that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.

--
Cheers
Brian
http://www.abandonmicrosoft.co.uk
RE: [Clamav-users] sober.p and german adverts?
It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links.

Cheers,
Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Silverstrim
Sent: 16 May 2005 16:05
To: ClamAV users ML
Subject: Re: [Clamav-users] sober.p and german adverts?

> On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
>> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51
>>
>> Maybe you should have simply entered it into google? I'm quite sure that google would have lead you to the right place. Yes, google can search for german strings too! IMOH ;-)
>
> I did enter it in when I first discovered it, but there were no hits. I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.
>
>>> and the text appears to be just a link to a website...?
>>
>> Yes, it is. Many of them are pointing to websites of reputable printed newsletters/magazines like Der Spiegel.
>
> Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...or at least not enough to cross the threshold of spam vs. regular mail.
>
>>> Perhaps we now know what happened to sober.p?
>>
>> See:
>> http://www.viruslist.com/en/weblog
>> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
>> Details in german: http://www.heise.de/newsticker/meldung/59562
>
> Well...I'm somewhat proud of myself that so far my hunches and (amateurish) deductions had me on the right track :-)
>
>>> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
>>
>> Write complaints to the owners of the IP blocks! The MAIL FROM is always faked. The URL-owner is mostly innocent too. Block all mails from dynamic IP. They are 99,99% spam.
>
> Is there a way to do that with the access file/postmap in postfix? Block sender IP's/IP blocks?
>
> I thought it was odd that our hammering from particular sober.p infections were consistent in IP. If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?
Re: [Clamav-users] database number
On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote:
> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:27
>
>> What is the current database version from freshclam for people out there?
>
> It's always shown in the bottom line of http://www.clamav.net/
>
> Latest database release is: main.cvd 31 daily.cvd 879
> Latest ClamAV stable release is: 0.85

Thanks for the info. I didn't realize that was there...I knew there were recent threads about versioning problems going around, and began to suspect something was wrong with this one. Apparently not.

>> I've been getting a huge number of bounces with german subjects, addressed to people with usernames beginning with 3d (just starting to investigate what is going on with this...)
>
> 3d is = and originates from broken ISO interpretation.

Figured that. Knew that most bounces/address attempts with that prefix tended to come from viruses.

>> but the past few freshclam runs have shown nothing new.
>
> Why should clamav point up? Those are just bounces, there is NO worm inside. They are just sent by a worm. There is nothing a virus scanner can do anymore. It's too late now.

What I thought we were seeing was an attempt for a virus to propagate. I've had bounces in some mail systems that still contain the virus, or even if they didn't, I hoped that I'd see something change at the bastion server (update virus database, whatever was trying to propagate would suddenly get flagged as a virus instead of get through and become bounce fodder).

> Write to the abuse account of the originating host, and beg him to reject all messages for unknown users, and not to bounce them.

The ones I was searching through were actually undeliverables to nonexistent accounts within our network. I was getting the error messages to follow up on.

-Bart
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 11:08 AM, Randal, Phil wrote:
> It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links.

Thank you, that's my next task when I get a block of time today. Thanks again!
[Clamav-users] Re: custom signature files
> sigtool
> docs/signatures.pdf

Interesting stuff! I had no idea this capability was available.

Hey, has anyone made or run across a signature file that matches all windows executables and all archive formats? Seems like this would be fairly easy to create.

---
Jef

Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/
Re: [Clamav-users] sober.p and german adverts?
Brian Read wrote:
>> Block all mails from dynamic IP. They are 99,99% spam.
>
> No they aren't; that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.

There are reasonable ISP's, (pricewise), with regards to static ranges. There is however the fact that whether the IP's are static or dynamic, business or domestic class, some ISP's, (mentioning no names), impose relay restrictions by the domain part in the *sender* address, if you try doing it the 'relay through ISP's mailhost' way. Which does leave the choice of having the MTA connect directly to retain the correct domain part of the senders mail address.

This bumph about people shouldn't be allowed to run a direct MTA to MTA setup unless they have static IP's is nonsense. One might even say that it is MTA (elitism|snobbery). There are plenty of legitimate MTA setups running on dynamic IP's. A lot of the time they are configured in a better fashion than the service providers own MTA's that most would have them relay through. There really is no legitimate reason for blocking dynamic IP ranges at the outset.

What really does amaze me though, is that these are generally the admins who will turn around and say, 'Don't block (variable), you will lose too much legitimate mail'. Where is the logic in that? They will allow a crappily configured multinational corporation or ISP to connect, yet not give dynamics the slightest chance to prove their reliability.

Matt
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote:
> That address had been hammering us over and over for awhile with sober.p. Now it's become quiet.

Yes. Now the infected hosts are sending out spam containing (very) right-wing political propaganda.

> Perhaps we now know what happened to sober.p?

Yes. The same thing has happened last year, IIRC with another version of sober.

> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)

Those senders are faked.

-thh
Re: [Clamav-users] sober.p and german adverts?
Todd Lyons wrote:
> You should make their ISP's mail servers be the smarthost or relayhost for that customer's mail server.

Oh yes, really. Some ISP's don't allow you to relay mail through them if it's not for @ispdomain.com. They don't allow you to do that so that they can charge you more than your service charge per month for the 'ability to use your own domain name in outgoing mail'. Dream on about using them as a relayhost.

This restriction bit me in the arse with several customers before finding out what the problem was. The fact that the information on this point is buried away, and in no way any reference, or hint, supplied in any 5** responses, doesn't make life any easier.

Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote:
> Brian Read wrote:
>>> Block all mails from dynamic IP. They are 99,99% spam.
>>
>> No they aren't; that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.
>
> There are reasonable ISP's, (pricewise), with regards to static ranges. There is however the fact that whether the IP's are static or dynamic, business or domestic class, some ISP's, (mentioning no names), impose relay restrictions by the domain part in the *sender* address, if you try doing it the 'relay through ISP's mailhost' way. Which does leave the choice of having the MTA connect directly to retain the correct domain part of the senders mail address.
>
> This bumph about people shouldn't be allowed to run a direct MTA to MTA setup unless they have static IP's is nonsense. One might even say that it is MTA (elitism|snobbery). There are plenty of legitimate MTA setups running on dynamic IP's. A lot of the time they are configured in a better fashion than the service providers own MTA's that most would have them relay through. There really is no legitimate reason for blocking dynamic IP ranges at the outset.
>
> What really does amaze me though, is that these are generally the admins who will turn around and say, 'Don't block (variable), you will lose too much legitimate mail'. Where is the logic in that? They will allow a crappily configured multinational corporation or ISP to connect, yet not give dynamics the slightest chance to prove their reliability.
>
> Matt

This email, for instance, was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning.

I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call.

I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness.
Re: [Clamav-users] database number
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:10

Once upon a time Bart Silverstrim shaped the electrons to say...
> On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote:
>> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:27
>>
>>> What is the current database version from freshclam for people out there?
>>
>> It's always shown in the bottom line of http://www.clamav.net/
>>
>> Latest database release is: main.cvd 31 daily.cvd 879
>> Latest ClamAV stable release is: 0.85
>
> Thanks for the info. I didn't realize that was there...

You are not the only one who is having problems with the not very ergonomic design of the clamav web page. There are two flaws IMHO:

- Gray should only be used for *un*important infos, but it is used for important infos and worse main titles(!) too.
- Important infos should be visible without scrolling. If you click one item at top, nothing seems to change, because all changes are shown below...

Just tried again: If I now click http://www.clamav.net/bugs.html#pagestart that item is scrolled up. If I only get the URL http://www.clamav.net/bugs.html; it is not and the page looks like the homepage... (Mozilla 1.7.7)

Rainer
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:05 I did enter it in when I first discovered it, but there were no hits. Ok, next time mention it ;-) I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing. Many of them are pointing to websites of reputable printed newsletters/magazines like Der Spiegel. Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters... There is a list of known subjects which can be fed into SpamAssassin. But in a few days that spam will stop. or at least not enough to cross the threshold of spam vs. regular mail. Write complaints to the owners of the IP blocks! The MAIL FROM is always faked. The URL-owner is mostly innocent too. Block all mails from dynamic IP. They are 99,99% spam. Is there a way to do that with the access file/postmap in postfix? Block sender IP's/IP blocks? Sounds good. There are RBL realtime black lists which list all known dynamic IPs. Another way is to trigger on strings like dial dyn ADSL cable in the reverse name. Rejecting all IPs which do not have an rDNS is helpful too. But have an exact look at the logfiles! I thought it was odd that our hammering from particular sober.p infections were consistent in IP. I scanned our logfile today: there were If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over? They use 16000 different home PCs infected before. TCP IP spoofing is very difficult, and if they could do it, they would use it just to send spam. But too there are bigger engine owned. Rainer
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED](Brian Read) 16.05.05 16:08 Once upon a time Brian Read shaped the electrons to say... Block all mails from dynamic IP. They are 99,99% spam. No they aren't that rule causes quite a few of my customers a headache, That's the missing 0.01% I know. as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs. But most offer a smart host. If not, you have the wrong ISP. To be realistic: It is already not wise to send emails from a dynamic IP to unknown recipients. Too many ISPs reject such mails too, have to reject as the worm traffic has already an unbelievable amount. Rainer
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED](Todd Lyons) 16.05.05 10:14 Brian Read wanted us to know: Block all mails from dynamic IP. They are 99,99% spam. Agreed. No they aren't that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs. You should make their ISP's mail servers be the smarthost or relayhost for that customer's mail server. Some ISP's don't allow you to relay mail through them if it's not for @ispdomain.com. In that case, you should offer them a value add service to relay mail for them and then configure SSL (583) so that they don't have that problem. But very often the domain hoster relays mails for all domains he hosts (that's why he is called domain hoster? ;-)). SMTP AUTH is required, but no problem today. Rainer
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 11:06 AM, Thomas Hochstein wrote: Bart Silverstrim schrieb: That address had been hammering us over and over for a while with sober.p. Now it's become quiet. Yes. Now the infected hosts are sending out spam containing (very) right-wing political propaganda. Don't read German, and haven't had the pleasure of the English versions (yet?)...so, I guess it's another case of I'm not the target audience. (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?) Those senders are faked. Thanks to someone else's posting, I found some regex lists to put into the header_check file for postfix...should put a stop to it. I HATE that solution simply because it's too easy to forget about it and people who may send such headings in the subject line are blocked as well (there are courses here where you never know...the German course may have someone send info on Dresden in 1945...). I also know there can be collateral damage from it. Weigh...invalid bounce, or silently dropping messages that may be legit...hmm... Some days it's just not worth using the Internet anymore. -Bart
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 1:41 PM, John Jolet wrote: This email, for instance was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning. I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call. I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness. Also...what if you don't trust your provider? What if you want to have more control over the spam filtering, the virus handling...data retention...remember, in the US, your ISP records can be searched now without them being able to notify you, and your messages logged from their mail server. Yes, there are ways around it, but why make it really easy for the people the tin-foil-hat brigade fears? And what if you believe that people willing to take responsibility for their connections should be allowed to do so? It's the irresponsible, the lazy, and the foolish that are setting up open relays today. If someone is willing to take the time to wear the sysadmin hat and do it right, they should be able to run their own mail service. The ISP should be just that. Internet Service Provider. Gimme my connection and leave the rest to me, thank you! :-)
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 1:54 PM, Rainer Zocholl wrote: [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:05 I did enter it in when I first discovered it, but there were no hits. Ok, next time mention it ;-) Here I thought it was common sense now! :-) Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters... There is a list of known subjects which can be fed into SpamAssassin. But in a few days that spam will stop. I used someone's advice from the list to add to the header_check file for postfix. Seems to have stemmed the spam. I'm gonna be ticked if it stops now that I just got that all set up... :-/ I thought it was odd that our hammering from particular sober.p infections were consistent in IP. I scanned our logfile today: there were ? Missing part of that? If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over? They use 16000 different home PCs infected before. That one IP showed up in the log as hitting us 16000 times. Unless you're saying there were 16000 PCs all spoofing that same IP. If so, I pity the owner of that IP lease.
Re: [Clamav-users] database number
Rainer Zocholl wrote: There are two flaws IMHO: - Gray should only be used for *un*important infos, but it is used for important infos and worse main titles(!) too. And I thought I rambled on about irrelevant things. - Important infos should be visible without scrolling. If you click one item at top, nothing seems to change, because all changes are shown below... My, would you like someone to volunteer to press the down button for you? For goodness sake, someone has gone to the pain and trouble of designing the site, writing the documentation and making it all available, and you're complaining about colours and having to scroll? Matt
RE: [Clamav-users] database number
Matt Fretwell wrote: Rainer Zocholl wrote: There are two flaws IMHO: - Gray should only be used for *un*important infos, but it is used for important infos and worse main titles(!) too. And I thought I rambled on about irrelevant things. I don't see it as irrelevant as you do. The web page is the face to people that don't know about the product. A well presented web page can attract users just like any other quality of the product. - Important infos should be visible without scrolling. If you click one item at top, nothing seems to change, because all changes are shown below... My, would you like someone to volunteer to press the down button for you? For goodness sake, someone has gone to the pain and trouble of designing the site, writing the documentation and making it all available, and you're complaining about colours and having to scroll? Don't go criticizing clamav.net's next volunteer web designer ;) No, really... Maybe I don't feel what you're talking about because I have a 17" monitor with a resolution of at least 1024x768, but people on 800x600 could have problems noticing that the page actually changed (without the #pagestart anchor). Maybe a smaller header could do the trick. -Samuel
Re: [Clamav-users] sober.p and german adverts?
John Jolet said: Matt Fretwell wrote: This email, for instance was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning. I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call. I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness. Most of the spam I've gotten the last three days is from comcast.net. Apparently they allow their customers to send out to port 25. They should lock that down so that spam goes out through their own servers so they can feel the pain when they are blacklisted for incompetence. If you need to run your own stand-alone mail service you should pay the price for the privilege. Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is. dp
Re: [Clamav-users] sober.p and german adverts?
that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is. Which means all sites running qmail! Yay!
Re: [Clamav-users] sober.p and german adverts?
On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote: John Jolet said: Matt Fretwell wrote: This email, for instance was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning. I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call. I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness. Most of the spam I've gotten the last three days is from comcast.net. Apparently they allow their customers to send out to port 25. They should lock that down so that spam goes out through their own servers so they can feel the pain when they are blacklisted for incompetence. If you need to run your own stand-alone mail service you should pay the price for the privilege. Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is. dp That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email? How about this...I send an email to a client via my isp's mta. There's a problem, but I don't find out about it for 5 days. I lose business. On the other hand, I send the email direct, I've got my installation set to notify me of problems after minutes, not days. I can do that because I'm my only customer.
I know nearly every email that gets sent out and can be very responsive to problems. I should double my fee for that single advantage? Not sure I buy that. That's a microsoft-type business plan. -- John Jolet Technology Solutions Your On-Demand IT Department 512-762-0729 www.jolet.net [EMAIL PROTECTED]
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote: Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is. That, I cannot argue with :) Although if I remember correctly, there are some on this list who are guilty of not filtering outbound. I think, (was it Julian who accused us of it?), misanthropic.admins.org might be a good name :) Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell said: Dennis Peterson wrote: Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is. That, I cannot argue with :) Although if I remember correctly, there are some on this list who are guilty of not filtering outbound. I think, (was it Julian who accused us of it?), misanthropic.admins.org might be a good name :) Matt I like it when they admit it - it helps me populate my access_db file. dp
Re: [Clamav-users] sober.p and german adverts?
John Jolet said: On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote: John Jolet said: Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is. dp That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email? How about this...I send an email to a client via my isp's mta. There's a problem, but I don't find out about it for 5 days. I lose business. On the other hand, I send the email direct, I've got my installation set to notify me of problems after minutes, not days. I can do that because I'm my only customer. I know nearly every email that gets sent out and can be very responsive to problems. I should double my fee for that single advantage? Not sure I buy that. That's a microsoft-type business plan. -- John Jolet How am I to know that you are filtering your mail? If your IP is in the middle of a block of dynamic IP's you are fair game for me to block. The world experience is that Windows drones on dialups or cable/dsl are a major source of spam/viruses. Nothing distinguishes you from them. You get out of that mess by purchasing a fixed IP from an ISP that keeps track of non-dynamic IP's for all of our benefits. Nobody said this was easy or cheap. In Microsoft's plan there would be no room for you to make money.
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote: That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email? How am I to know that you are filtering your mail? If your IP is in the middle of a block of dynamic IP's you are fair game for me to block. The world experience is that Windows drones on dialups or cable/dsl are a major source of spam/viruses. Nothing distinguishes you from them. You get out of that mess by purchasing a fixed IP from an ISP that keeps track of non-dynamic IP's for all of our benefits. Nobody said this was easy or cheap. That is coming back to the dynamic elitist viewpoint. Just as a sideline question on this, how many corporate machines, on static IP ranges, are running outdated, security wise, IIS machines which are guaranteed to spew crap as soon as anything hits? [ price != competence ] Also, this does not take into account the fact that quite a large amount of dynamic ISP accounts are practically static, except in name. I have no problem with blocking a /24 range if attempts are seen from that block of addresses, (static or otherwise), but I still cannot see the point of penalising dynamic IP's just because they are dynamic, without good cause. If one was going down the OS fingerprinting route tallied to a dynamic IP check, then that might be feasible, but a straight block with no absolute reason? Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell said: Dennis Peterson wrote: That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email? How am I to know that you are filtering your mail? If your IP is in the middle of a block of dynamic IP's you are fair game for me to block. The world experience is that Windows drones on dialups or cable/dsl are a major source of spam/viruses. Nothing distinguishes you from them. You get out of that mess by purchasing a fixed IP from an ISP that keeps track of non-dynamic IP's for all of our benefits. Nobody said this was easy or cheap. That is coming back to the dynamic elitist viewpoint. Just as a sideline question on this, how many corporate machines, on static IP ranges, are running outdated, security wise, IIS machines which are guaranteed to spew crap as soon as anything hits? [ price != competence ] We do what we can with what we have, one step at a time. Also, this does not take into account the fact that quite a large amount of dynamic ISP accounts are practically static, except in name. I have no problem with blocking a /24 range if attempts are seen from that block of addresses, (static or otherwise), but I still cannot see the point of penalising dynamic IP's just because they are dynamic, without good cause. If one was going down the OS fingerprinting route tallied to a dynamic IP check, then that might be feasible, but a straight block with no absolute reason? Here's how it works, Matt - if you have a dynamic IP, even one that has a long life time, other people will still block mail from your IP block. That seldom happens if you have a true fixed IP, all other things being equal. And you know what? You have no say in it. It is out of your control. And if the number of Windows drones continues to grow at the current rate you can expect to be blocked pretty damn soon as there's just about nothing else left to do. And I'm ok with that. 
dp
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote: Here's how it works, Matt - if you have a dynamic IP, even one that has a long life time, other people will still block mail from your IP block. That seldom happens if you have a true fixed IP, all other things being equal. And you know what? You have no say in it. It is out of your control. And if the number of Windows drones continues to grow at the current rate you can expect to be blocked pretty damn soon as there's just about nothing else left to do. And I'm ok with that. Just for later 'discussion' purposes, as your headers for this mail will prove, I am on a static IP range. I am not in the same boat as John, but I still would not dream of penalising without a proven, (with regards to what my own logs say), reason. The really annoying thing is, it is easy to set up an automated system to add offending IP's or IP blocks to your own local rbl's, so any IP, whether it be dynamic or static has a one shot chance. There is no need to block outright from the outset. Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell said: Dennis Peterson wrote: Here's how it works, Matt - if you have a dynamic IP, even one that has a long life time, other people will still block mail from your IP block. That seldom happens if you have a true fixed IP, all other things being equal. And you know what? You have no say in it. It is out of your control. And if the number of Windows drones continues to grow at the current rate you can expect to be blocked pretty damn soon as there's just about nothing else left to do. And I'm ok with that. Just for later 'discussion' purposes, as your headers for this mail will prove, I am on a static IP range. I'm using you in the generic sense for discussion. Not referring to you, Matt. I could have been more clear on that. I am not in the same boat as John, but I still would not dream of penalising without a proven, (with regards to what my own logs say), reason. The really annoying thing is, it is easy to set up an automated system to add offending IP's or IP blocks to your own local rbl's, so any IP, whether it be dynamic or static has a one shot chance. There is no need to block outright from the outset. As I mentioned earlier, I'm getting slammed from comcast.net from relays all over the US. It is far easier to block by obvious dsl/cable host identifiers than to spend hours trying to figure out what /24 IP ranges to tweak. I see the problem as comcast's, not mine. Your mileage may vary - I know mine did. dp
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote: There is no need to block outright from the outset. As I mentioned earlier, I'm getting slammed from comcast.net from relays all over the US. It is far easier to block by obvious dsl/cable host identifiers than to spend hours trying to figure out what /24 IP ranges to tweak. I see the problem as comcast's, not mine. Your mileage may vary - I know mine did. The point with the above is different. Comcast had the initial, with you, opportunity and made a mess of it. With that level of abuse, if it's related to their network in any way or form, it would be blocked. Even I wouldn't bother with a /24 block for that level of abuse. By that point, I would merrily block their entire network, rhsbl and rbl, without giving it a second thought. There is no need to blanket ban every other provider's dsl yet, though :) All the best, Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote: There is no need to blanket ban every other provider's dsl yet, though :) Just as a side note, here are a couple of links for Postfix header checks for this german spam outbreak. http://archives.neohapsis.com/archives/postfix/2005-05/1377.html http://www.heise.de/newsticker/foren/go.shtml?read=1&msg_id=7992046&forum_id=78695 Matt
Re: [Clamav-users] /dev/console Permission in ClamAV 0.85
The /dev/console permission problem seems to be solved in the just-released ClamAV 0.85.1. Thank you. On Mon, 16 May 2005 12:12:09 +0800 imacat [EMAIL PROTECTED] wrote: Sorry, I did not notice that I had disabled this list, and am wondering why there is no response on my previous post. And while I'm reading the archive I did not notice that the search box is at the bottom. So I browse several pages and decided to write a more diagnostic mail and maybe with a patch to it in replace of my previous rush one. Sorry for the bothering and thanks that it is solved in CVS. On Sun, 15 May 2005 22:54:24 -0500 (CDT) Damian Menscher [EMAIL PROTECTED] wrote: On Sun, 15 May 2005, imacat wrote: [EMAIL PROTECTED]:~# /dev/console: Permission denied It's considered polite to at least look at the past week's worth of subject lines before posting to an email list with hundreds of recipients. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- -- imacat ^_*' [EMAIL PROTECTED] PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt Tavern IMACAT's http://www.imacat.idv.tw/ Woman's Voice http://www.wov.idv.tw/ TLUG List Manager http://www.linux.org.tw/mailman/listinfo/tlug -- Best regards, imacat ^_*' [EMAIL PROTECTED] PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt Woman's Voice News: http://www.wov.idv.tw/ Tavern IMACAT's: http://www.imacat.idv.tw/ TLUG List Manager: http://www.linux.org.tw/mailman/listinfo/tlug
Re: [Clamav-users] sober.p and german adverts?
Brian Read wrote: Block all mails from dynamic IP. They are 99,99% spam. No they aren't that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs. I wind up blocking mail from people like that for an entirely different reason. Basic DNS checking against the HELO string to be sure it resolves to the IP address the connection's actually coming from. I couldn't imagine how much spam I don't even have to waste cycles filtering as a result. :-) Mind you, I wind up having to send "your mailserver isn't configured right" messages to some sites. But the reduction in the noise is well worth it. This attack, for example, would all but be completely blocked without a single invocation of SpamAssassin. :-) Unless of course they luck out and infect a PC that has a proper mail config. :-\ Bill
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote: Brian Read wrote: Block all mails from dynamic IP. They are 99,99% spam. No they aren't that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs. [...] This bumph about people shouldn't be allowed to run a direct MTA to MTA setup unless they have static IP's is nonsense. One might even say that it is MTA (elitism|snobbery). There are plenty of legitimate MTA setups running on dynamic IP's. [...] What really does amaze me though, is that these are generally the admins who will turn around and say, 'Don't block (variable), you will lose too much legitimate mail'. Where is the logic in that? They will allow a crappily configured multinational corporation or ISP to connect, yet not give dynamics the slightest chance to prove their reliability. I don't think it's a matter of reliability... it's more an issue of accountability and traceability. How can one trace back to a dynamically IP'ed MTA when it's dynamic? DynDNS doesn't prove itself in the majority of cases, or isn't even used. Some of these are even worse because the mail is coming from a NAT'ed host from behind a dyn IP firewall, which won't even allow return messages -- and I suspect this is extremely common. Kind of like an inverse roach motel for email. I don't disagree that there may well be many people running wholesome MTAs on dynamic IP's that suffer for the rest. But it's that rest we're all concerned with. I honestly wonder whether an authorization framework such as SPF would be the salvation of such setups... permitting them to prove themselves worthy without the need for static IP addresses. But until that time comes, any host who appears to lie about its identity by giving a host name that doesn't match its visible IP address is getting the door slammed in its face by my MTA. YMMV.
Bill Matt
Re: [Clamav-users] sober.p and german adverts?
On Mon, 16 May 2005, Matt Fretwell wrote: Dennis Peterson wrote: The world experience is that Windows drones on dialups or cable/dsl are a major source of spam/viruses. That is coming back to the dynamic elitist viewpoint. I agree with both of you, actually. In theory, of course, Matt is right. If you're doing everything properly, you shouldn't be punished. On the other hand, given a limited amount of time to mess with e-mail, blocking all dynamic traffic proves to be an incredibly effective, efficient, and accurate means of blocking spam. If you configure your error messages properly and have a decent exception policy, smart, competent people like Matt are going to be able to work around the system with a minimum of fuss while Dennis is still protected from those other 99.9% of users. A lot of idealism goes down the tubes when confronted with the real world, but there are compromises you can make that, while imperfect, get you to a place where everything functions reasonably. -jef
Re: [Clamav-users] sober.p and german adverts?
Bill Taroli: I wind up blocking mail from people like that for an entirely different reason. Basic DNS checking against the HELO string to be sure it resolves to the IP address the connection's actually coming from. There are a few different ways to do DNS checks. I haven't seen this particular one suggested before. The correct check is: fDNS(rDNS(IP)) == IP However, this check doesn't actually do very much; it just ensures that the IP address exists in the DNS system. The typical broken check is: rDNS(fDNS(HELO)) == HELO This is wrong for a number of reasons, the main one being that not everyone has control of their reverse-DNS mapping. And in this terminology, you're doing: fDNS(HELO) == IP That's a little better than the broken version, since you're comparing IP addresses. But it's still a bad idea to use HELO. For example, what if the mail sender likes to masquerade as example.com even though it is actually mail.example.com? If those two names have different IP addresses, then your check will reject the connection. Anyway, how many connections/day are you using this check on? I find DNS checks to be fairly expensive due to how long they take, on the average. Most of them return quickly but a substantial minority go to a broken DNS server and take the full time-out period. Because of this I use DNS-based anti-spam measures late in the checking process, while it sounds like you are using this as your first line of defense. And finally, if you want to run a check on the HELO string, I find that just rejecting outside connections that claim a HELO of your own hostname gets rid of a very high proportion of crapmail. This very simple check is successful enough that I'll probably publish a notme_milter at some point after spfmilter gets out of beta status. --- Jef Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/
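Bill's HELO check (a few posts up) and the three relationships Jef writes out here, as an added example that is not code from either poster: a small Python module that runs each check, plus the "HELO is our own hostname" test Jef recommends, against a constructed zone. The hostnames and documentation-range addresses are made up, and the fdns/rdns functions stand in for real resolver calls and are meant to be replaced. It also works through the example.com versus mail.example.com case Jef describes: that sender round-trips cleanly on its IP but fails the fDNS(HELO) == IP check. Beyond the posts, it accepts an address literal in the HELO ([192.0.2.10] or [IPv6:...]), which RFC 5321 permits and a bare name lookup would otherwise reject.

```python
"""Connection-time DNS and HELO checks, as discussed in the thread (added example).

The three relationships between the peer IP, its reverse name and the HELO string:
    fDNS(rDNS(IP))   == IP     the check Jef calls correct
    rDNS(fDNS(HELO)) == HELO   the check Jef calls broken (needs control of the reverse zone)
    fDNS(HELO)       == IP     Bill's check: the HELO name must resolve to the peer
plus the cheap one: an outside connection whose HELO is one of our own hostnames.

Lookups go through two injectable functions so the module runs offline against a
constructed zone; pass real resolver calls to use it on live traffic.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed zone data (hypothetical names, documentation-range addresses).
FORWARD: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],            # the real MTA
    "example.com": ["192.0.2.80"],                 # the web host, not the MTA
    "host-12.dyn.example.net": ["198.51.100.12"],  # a dynamic-pool host
    "mx.ourdomain.example": ["203.0.113.25"],      # our own MX
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.80": "example.com",
    "198.51.100.12": "host-12.dyn.example.net",
    "203.0.113.25": "mx.ourdomain.example",
    # 198.51.100.99 deliberately has no PTR record
}

Fdns = Callable[[str], List[str]]
Rdns = Callable[[str], Optional[str]]


def _norm(name: str) -> str:
    """Case-fold and drop a trailing dot so names compare the way DNS treats them."""
    return name.strip().lower().rstrip(".")


def fdns(name: str) -> List[str]:
    """Forward lookup against the constructed zone (A records for a name)."""
    return FORWARD.get(_norm(name), [])


def rdns(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed zone (PTR name for an address)."""
    return REVERSE.get(ip)


def helo_addresses(helo: str, fdns: Fdns = fdns) -> List[str]:
    """Addresses a HELO argument stands for: the name's A records, or the address
    itself when the HELO is an address literal such as [192.0.2.10] or [IPv6:2001:db8::1]."""
    m = re.fullmatch(r"\[(.+)\]", helo.strip())
    if not m:
        return fdns(helo)
    literal = m.group(1)
    if literal.lower().startswith("ipv6:"):
        literal = literal[5:]
    try:
        return [str(ipaddress.ip_address(literal))]
    except ValueError:          # malformed literal: resolves to nothing
        return []


def ip_roundtrips(ip: str, fdns: Fdns = fdns, rdns: Rdns = rdns) -> bool:
    """fDNS(rDNS(IP)) == IP: the peer's PTR name resolves back to the peer."""
    ptr = rdns(ip)
    return ptr is not None and ip in fdns(ptr)


def helo_roundtrips(helo: str, fdns: Fdns = fdns, rdns: Rdns = rdns) -> bool:
    """rDNS(fDNS(HELO)) == HELO: fails for any sender who does not control reverse DNS."""
    return any(_norm(rdns(a) or "") == _norm(helo) for a in fdns(helo))


def helo_matches_peer(helo: str, ip: str, fdns: Fdns = fdns) -> bool:
    """fDNS(HELO) == IP: the HELO name (or literal) resolves to the connecting address."""
    return ip in helo_addresses(helo, fdns)


def helo_claims_our_name(helo: str, our_names: List[str]) -> bool:
    """The cheap check: a remote peer announcing itself with one of our hostnames."""
    return _norm(helo) in {_norm(n) for n in our_names}


def evaluate(helo: str, ip: str, our_names: List[str],
             fdns: Fdns = fdns, rdns: Rdns = rdns) -> Dict[str, bool]:
    """Run all four checks for one connection and report each result separately,
    so policy (reject, defer, score) can be decided per check."""
    return {
        "ip_roundtrips": ip_roundtrips(ip, fdns, rdns),
        "helo_roundtrips": helo_roundtrips(helo, fdns, rdns),
        "helo_matches_peer": helo_matches_peer(helo, ip, fdns),
        "helo_claims_our_name": helo_claims_our_name(helo, our_names),
    }


if __name__ == "__main__":
    ours = ["mx.ourdomain.example"]
    cases = [
        ("mail.example.com", "192.0.2.10"),         # well-configured sender
        ("example.com", "192.0.2.10"),              # Jef's masquerade case
        ("[192.0.2.10]", "192.0.2.10"),             # address literal
        ("mx.ourdomain.example", "198.51.100.99"),  # claims to be us, no PTR
        ("host-12.dyn.example.net", "198.51.100.12"),
    ]
    for helo, ip in cases:
        print(f"{helo:26} {ip:15} {evaluate(helo, ip, ours)}")
```

Because each check is reported separately, the caller can do what Jef suggests: reject on the cheap hostname check right away and keep the DNS-dependent ones for late in the pipeline, where a resolver that times out costs the least.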
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell said:
> Dennis Peterson wrote:
>> There is no need to block outright from the outset. As I mentioned earlier, I'm getting slammed from comcast.net from relays all over the US. It is far easier to block by obvious dsl/cable host identifiers than to spend hours trying to figure out what /24 IP ranges to tweak. I see the problem as Comcast's, not mine. Your mileage may vary - I know mine did.
>
> The point with the above is different. Comcast had the initial opportunity, with you, and made a mess of it. With that level of abuse, if it's related to their network in any way or form, it would be blocked. Even I wouldn't bother with a /24 block for that level of abuse. By that point, I would merrily block their entire network, rhsbl and rbl, without giving it a second thought. There is no need to blanket ban every other provider's dsl yet, though :)

I'm just getting over a heart attack - I don't have time to play around with these bastids. Time's become way too important to be playing around with class C address space - I'm taking out whole nations now :-)

dp
[Clamav-users] Freshclam fall back to HTTP
All,

I cannot run freshclam in DNS mode; it always falls back to HTTP. Below is the message from my machine:

    [EMAIL PROTECTED] root]# freshclam
    ClamAV update process started at Tue May 17 12:43:32 2005
    WARNING: DNS record is older than 3 hours.
    WARNING: Invalid DNS reply. Falling back to HTTP mode.
    Reading CVD header (main.cvd): OK (IMS)
    main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
    Reading CVD header (daily.cvd): OK (IMS)
    daily.cvd is up to date (version: 880, sigs: 1312, f-level: 5, builder: ccordes)

Then I checked the DNS resolution:

--- SNIP ---
    [EMAIL PROTECTED] root]# host -t txt current.cvd.clamav.net
    current.cvd.clamav.net text 0.85.1:31:881:1116300541:0

    [EMAIL PROTECTED] root]# nslookup current.cvd.clamav.net
    Server:  202.155.0.10
    Address: 202.155.0.10#53

    Non-authoritative answer:
    *** Can't find current.cvd.clamav.net: No answer

-- Compare to resolving yahoo.com ---
    [EMAIL PROTECTED] root]# nslookup yahoo.com
    Server:  202.155.0.10
    Address: 202.155.0.10#53

    Non-authoritative answer:
    Name:    yahoo.com
    Address: 66.94.234.13
    Name:    yahoo.com
    Address: 216.109.112.135
---

The DNS can get the TXT record (not the A record) of current.cvd.clamav.net, but why can't freshclam run in DNS mode? What should I fix?

Your answer is very much appreciated.

Thx
Rgds,
Awie
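As an added example (not freshclam's own code), the following parses the TXT record quoted above and reproduces the two fallback conditions freshclam printed, a stale record and an unparsable reply. The field layout used here is an assumption drawn from the message itself: the second and third fields agree with the main.cvd version freshclam reported (31) and with a daily.cvd version one ahead of the locally held 880, and the fourth field is read as a Unix timestamp; the meaning of the fifth field is not stated on the page and is kept raw. The "now" values are constructed relative to the record's own timestamp, not taken from the poster's clock.

```python
"""Added example: parse the current.cvd.clamav.net TXT record and mirror
freshclam's DNS-mode fallback logic. Not freshclam's code; field meanings
are inferred from the message, as noted below."""
from datetime import datetime, timedelta, timezone

# Copied from the `host -t txt` output in the message above.
TXT_RECORD = "0.85.1:31:881:1116300541:0"
MAX_AGE = timedelta(hours=3)  # the "older than 3 hours" threshold freshclam warned about


def parse_record(txt):
    """Split the colon-separated TXT record into its fields.

    Assumed layout: ClamAV version, main.cvd version, daily.cvd version,
    Unix timestamp of the record, then any further fields kept raw. A record
    that does not fit is rejected, the way freshclam reports an
    'Invalid DNS reply'."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 4:
        raise ValueError("invalid DNS reply: %r" % txt)
    try:
        main, daily, stamp = int(fields[1]), int(fields[2]), int(fields[3])
    except ValueError:
        raise ValueError("invalid DNS reply: non-numeric field in %r" % txt)
    return {
        "clamav_version": fields[0],
        "main": main,
        "daily": daily,
        "issued": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "extra": fields[4:],  # meaning not given on the page; left as-is
    }


def hours_after(when, hours):
    """Build a constructed 'now' relative to the record timestamp."""
    return when + timedelta(hours=hours)


def decide(txt, local_main, local_daily, now):
    """Unparsable or stale record: fall back to HTTP and read the CVD
    headers from the mirror. Otherwise the record alone says whether
    main.cvd or daily.cvd needs fetching."""
    try:
        rec = parse_record(txt)
    except ValueError as exc:
        return {"mode": "http", "reason": str(exc)}
    age = now - rec["issued"]
    if age > MAX_AGE:
        return {"mode": "http", "reason": "DNS record is older than 3 hours", "age": age}
    return {
        "mode": "dns",
        "age": age,
        "update_main": rec["main"] > local_main,
        "update_daily": rec["daily"] > local_daily,
    }


if __name__ == "__main__":
    rec = parse_record(TXT_RECORD)
    print("record issued", rec["issued"].isoformat())
    # local versions taken from the freshclam output in the message: main 31, daily 880
    print(decide(TXT_RECORD, 31, 880, hours_after(rec["issued"], 2)))
    print(decide(TXT_RECORD, 31, 880, hours_after(rec["issued"], 4)))
    print(decide("No answer", 31, 880, rec["issued"]))
```

With a fresh record the DNS path reports that daily.cvd 881 is available while main.cvd 31 is current; with the same record four hours later, or with the "No answer" text an A-record query returns, the decision is HTTP fallback. Whether the real freshclam checks age before or after parsing is not visible on the page; this example checks parseability first because a record that cannot be parsed has no age to test.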
[Clamav-users] Rene Berber infected?
I've been getting plenty of those German spams, and they're almost all coming from prod-infinitum.com.mx. Interestingly, I got one that spoofed its From: header as [EMAIL PROTECTED], which indicates that an active clamav user is infected. So, I did the obvious thing and grepped for that domain in my mailspool. It turns up one hit, for Rene Berber. Could you check your machines please?

(Yes, I realize this is circumstantial evidence, but that netblock isn't exactly huge, and the [EMAIL PROTECTED] address that was spoofed makes it pretty unlikely that it was some random person.)

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-