[Clamav-users] freshclam's daily.cvd messages not showing

2005-05-16 Thread Zibeli Aton
Hello,

I'm running clamav (currently version 0.85) on two separate servers and my 
home notebook and recently noticed odd behavior when running freshclam.  
While on one server and my notebook it always both displays to the console 
and logs information about both main.cvd and daily.cvd (i.e. whether they 
were updated or are up to date), on the other server it only displays that 
information about main.cvd, though it does log information about both 
main.cvd and daily.cvd to the log and does update daily.cvd when 
appropriate.  For example, here is the output from the first, normally 
operating server:

root ~ # /usr/local/bin/freshclam 
ClamAV update process started at Sun May 15 04:49:38 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: 
tkojm)
daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: 
ccordes)
root ~ # 

while the other server, running the same version of clamav with identical 
configuration files (as verified by md5sums), displays only:

[EMAIL PROTECTED]:~# /usr/local/bin/freshclam
ClamAV update process started at Sun May 15 04:50:39 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: 
tkojm)
[EMAIL PROTECTED]:~# 

The log files for both, however, are identical (except for times, of 
course):

[EMAIL PROTECTED]:~# tail -n 4 /var/log/freshclam.log 
--
ClamAV update process started at Sun May 15 04:50:39 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: 
tkojm)
daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: 
ccordes)

Both installations were compiled from source using identical config 
options (./configure --sysconfdir=/etc) and with the default 
optimizations.  I did grep -r 'up to date' in the source directory and 
find only four occurrences, all in freshclam/manager.c, that consisted of 
two places where this message is first written to stdout then in the 
immediate next line apparently logged, so I am at a loss as to how the 
daily.cvd messages could be logged but not display to the console.  I'm no 
C programmer, though, so perhaps someone who is has a better idea as to 
what's going on here?

The first (normal) server is a linux virtual machine running under UML 
on a box with dual Intel Xeon processors.  My notebook has a pentium3 
processor, and the server where freshclam behaves oddly is an old box with 
an amd k6-3 processor.  The UML server is running a linux 2.4.26 based 
kernel, while my notebook and the other server currently run linux 
2.6.11-7 kernels.  If you need any other information let me know.

Thanks,
Zibeli

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] WORM_MYTOB.EG I am not able to submit pattern

2005-05-16 Thread Ted Fines
Ramya wrote:
I have been hit by this virus 19 times as of yesterday WORM_MYTOB.EG. 
This has been identified as medium risk. I am not able to submit 
a pattern since the zip is about 2.4MB and when I unzip this file it 
contains some 3000 odd EML files.
Is there a signature update for this virus?

Yes.  There is ALWAYS an update available for any new virus because you 
can add it yourself, on-the-fly, immediately:

shell# sigtool --md5 infected_file.zip > /usr/local/share/clamav/some_name.hdb

(sigtool is part of ClamAV and will be wherever you installed clamscan.)
Then restart clamd.
See the signatures.pdf file in the doc folder for more.
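As an added illustration (not Ted's code and not ClamAV's own implementation): the line `sigtool --md5` writes into the .hdb file has the form `MD5:size:name`, and the Python below re-implements that lookup so the effect of a self-made hash signature can be tried offline, including why it only catches a byte-identical file. The sample bytes, the signature name and the helper names are constructed for this example.

```python
# Added example: build and match a ClamAV-style .hdb hash signature.
# Minimal re-implementation of the MD5:size:name lookup, not ClamAV code.
import hashlib
import os
import re
import tempfile

# One .hdb entry per line: 32 hex chars, decimal size, signature name.
HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(\S+)$")


def hdb_line_for(path, name):
    """Return the line `sigtool --md5 <file>` prints, labelled `name`."""
    with open(path, "rb") as fh:
        data = fh.read()
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_hdb(text):
    """Parse .hdb text into {(md5, size): name}.

    Blank lines and '#' comments are skipped; a malformed line is an error
    rather than a silently ignored signature.
    """
    sigs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HDB_LINE.match(line)
        if not m:
            raise ValueError(f"malformed .hdb line {lineno}: {line!r}")
        digest, size, name = m.groups()
        sigs[(digest.lower(), int(size))] = name
    return sigs


def scan_file(path, sigs):
    """Return the signature name if (md5, size) of `path` is in sigs, else None.

    The size is compared first so the hash is only computed when it could
    possibly match, which is also why a hash signature carries the size.
    """
    size = os.path.getsize(path)
    if not any(s == size for _, s in sigs):
        return None
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest()
    return sigs.get((digest, size))


def demo():
    """Write a constructed sample, sign it, then scan it and a modified copy."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "infected_file.zip")
        with open(sample, "wb") as fh:
            # Constructed bytes; only the 'PK' prefix resembles a zip.
            fh.write(b"PK\x03\x04 constructed sample, not a real worm\n")
        sigs = parse_hdb(hdb_line_for(sample, "Worm.Constructed.Sample") + "\n")
        hit = scan_file(sample, sigs)

        # A hash signature is exact: one extra byte and it no longer matches,
        # which is the caveat of "add it yourself" for a worm that re-packs.
        variant = os.path.join(tmp, "variant.zip")
        with open(variant, "wb") as fh:
            fh.write(b"PK\x03\x04 constructed sample, not a real worm!\n")
        miss = scan_file(variant, sigs)
    return hit, miss


if __name__ == "__main__":
    print(demo())
```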


Re: [Clamav-users] Sober.P

2005-05-16 Thread Diego d'Ambra
Jan Pieter Cornet wrote:
It looks like the Sober.P virus has a termination date, just like the
previous Sober variants had. The cutoff date is suspiciously close to
Tue May 10 2005, 0:00 UTC.
More accurate is to say that Sober-P entered hibernation - it's still 
active on infected machines, not replicating itself, but waiting for an 
update.

The Sober-Q variant was downloaded this way and it's currently 
responsible for a series of rightwing propaganda spam messages.

Best regards,
Diego d'Ambra


[Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
What is the current database version from freshclam for people out 
there?  I've been getting a huge number of bounces with german 
subjects, addressed to people with usernames beginning with 3d (just 
starting to investigate what is going on with this...) but the past few 
freshclam runs have shown nothing new.

Current output:
# freshclam
ClamAV update process started at Mon May 16 08:24:30 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: 
tkojm)
daily.cvd is up to date (version: 879, sigs: 1282, f-level: 4, builder: 
tkojm)

Platform is FreeBSD, using ClamAV from ports.
-Bart


[Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
Some more info...
I see in our amavis logs on our ClamAV system (postfix pre-filter 
FreeBSD for email) this kind of listing...
/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED 
(Worm.Sober.P), [EMAIL PROTECTED] - 
f-Ge2_bV@address snipped, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0

That address had been hammering us over and over for awhile with 
sober.p.  Now it's become quiet.

I notice a huge amount of german messages coming in, getting past the 
AV and our spam filter.  I went into the Exchange server and there was 
one sample message in one of the recipient mailboxes with the following 
in the headers:

Received: from oncsbuv.com 
(aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])

The message has the German subject line and the text appears to be just 
a link to a website...?

Perhaps we now know what happened to sober.p?
(anyone know offhand how to use the access file for postfix to reject a 
message by *sender* instead of recipient?)



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Mike Blonder
I am also getting inundated with German gibberish spam. Would you mind 
explaining the significance (if any) of the email address that you posted? I 
am finding that the German Gibberish garbage is spoofing a different email 
address with each posting.

Thanks

Mike

On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote:
 
 Some more info...
 
 I see in our amavis logs on our ClamAV system (postfix pre-filter
 FreeBSD for email) this kind of listing...
 /usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED
 (Worm.Sober.P), [EMAIL PROTECTED] -
 f-Ge2_bV@address snipped, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
 
 That address had been hammering us over and over for awhile with
 sober.p. Now it's become quiet.
 
 I notice a huge amount of german messages coming in, getting past the
 AV and our spam filter. I went into the Exchange server and there was
 one sample message in one of the recipient mailboxes with the following
 in the headers:
 
 Received: from oncsbuv.com
 (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
 
 The message has the German subject line and the text appears to be just
 a link to a website...?
 
 Perhaps we now know what happened to sober.p?
 
 (anyone know offhand how to use the access file for postfix to reject a
 message by *sender* instead of recipient?)
 


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
I am also getting inundated with German gibberish spam. Would you mind
explaining the significance (if any) of the email address that you  
posted? I
am finding that the German Gibberish garbage is spoofing a different  
email
address with each posting.
I'm new to the sleuthing aspect, so forgive me if I'm offbase  
here...(education/explanations always welcome!  Plus it's made harder  
because the messages I have to work with are on a Unix system and  
mangled headers off an Exchange final destination)

I know that usually they alter the headers and spoof (viruses, that is)  
but I thought it strange that we've been hammered by sober.p with that  
same address showing up over and over again in our amavis logs :
# grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
16546

Usually it should vary things, I'd think.  But then one of the first  
german gibberish messages I had found in a mailbox had the following  
right in the header:
Received: from oncsbuv.com
(aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
Coincidence?  The first set I grepped was the IP of Sober.P's being  
stopped at the bastion server over the past couple weeks looking for  
that specific IP name.  The second was a sample german message that  
managed to find its way to the administrator mail account on the  
exchange server.

I mean,...spoofing I understand, and expect...but is it really  
coincidental that these just happened to hit that IP?  That's why I  
wondered if maybe there wasn't a link between the two...that sober.p is  
now a mass mailing spam tool.

Are there any analysis papers out on sober.p yet?  And can anyone else  
corroborate the theory I have, or am I totally off-base here?  I'm  
still trying to figure it out from what I can piece together between  
phone calls for other tasks here :-)

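The grep | wc -l count in the post above, done in one pass over amavisd log lines and broken down per signature, per connecting IP and per envelope sender (added example, not code from the thread). The log lines are constructed, and the layout assumed for them, "(id) Blocked INFECTED (Name), [ip] <from> -> <to>, ...", is an assumption about amavisd-new's format rather than a copy of the poster's redacted lines; the function names are invented here.

```python
# Added example: tally amavisd "Blocked INFECTED" events from a log excerpt.
import re
from collections import Counter

# Assumed amavisd-new layout: client IP in brackets, envelope addresses in <>.
BLOCKED = re.compile(
    r"Blocked INFECTED \((?P<sig>[^)]+)\), "
    r"\[(?P<ip>[0-9.]+)\] "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)

# Constructed sample log; the Sober.P source IP is the one named in the thread,
# the second signature name is a placeholder, not a real ClamAV name.
SAMPLE_LOG = """\
May 16 08:01:02 mx amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), [24.25.128.223] <alice@example.net> -> <bob@example.org>, Hits: -, tag=0, tag2=4, kill=4
May 16 08:01:09 mx amavisd[35705]: (35705-11) Blocked INFECTED (Worm.Sober.P), [24.25.128.223] <carol@example.com> -> <dave@example.org>, Hits: -, tag=0, tag2=4, kill=4
May 16 08:02:13 mx amavisd[35706]: (35706-01) Blocked INFECTED (Worm.Sober.P), [24.25.128.223] <erin@example.edu> -> <bob@example.org>, Hits: -, tag=0, tag2=4, kill=4
May 16 08:03:44 mx amavisd[35706]: (35706-02) Passed CLEAN, [192.0.2.10] <frank@example.org> -> <bob@example.org>, Hits: 0.3, tag=0, tag2=4, kill=4
May 16 08:05:01 mx amavisd[35707]: (35707-01) Blocked INFECTED (Worm.Example.Constructed), [198.51.100.7] <alice@example.net> -> <bob@example.org>, Hits: -, tag=0, tag2=4, kill=4
"""


def tally(log_text):
    """Return (by_sig, by_ip, by_sender) Counters over blocked-infected lines.

    by_ip and by_sender are keyed by (signature, value) so one signature's
    sources can be compared without mixing in other detections.
    """
    by_sig, by_ip, by_sender = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = BLOCKED.search(line)
        if not m:
            continue  # "Passed CLEAN" and anything else is not a detection
        sig, ip, sender = m.group("sig", "ip", "sender")
        by_sig[sig] += 1
        by_ip[(sig, ip)] += 1
        by_sender[(sig, sender)] += 1
    return by_sig, by_ip, by_sender


def dominant_source(by_ip, sig, share=0.5):
    """Return the IP carrying at least `share` of `sig` hits, or None.

    Grouping by connecting IP is what makes the "same box over and over"
    pattern visible; grouping by sender would not, since a mass mailer
    forges MAIL FROM on every message.
    """
    hits = {ip: n for (s, ip), n in by_ip.items() if s == sig}
    total = sum(hits.values())
    if not total:
        return None
    ip, n = max(hits.items(), key=lambda kv: kv[1])
    return ip if n / total >= share else None


if __name__ == "__main__":
    by_sig, by_ip, by_sender = tally(SAMPLE_LOG)
    for sig, n in by_sig.most_common():
        print(f"{n:6d} {sig}  top source: {dominant_source(by_ip, sig)}")
```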


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Bart Silverstrim wrote:

 Are there any analysis papers out on sober.p yet?  And can anyone else  
 corroborate the theory I have, or am I totally off-base here?  I'm  
 still trying to figure it out from what I can piece together between  
 phone calls for other tasks here :-)


 If I remember correctly, a sideline of sober.p is to install sober.q on
the infected machine, which then spews these messages.


Matt 


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Mike Blonder
OK.

I think I get it. You had identified the oncbuv.com address as a source for the
sober.p garbage earlier and now it is showing up with the German gibberish 
garbage.

Thanks

Mike

I will check the next batch I receive (I hope I don't) for the same address

On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote:
 
 
 On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
 
  I am also getting inundated with German gibberish spam. Would you mind
  explaining the significance (if any) of the email address that you
  posted? I
  am finding that the German Gibberish garbage is spoofing a different
  email
  address with each posting.
 
 I'm new to the sleuthing aspect, so forgive me if I'm offbase
 here...(education/explanations always welcome! Plus it's made harder
 because the messages I have to work with are on a Unix system and
 mangled headers off an Exchange final destination)
 
 I know that usually they alter the headers and spoof (viruses, that is)
 but I thought it strange that we've been hammered by sober.p with that
 same address showing up over and over again in our amavis logs :
 # grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
 16546
 
 Usually it should vary things, I'd think. But then one of the first
 german gibberish messages I had found in a mailbox had the following
 right in the header:
  Received: from oncsbuv.com
  (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
 
 Coincidence? The first set I grepped was the IP of Sober.P's being
 stopped at the bastion server over the past couple weeks looking for
 that specific IP name. The second was a sample german message that
 managed to find its way to the administrator mail account on the
 exchange server.
 
 I mean,...spoofing I understand, and expect...but is it really
 coincidental that these just happened to hit that IP? That's why I
 wondered if maybe there wasn't a link between the two...that sober.p is
 now a mass mailing spam tool.
 
 Are there any analysis papers out on sober.p yet? And can anyone else
 corroborate the theory I have, or am I totally off-base here? I'm
 still trying to figure it out from what I can piece together between
 phone calls for other tasks here :-)
 


Re: [Clamav-users] Re: Follow-up on clamav-milter not mailing notice to postmaster

2005-05-16 Thread Christopher X. Candreva
On Sat, 14 May 2005, Dennis Peterson wrote:

 Clam runs fine when properly configured. 

And it ran fine for me right up until 0.85.

 Are you asking the developers to
 compensate for sloppy administration? I think for that you need a

No, what I'm asking for is if it runs one day with certain permissions, it
shouldn't fail at the next upgrade without saying something.

 Microsoft product, and it won't be free.
Changing behavior suddenly without warning is behavior I usually associate 
with Microsoft products.  Along with your attitude.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


RE: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Taylor
Hi

Please see http://www.theregister.co.uk/2005/05/16/sober_spews_spam/

Rgds

John Taylor
Network  Security Manager
Synstar
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Blonder
Sent: 16 May 2005 15:00
To: ClamAV users ML
Subject: Re: [Clamav-users] sober.p and german adverts?

OK.

I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and
now it is showing up with the German gibberish garbage.

Thanks

Mike

I will check the next batch I receive (I hope I don't) for the same address

On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote:
 
 
 On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
 
  I am also getting inundated with German gibberish spam. Would you 
  mind explaining the significance (if any) of the email address that 
  you posted? I am finding that the German Gibberish garbage is 
  spoofing a different email address with each posting.
 
 I'm new to the sleuthing aspect, so forgive me if I'm offbase 
 here...(education/explanations always welcome! Plus it's made harder 
 because the messages I have to work with are on a Unix system and 
 mangled headers off an Exchange final destination)
 
 I know that usually they alter the headers and spoof (viruses, that 
 is) but I thought it strange that we've been hammered by sober.p with 
 that same address showing up over and over again in our amavis logs :
 # grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
 16546
 
 Usually it should vary things, I'd think. But then one of the first 
 german gibberish messages I had found in a mailbox had the following 
 right in the header:
  Received: from oncsbuv.com
  (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
 
 Coincidence? The first set I grepped was the IP of Sober.P's being 
 stopped at the bastion server over the past couple weeks looking for 
 that specific IP name. The second was a sample german message that 
 managed to find its way to the administrator mail account on the 
 exchange server.
 
 I mean,...spoofing I understand, and expect...but is it really 
 coincidental that these just happened to hit that IP? That's why I 
 wondered if maybe there wasn't a link between the two...that sober.p 
 is now a mass mailing spam tool.
 
 Are there any analysis papers out on sober.p yet? And can anyone else 
 corroborate the theory I have, or am I totally off-base here? I'm 
 still trying to figure it out from what I can piece together between 
 phone calls for other tasks here :-)
 


Re: [Clamav-users] Re: Follow-up on clamav-milter not mailing notice to postmaster

2005-05-16 Thread Dennis Peterson
Christopher X. Candreva said:
 On Sat, 14 May 2005, Dennis Peterson wrote:

 Clam runs fine when properly configured.

 And it ran fine for me right up until 0.85.

 Are you asking the developers to
 compensate for sloppy administration? I think for that you need a

 No, what I'm asking for is if it runs one day with certain permissions, it
 shouldn't fail at the next upgrade without saying something.

 Microsoft product, and it won't be free.
 Changing behavior suddenly without warning is behavior I usually associate
 with Microsoft products.  Along with your attitude.

So you want code writers who never make a mistake so you don't have to
assume any responsibility for your installations. Those coders don't
exist, you see, so you are stuck with keeping your systems configured. Get
over it.

dp



Re: [Clamav-users] database number

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:27


What is the current database version from freshclam for people out
there?

It's always shown in the bottom line of 
http://www.clamav.net/
 Latest database release is: main.cvd 31 daily.cvd 879
 Latest ClamAV stable release is: 0.85
 

I've been getting a huge number of bounces with german
subjects, addressed to people with usernames beginning with 3d (just
starting to investigate what is going on with this...) 

3d is = and originates from broken ISO interpretation.

but the past few freshclam runs have shown nothing new.

Why should clamav point up?
Those are just bounces, there is NO worm inside.
They are just sent by a worm.
There is nothing a virus scanner can do anymore. It's too late now.

Write to the abuse account of the originating host,
and beg him to reject all messages for unknown users,
and not to bounce them.

admin.net-abuse.email might be of more help for this problem.


Rainer



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:59 AM, Mike Blonder wrote:
OK.
I think I get it. You had identified the oncbuv.com address as a source for the
sober.p garbage earlier and now it is showing up with the German 
gibberish garbage.
Sort of.  I can't find oncbuv.com so it's spoofed.  The IP actually 
reverses to a RoadRunner address.  I was hammered by the RR address, 
then the administrator had one message in German gibberwocky that 
appeared to be from that IP.



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:51
Maybe you should have simply entered it into google?
I'm quite sure that google would have led you to the right place.
Yes, google can search for german strings too! IMOH ;-)
I did enter it in when I first discovered it, but there were no hits.   
I thought perhaps it was too new at the time, and then turned to the  
lists to corroborate what I was seeing.

and the text appears to be just a link to a website...?
Yes, it is.
Many of them are pointing to websites of
reputable printed newsletters/magazines like Der Spiegel.
Apparently it will be very hard to block if it's just text without  
extra spammer tricks in it to bypass filters...or at least not enough  
to cross the threshold of spam vs. regular mail.

Perhaps we now know what happened to sober.p?
See:
http://www.viruslist.com/en/weblog
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EUVSect=P
Details in german:
http://www.heise.de/newsticker/meldung/59562
Well...I'm somewhat proud of myself that so far my hunches and  
(amateurish) deductions had me on the right track :-)

(anyone know offhand how to use the access file for postfix to reject
a message by *sender* instead of recipient?)
Write complaints to the owners of the IP blocks!
  The MAIL FROM is always faked.
  The URL-owner is mostly innocent too.
Block all mails from dynamic IP.
They are 99,99% spam.
Is there a way to do that with the access file/postmap in postfix?   
Block sender IP's/IP blocks?

I thought it was odd that our hammering from particular sober.p  
infections were consistent in IP.  If they were spoofing (this was from  
the logs that I extracted that grep), then why wouldn't I have 16000  
different sober.p sources instead of a few of them over and over?



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Brian Read

Block all mails from dynamic IP.
They are 99,99% spam.
 

No they aren't; that rule causes quite a few of my customers a 
headache, as the (linux) mailserver I often install sends the email 
direct, irrespective of whether their IP is dynamic or static.  Some 
ISPs charge an arm and a leg for static IPs.

--
Cheers
Brian
http://www.abandonmicrosoft.co.uk


RE: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Randal, Phil
It's easy to block.

Check the handler's Diary at http://isc.sans.org/ and follow the links.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bart Silverstrim
 Sent: 16 May 2005 16:05
 To: ClamAV users ML
 Subject: Re: [Clamav-users] sober.p and german adverts?
 
 
 On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
 
  [EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:51
  Maybe you should have simply entered it into google?
  I'm quite sure that google would have led you to the right place.
  Yes, google can search for german strings too! IMOH ;-)
 
 I did enter it in when I first discovered it, but there were 
 no hits.   
 I thought perhaps it was too new at the time, and then turned 
 to the lists to corroborate what I was seeing.
 
  and the text appears to be just a link to a website...?
 
  Yes, it is.
  Many of them are pointing to websites of reputable printed 
  newsletters/magazines like Der Spiegel.
 
 Apparently it will be very hard to block if it's just text 
 without extra spammer tricks in it to bypass filters...or at 
 least not enough to cross the threshold of spam vs. regular mail.
 
  Perhaps we now know what happened to sober.p?
 
  See:
 
  http://www.viruslist.com/en/weblog
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EUVSect=P
  Details in german:
  http://www.heise.de/newsticker/meldung/59562
 
 Well...I'm somewhat proud of myself that so far my hunches and
 (amateurish) deductions had me on the right track :-)
 
  (anyone know offhand how to use the access file for 
 postfix to reject 
  a message by *sender* instead of recipient?)
 
  Write complaints to the owners of the IP blocks!
The MAIL FROM is always faked.
The URL-owner is mostly innocent too.
 
  Block all mails from dynamic IP.
  They are 99,99% spam.
 
 Is there a way to do that with the access file/postmap in postfix?   
 Block sender IP's/IP blocks?
 
 I thought it was odd that our hammering from particular 
 sober.p infections were consistent in IP.  If they were 
 spoofing (this was from the logs that I extracted that grep), 
 then why wouldn't I have 16000 different sober.p sources 
 instead of a few of them over and over?
 


Re: [Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:27

What is the current database version from freshclam for people out
there?
It's always shown in the bottom line of
http://www.clamav.net/
 Latest database release is: main.cvd 31 daily.cvd 879
 Latest ClamAV stable release is: 0.85
Thanks for the info.  I didn't realize that was there...I knew there 
were recent threads about versioning problems going around, and began 
to suspect something was wrong with this one.  Apparently not.

I've been getting a huge number of bounces with german
subjects, addressed to people with usernames beginning with 3d (just
starting to investigate what is going on with this...)
3d is = and originates from broken ISO interpretation.
Figured that.  Knew that most bounces/address attempts with that prefix 
tended to come from viruses.

but the past few freshclam runs have shown nothing new.
Why should clamav point up?
Those are just bounces, there is NO worm inside.
They are just sent by a worm.
There is nothing a virus scanner can do anymore. It's too late now.
What I thought we were seeing was an attempt for a virus to propagate.  
I've had bounces in some mail systems that still contain the virus, or 
even if they didn't, I hoped that I'd see something change at the 
bastion server (update virus database, whatever was trying to propagate 
would suddenly get flagged as a virus instead of get through and become 
bounce fodder).

Write to the abuse account of the originating host,
and beg him to reject all messages for unknown users,
and not to bounce them.
The ones I was searching through were actually undeliverables to 
nonexistent accounts within our network.  I was getting the error 
messages to follow up on.

-Bart


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:08 AM, Randal, Phil wrote:
It's easy to block.
Check the handler's Diary at http://isc.sans.org/ and follow the links.
Thank you, that's my next task when I get a block of time today.
Thanks again!


[Clamav-users] Re: custom signature files

2005-05-16 Thread Jef Poskanzer
sigtool
docs/signatures.pdf

Interesting stuff!  I had no idea this capability was available.

Hey, has anyone made or run across a signature file that matches
all windows executables and all archive formats?  Seems like this
would be fairly easy to create.
---
Jef

 Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Brian Read wrote:

 Block all mails from dynamic IP. They are 99,99% spam.

 No they aren't; that rule causes quite a few of my customers a 
 headache, as the (linux) mailserver I often install sends the email 
 direct, irrespective of whether their IP is dynamic or static.  Some
 ISPs charge an arm and a leg for static IPs.

 There are reasonable ISP's, (pricewise), with regards to static ranges.

 There is however the fact that whether the IP's are static or dynamic,
business or domestic class, some ISP's, (mentioning no names), impose
relay restrictions by the domain part in the *sender* address, if you try
doing it the 'relay through ISP's mailhost' way. Which does leave the
choice of having the MTA connect directly to retain the correct domain
part of the senders mail address. This bumph about people shouldn't be
allowed to run a direct MTA to MTA setup unless they have static IP's is
nonsense. One might even say that it is MTA (elitism|snobbery). There are
plenty of legitimate MTA setups running on dynamic IP's. A lot of the time
they are configured in a better fashion than the service providers own
MTA's that most would have them relay through. There really is no
legitimate reason for blocking dynamic IP ranges at the outset. What
really does amaze me though, is that these are generally the admins who
will turn around and say, 'Don't block (variable), you will lose too
much legitimate mail'. Where is the logic in that? They will allow a
crappily configured multinational corporation or ISP to connect, yet not
give dynamics the slightest chance to prove their reliability.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Thomas Hochstein
Bart Silverstrim wrote:

 That address had been hammering us over and over for awhile with 
 sober.p.  Now it's become quiet.

Yes. Now the infected hosts are sending out spam containing (very)
right-wing political propaganda.

 Perhaps we now know what happened to sober.p?

Yes. The same thing has happened last year, IIRC with another version
of sober.

 (anyone know offhand how to use the access file for postfix to reject a 
 message by *sender* instead of recipient?)

Those senders are faked.

-thh


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Todd Lyons wrote:

 You should make their ISP's mail servers be the smarthost or
 relayhost for that customer's mail server.

 Oh yes, really.


 Some ISP's don't allow you to relay mail through them if it's not for
 @ispdomain.com.

 They don't allow you to do that so that they can charge you more than
your service charge per month for the 'ability to use your own domain name
in outgoing mail'. Dream on about using them as a relayhost.

 This restriction bit me in the arse with several customers before finding
out what the problem was. The fact that the information on this point is
buried away, and in no way any reference, or hint, supplied in any 5**
responses, doesn't make life any easier.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Jolet
Matt Fretwell wrote:
Brian Read wrote:

Block all mails from dynamic IP. They are 99,99% spam.

No they aren't; that rule causes quite a few of my customers a 
headache, as the (linux) mailserver I often install sends the email 
direct, irrespective of whether their IP is dynamic or static.  Some
ISPs charge an arm and a leg for static IPs.

There are reasonable ISPs, (pricewise), with regards to static ranges.
There is however the fact that whether the IPs are static or dynamic,
business or domestic class, some ISPs, (mentioning no names), impose
relay restrictions by the domain part in the *sender* address, if you try
doing it the 'relay through ISP's mailhost' way. Which does leave the
choice of having the MTA connect directly to retain the correct domain
part of the sender's mail address. This bumph about people shouldn't be
allowed to run a direct MTA to MTA setup unless they have static IPs is
nonsense. One might even say that it is MTA (elitism|snobbery). There are
plenty of legitimate MTA setups running on dynamic IPs. A lot of the time
they are configured in a better fashion than the service providers' own
MTAs that most would have them relay through. There really is no
legitimate reason for blocking dynamic IP ranges at the outset. What
really does amaze me though, is that these are generally the admins who
will turn around and say, 'Don't block (variable), you will lose too
much legitimate mail'. Where is the logic in that? They will allow a
crappily configured multinational corporation or ISP to connect, yet not
give dynamics the slightest chance to prove their reliability.
Matt
___
http://lurker.clamav.net/list/clamav-users.html
 

This email, for instance was sent from a properly configured mta running 
antispam and antivirus scanning in BOTH directions, from a dynamic ip.  
If my wife sends email from her computer, it goes to the isp's mta, 
which does inbound only scanning.  I have several rules in place for 
postfix to force it to use my isp's mta for domains that refuse traffic 
from dynamic or residential ip addresses.  The price for a 
non-residential ip from my isp is nearly double that for residential.  
Do I get any added-value service for that?  No, in fact, I lose the 
ability to take faulty equipment directly to the service center for 
replacement, instead of waiting for a service call.  I think more people 
running mtas would take the tack of examining the TRAFFIC, not the IP it 
came from.  That's just laziness.
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] database number

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 11:10

Once upon a time Bart Silverstrim  shaped the electrons to say...


On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote:

 [EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:27


 What is the current database version from freshclam for people out
 there?

 It's always shown in the bottom line of
 http://www.clamav.net/
  Latest database release is: main.cvd 31 daily.cvd 879
  Latest ClamAV stable release is: 0.85

Thanks for the info.  I didn't realize that was there...

You are not the only one who is having problems with the
not very ergonomic design of the clamav web page.

There are two flaws IMHO:
 - Gray should only be used for *un*important infos, but
it is used for important infos and worse main titles(!) too. 
 - Important infos should be visible without scrolling.
   If you click one item at top, nothing seems to change,
   because all changes are shown below...

Just tried again: 
If I now click http://www.clamav.net/bugs.html#pagestart
that item is scrolled up.
If I only get the URL http://www.clamav.net/bugs.html;
it is not and the page looks like the homepage...
(Mozilla 1.7.7)   


Rainer

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 11:05



I did enter it in when I first discovered it, but there were no hits.

Ok, next time mention it ;-)

I thought perhaps it was too new at the time, and then turned to the
lists to corroborate what I was seeing.

 Many of them are pointing to websites of
 reputable printed newsletters/magazines like Der Spiegel.

Apparently it will be very hard to block if it's just text without
extra spammer tricks in it to bypass filters...

There is a list of known subjects which can be fed into
SpamAssassin.
But in a few days that spam will stop.


or at least not enough
to cross the threshold of spam vs. regular mail.

 Write complaints to the owners of the IP blocks!
   The MAIL FROM is always faked.
   The URL-owner is mostly innocent too.

 Block all mails from dynamic IP.
 They are 99,99% spam.

Is there a way to do that with the access file/postmap in postfix?
Block sender IP's/IP blocks?

Sounds good.
There are RBLs (realtime black lists) which list all known dynamic IPs.
Another way is to trigger on strings like 
dial dyn ADSL  cable in the reverse name.
Rejecting all IPs which do not have an rDNS is helpful too.
But have an exact look at the logfiles!

I thought it was odd that our hammering from particular sober.p
infections were consistent in IP. 

I scanned our logfile today:
there where 

If they were spoofing (this was from the logs that I extracted that grep), 
then why wouldn't I have 16000 different sober.p sources instead of a 
few of them over and over?

They use 16000 different home PCs infected before.
TCP IP spoofing is very difficult, and if they could do it,
they would use it just to send spam.

But too there are bigger engine owned.


Rainer

___
http://lurker.clamav.net/list/clamav-users.html
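As an added example, not part of the thread or any poster's message: a small Python classifier that applies the reverse-DNS heuristics Rainer lists above (reject a client with no rDNS, or whose PTR name carries dial/dyn/ADSL/cable tokens), plus an allowlist for the legitimate dynamic-address MTAs that other posters defend. The PTR table, host names and addresses are constructed for offline use and stand in for a real resolver.

```python
"""Added example: classify an SMTP client by its reverse-DNS name.

Heuristics follow the post above: reject when there is no rDNS, or when the
PTR name carries dial/dyn/adsl/cable tokens. The PTR table is constructed
(RFC 5737 documentation addresses, fictional names), not real data.
"""
import ipaddress
import re

# Constructed PTR table: address -> reverse name (None = no rDNS at all).
PTR_TABLE = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.11": "dyn-192-0-2-11.example-isp.net",
    "192.0.2.12": "cable-12.pool.example-isp.net",
    "192.0.2.13": "adsl-13.example-isp.net",
    "192.0.2.14": "dialup-14.example-isp.net",
    "192.0.2.15": None,
    "192.0.2.16": "cabled-ocean.example.org",  # token inside a longer label: must NOT match
}

# The tokens named in the post. A token must be a whole label, or the start of
# a label up to the next '-' or '.', so "cabled-ocean" is not a hit.
DYNAMIC_TOKENS = re.compile(
    r"(?:^|[.-])(?:dial(?:up|in)?|dyn(?:amic|ip)?|adsl|cable)(?:[.-]|$)",
    re.IGNORECASE,
)


def reverse_lookup(ip):
    """Return the PTR name from the constructed table (stands in for a real resolver)."""
    return PTR_TABLE.get(ip)


def classify_client(ip, allowlist=frozenset(), lookup=reverse_lookup):
    """Return ("accept" | "reject", reason) for a connecting client address.

    The allowlist is checked first: a known-good MTA on a dynamic address is
    accepted before any heuristic runs. The reason string is meant for the
    log, since the post's advice is to keep an exact eye on the logfiles.
    """
    addr = str(ipaddress.ip_address(ip))  # raises ValueError on junk input
    if addr in allowlist:
        return ("accept", "allowlisted")
    name = lookup(addr)
    if name is None:
        return ("reject", "no rDNS")
    if DYNAMIC_TOKENS.search(name):
        return ("reject", f"dynamic-looking rDNS {name}")
    return ("accept", f"rDNS {name}")


def main():
    # Walk the constructed table, treating one dynamic host as a known-good MTA.
    for ip in PTR_TABLE:
        verdict, reason = classify_client(ip, allowlist={"192.0.2.11"})
        print(f"{ip:<12} {verdict:<7} {reason}")


if __name__ == "__main__":
    main()
```

The token list is deliberately narrow; a site that wants to match plain "dsl" or "pool" labels extends the regular expression, and the thread's own counter-argument (legitimate MTAs on dynamic ranges) is what the allowlist is for.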


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Brian Read)  16.05.05 16:08

Once upon a time Brian Read  shaped the electrons to say...


Block all mails from dynamic IP.
They are 99,99% spam.


No they aren't; that rule causes quite a few of my customers a
headache, 

That's the missing 0.01%, I know.

as the (linux) mailserver I often install sends the email
direct, irrespective of whether their IP is dynamic or static.
Some ISPs charge an arm and a leg for static IPs.

But most offer a smart host.
If not, you have the wrong ISP.

To be realistic:
It is already not wise to send emails from a dynamic IP to
unknown recipients.
Too many ISPs reject such mails, or have to reject them,
as the worm traffic already has an unbelievable amount.


Rainer

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Todd Lyons)  16.05.05 10:14

Brian Read wanted us to know:

Block all mails from dynamic IP.
They are 99,99% spam.

Agreed.

No they aren't; that rule causes quite a few of my customers a
headache, as the (linux) mailserver I often install sends the email
direct, irrespective of whether their IP is dynamic or static.
Some ISPs charge an arm and a leg for static IPs.

You should make their ISP's mail servers be the smarthost or
relayhost for that customer's mail server.

Some ISPs don't allow you to relay mail through them if it's not for
@ispdomain.com.  In that case, you should offer them a value add
service to relay mail for them and then configure SSL (583) so that
they don't have that problem.

But very often the domain hoster relays mails for all domains 
he hosts (that's why he is called domain hoster? ;-)).
SMTP AUTH is required, but no problem today.

Rainer

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:06 AM, Thomas Hochstein wrote:
Bart Silverstrim schrieb:
That address had been hammering us over and over for awhile with
sober.p.  Now it's become quiet.
Yes. Now the infected hosts are sending out spam containing (very)
right-wing political propaganda.
Don't read German, and haven't had the pleasure of the English versions 
(yet?)...so, I guess it's another case of I'm not the target 
audience.

(anyone know offhand how to use the access file for postfix to reject a
message by *sender* instead of recipient?)
Those senders are faked.
Thanks to someone else's posting, I found some regex lists to put into 
the header_check file for postfix...should put a stop to it.

I HATE that solution simply because it's too easy to forget about it 
and people who may send such headings in the subject line are blocked 
as well (there are courses here where you never know...the German 
course may have someone send info on Dresden in 1945...).

I also know there can be collateral damage from it.  Weigh...invalid 
bounce, or silently dropping messages that may be legit...hmm...

Some days it's just not worth using the Internet anymore.
-Bart
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 1:41 PM, John Jolet wrote:
This email, for instance was sent from a properly configured mta 
running antispam and antivirus scanning in BOTH directions, from a 
dynamic ip.  If my wife sends email from her computer, it goes to the 
isp's mta, which does inbound only scanning.  I have several rules in 
place for postfix to force it to use my isp's mta for domains that 
refuse traffic from dynamic or residential ip addresses.  The price 
for a non-residential ip from my isp is nearly double that for 
residential.  Do I get any added-value service for that?  No, in fact, 
I lose the ability to take faulty equipment directly to the service 
center for replacement, instead of waiting for a service call.  I 
think more people running mtas would take the tack of examining the 
TRAFFIC, not the IP it came from.  That's just laziness.
Also...what if you don't trust your provider?  What if you want to have 
more control over the spam filtering, the virus handling...data 
retention...remember, in the US, your ISP records can be searched now 
without them being able to notify you, and your messages logged from 
their mail server.

Yes, there are ways around it, but why make it really easy for the 
people the tin-foil-hat brigade fears?

And what if you believe that people willing to take responsibility for 
their connections should be allowed to do so?  It's the irresponsible, 
the lazy, and the foolish that are setting up open relays today.  If 
someone is willing to take the time to wear the sysadmin hat and do it 
right, they should be able to run their own mail service.  The ISP 
should be just that.  Internet Service Provider.  Gimme my connection 
and leave the rest to me, thank you! :-)

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 1:54 PM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 11:05
I did enter it in when I first discovered it, but there were no hits.
Ok, next time mention it ;-)
Here I thought it was common sense now! :-)
Apparently it will be very hard to block if it's just text without
extra spammer tricks in it to bypass filters...
There is a list of known subjects which can be fed into
SpamAssassin.
But in a few days that spam will stop.
I used someone's advice from the list to add to the header_check file 
for postfix.  Seems to have stemmed the spam.  I'm gonna be ticked if 
it stops now that I just got that all set up... :-/

I thought it was odd that our hammering from particular sober.p
infections were consistent in IP.
I scanned out logfile today:
there where
?  Missing part of that?
If they were spoofing (this was from the logs that I extracted that 
grep),
then why wouldn't I have 16000 different sober.p sources instead of a
few of them over and over?
They use 16000 different home PCs infected before.
That one IP showed up in the log as hitting us 16000 times.  Unless 
you're saying there were 16000 pc's all spoofing that same IP.  If so, 
I pity the owner of that IP lease.

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] database number

2005-05-16 Thread Matt Fretwell
Rainer Zocholl wrote:

 There are two flaws IMHO:
  - Gray should only be used for *un*important infos, but
 it is used for important infos and worse main titles(!) too. 

 And I thought I rambled on about irrelevant things.


  - Important infos should be visible without scrolling.
If you click one item at top, nothing seems to change,
because all changes are shown below...


 My, would you like someone to volunteer to press the down button for you?
For goodness sake, someone has gone to the pain and trouble of designing
the site, writing the documentation and making it all available, and you're
complaining about colours and having to scroll?


Matt
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] database number

2005-05-16 Thread Samuel Benzaquen

Matt Fretwell wrote:


 Rainer Zocholl wrote:

  There are two flaws IMHO:
   - Gray should only be used for *un*important infos, but
  it is used for important infos and worse main titles(!) too.

  And I thought I rambled on about irrelevant things.

I don't see it as irrelevant as you do. The web page is the face to people
that don't know about the product.
A well presented web page can attract users just like any other quality of
the product.


   - Important infos should be visible without scrolling.
 If you click one item at top, nothing seems to change,
 because all changes are shown below...

  My, would you like someone to volunteer to press the down button for you?
 For goodness sake, someone has gone to the pain and trouble of designing
 the site, writing the documentation and making it all available, and your
 complaining about colours and having to scroll?


Don't go criticizing clamav.net's next volunteer web designer ;)

No, really... Maybe I don't feel what you're talking about because I have a
17 monitor with a resolution of at least 1024x768, but people on 800x600
could have a problem noticing that the page actually changed (without the
#pagestart anchor). Maybe a smaller header could do the trick.

-Samuel

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
John Jolet said:
 Matt Fretwell wrote:



 This email, for instance was sent from a properly configured mta running
 antispam and antivirus scanning in BOTH directions, from a dynamic ip.
 If my wife sends email from her computer, it goes to the isp's mta,
 which does inbound only scanning.  I have several rules in place for
 postfix to force it to use my isp's mta for domains that refuse traffic
 from dynamic or residential ip addresses.  The price for a
 non-residential ip from my isp is nearly double that for residential.
 Do I get any added-value service for that?  No, in fact, I lose the
 ability to take faulty equipment directly to the service center for
 replacement, instead of waiting for a service call.  I think more people
 running mtas would take the tack of examining the TRAFFIC, not the IP it
 came from.  That's just laziness.

Most of the spam I've gotten the last three days is from comcast.net.
Apparently they allow their customers to send out to port 25. They should
lock that down so that spam goes out through their own servers so they can
feel the pain when they are blacklisted for incompetence. If you need to
run your own stand-alone mail service you should pay the price for the
privilege.

Nobody should send mail directly unless it is filtered outbound. In fact,
that would be a good blacklist: real-time-morons.org. I'd even toss in
systems that NDR after the connection is closed as they have no idea at
that point who the sender is.

dp

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Jef Poskanzer
that would be a good blacklist: real-time-morons.org. I'd even toss in
systems that NDR after the connection is closed as they have no idea at
that point who the sender is.

Which means all sites running qmail!  Yay!
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Jolet
On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote:
 John Jolet said:
  Matt Fretwell wrote:
 
 
 
  This email, for instance was sent from a properly configured mta running
  antispam and antivirus scanning in BOTH directions, from a dynamic ip.
  If my wife sends email from her computer, it goes to the isp's mta,
  which does inbound only scanning.  I have several rules in place for
  postfix to force it to use my isp's mta for domains that refuse traffic
  from dynamic or residential ip addresses.  The price for a
  non-residential ip from my isp is nearly double that for residential.
  Do I get any added-value service for that?  No, in fact, I lose the
  ability to take faulty equipment directly to the service center for
  replacement, instead of waiting for a service call.  I think more people
  running mtas would take the tack of examining the TRAFFIC, not the IP it
  came from.  That's just laziness.

 Most of the spam I've gotten the last three days is from comcast.net.
 Apparently they allow their customers to send out to port 25. They should
 lock that down so that spam goes out through their own servers so they can
 feel the pain when they are blacklisted for incompetence. If you need to
 run your own stand-alone mail service you should pay the price for the
 privilege.

 Nobody should send mail directly unless it is filtered outbound. In fact,
 that would be a good blacklist: real-time-morons.org. I'd even toss in
 systems that NDR after the connection is closed as they have no idea at
 that point who the sender is.

 dp

 ___
That was my point.  My mail IS filtered outbound.  So I should have to pay 
double for the privilege of controlling my own email?  How about this...I 
send an email to a client via my isp's mta.  There's a problem, but I don't 
find out about it for 5 days.  I lose business.  On the other hand, I send 
the email direct, I've got my installation set to notify me of problems after 
minutes, not days.  I can do that because I'm my only customer.  I know 
nearly every email that gets sent out and can be very responsive to problems.  
I should double my fee for that single advantage?  Not sure I buy that.  
That's a microsoft-type business plan.
-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

 Nobody should send mail directly unless it is filtered outbound. In
 fact, that would be a good blacklist: real-time-morons.org. I'd even
 toss in systems that NDR after the connection is closed as they have no
 idea at that point who the sender is.


 That, I cannot argue with :) Although if I remember correctly, there are
some on this list who are guilty of not filtering outbound.

 I think, (was it Julian who accused us of it?), misanthropic.admins.org
might be a good name :)


Matt
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said:
 Dennis Peterson wrote:

 Nobody should send mail directly unless it is filtered outbound. In
 fact, that would be a good blacklist: real-time-morons.org. I'd even
 toss in systems that NDR after the connection is closed as they have no
 idea at that point who the sender is.


  That, I cannot argue with :) Although if I remember correctly, there are
 some on this list who are guilty of not filtering outbound.

  I think, (was it Julian who accused us of it?), misanthropic.admins.org
 might be a good name :)


 Matt

I like it when they admit it - it helps me populate my access_db file.

dp

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
John Jolet said:
 On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote:
 John Jolet said:

 Nobody should send mail directly unless it is filtered outbound. In
 fact,
 that would be a good blacklist: real-time-morons.org. I'd even toss in
 systems that NDR after the connection is closed as they have no idea at
 that point who the sender is.

 dp

 ___
 That was my point.  My mail IS filtered outbound.  So I should have to pay
 double for the privilege of controlling my own email?  How about this...I
 send an email to a client via my isp's mta.  There's a problem, but I
 don't
 find out about it for 5 days.  I lose business.  On the other hand, I send
 the email direct, I've got my installation set to notify me of problems
 after
 minutes, not days.  I can do that because I'm my only customer.  I know
 nearly every email that gets sent out and can be very responsive to
 problems.
 I should double my fee for that single advantage?  Not sure I buy that.
 That's a microsoft-type business plan.
 --
 John Jolet

How am I to know that you are filtering your mail? If your IP is in the
middle of a block of dynamic IPs you are fair game for me to block. The
world experience is that Windows drones on dialups or cable/dsl are a
major source of spam/viruses. Nothing distinguishes you from them. You get
out of that mess by purchasing a fixed IP from an ISP that keeps track of
non-dynamic IPs for all of our benefits. Nobody said this was easy or
cheap.

In Microsoft's plan there would be no room for you to make money.
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

  That was my point.  My mail IS filtered outbound.  So I should have to
  pay double for the privilege of controlling my own email?

 How am I to know that you are filtering your mail? If your IP is in the
 middle of a block of dynamic IPs you are fair game for me to block. The
 world experience is that Windows drones on dialups or cable/dsl are a
 major source of spam/viruses. Nothing distinguishes you from them. You
 get out of that mess by purchasing a fixed IP from an ISP that keeps
 track of non-dynamic IPs for all of our benefits. Nobody said this was
 easy or cheap.

 That is coming back to the dynamic elitist viewpoint. Just as a sideline
question on this, how many corporate machines, on static IP ranges, are
running outdated, security wise, IIS machines which are guaranteed to spew
crap as soon as anything hits? [ price != competence ]

 Also, this does not take into account the fact that quite a large amount
of dynamic ISP accounts are practically static, except in name. I have no
problem with blocking a /24 range if attempts are seen from that block of
addresses, (static or otherwise), but I still cannot see the point of
penalising dynamic IPs just because they are dynamic, without good cause.
If one was going down the OS fingerprinting route tallied to a dynamic IP
check, then that might be feasible, but a straight block with no absolute
reason?


Matt

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said:
 Dennis Peterson wrote:

  That was my point.  My mail IS filtered outbound.  So I should have to
  pay double for the privilege of controlling my own email?

 How am I to know that you are filtering your mail? If your IP is in the
 middle of a block of dynamic IPs you are fair game for me to block. The
 world experience is that Windows drones on dialups or cable/dsl are a
 major source of spam/viruses. Nothing distinguishes you from them. You
 get out of that mess by purchasing a fixed IP from an ISP that keeps
 track of non-dynamic IPs for all of our benefits. Nobody said this was
 easy or cheap.

  That is coming back to the dynamic elitist viewpoint. Just as a sideline
 question on this, how many corporate machines, on static IP ranges, are
 running outdated, security wise, IIS machines which are guaranteed to spew
 crap as soon as anything hits? [ price != competence ]

We do what we can with what we have, one step at a time.


  Also, this does not take into account the fact that quite a large amount
 of dynamic ISP accounts are practically static, except in name. I have no
 problem with blocking a /24 range if attempts are seen from that block of
 addresses, (static or otherwise), but I still cannot see the point of
 penalising dynamic IPs just because they are dynamic, without good cause.
 If one was going down the OS fingerprinting route tallied to a dynamic IP
 check, then that might be feasible, but a straight block with no absolute
 reason?

Here's how it works, Matt - if you have a dynamic IP, even one that has a
long life time, other people will still block mail from your IP block.
That seldom happens if you have a true fixed IP, all other things being
equal. And you know what? You have no say in it. It is out of your
control. And if the number of Windows drones continues to grow at the
current rate you can expect to be blocked pretty damn soon as there's just
about nothing else left to do. And I'm ok with that.

dp
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

 Here's how it works, Matt - if you have a dynamic IP, even one that has
 a long life time, other people will still block mail from your IP block.
 That seldom happens if you have a true fixed IP, all other things being
 equal. And you know what? You have no say in it. It is out of your
 control. And if the number of Windows drones continues to grow at the
 current rate you can expect to be blocked pretty damn soon as there's
 just about nothing else left to do. And I'm ok with that.


 Just for later 'discussion' purposes, as your headers for this mail will
prove, I am on a static IP range.

 I am not in the same boat as John, but I still would not dream of
penalising without a proven, (with regards to what my own logs say),
reason. The really annoying thing is, it is easy to set up an automated
system to add offending IPs or IP blocks to your own local RBLs, so any
IP, whether it be dynamic or static has a one shot chance. There is no
need to block outright from the outset.


Matt
___
http://lurker.clamav.net/list/clamav-users.html
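Added example, not from Matt's message or from any project: a Python sketch of the automated one-shot scheme he describes, which lists an address in a local blocklist after its first rejected attempt and escalates to a /24 once several distinct addresses in that block have offended. The log lines follow Postfix's general reject format but are constructed, as are the addresses (RFC 5737 ranges).

```python
"""Added example: build a local blocklist from a mail log, one-shot style.

Every client gets one chance: the first reject lists its /32. When enough
distinct offenders sit in the same /24, the whole /24 is listed instead.
The log excerpt is constructed (Postfix-style lines, documentation addresses).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
May 16 04:50:39 mx postfix/smtpd[2101]: connect from mail.example.net[192.0.2.10]
May 16 04:50:40 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 450 4.7.1 Client host rejected: cannot find your reverse hostname
May 16 04:51:02 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from dyn-1.example-isp.net[198.51.100.1]: 554 5.7.1 Helo command rejected
May 16 04:51:05 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from dyn-2.example-isp.net[198.51.100.2]: 554 5.7.1 Helo command rejected
May 16 04:51:09 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from dyn-3.example-isp.net[198.51.100.3]: 554 5.7.1 Helo command rejected
May 16 04:52:00 mx postfix/smtpd[2105]: 1A2B3C4D5E: client=mail.example.net[192.0.2.10]
"""

# Matches the client address in a Postfix-style "reject: RCPT from host[ip]" line.
REJECT_RE = re.compile(r"reject: RCPT from \S*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def count_rejects(log_text):
    """Count rejected delivery attempts per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def net_of(ip):
    """The /24 containing ip, as a CIDR string."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_blocklist(log_text, per_ip=1, per_net=3):
    """Return the set of CIDR strings to feed into a local RBL or access map.

    per_ip  - rejects needed before an address is listed (1 = one-shot chance)
    per_net - distinct listed addresses in one /24 before the /24 is listed,
              at which point its individual /32 entries are dropped
    """
    hits = count_rejects(log_text)
    offenders = {ip for ip, n in hits.items() if n >= per_ip}
    by_net = Counter(net_of(ip) for ip in offenders)
    blocked_nets = {net for net, n in by_net.items() if n >= per_net}
    entries = set(blocked_nets)
    for ip in offenders:
        if net_of(ip) not in blocked_nets:
            entries.add(f"{ip}/32")
    return entries


def main():
    for entry in sorted(build_blocklist(SAMPLE_LOG)):
        print(entry, "REJECT")


if __name__ == "__main__":
    main()
```

The thresholds are the policy knobs the thread argues over: per_ip=1 is Matt's one-shot chance, and per_net decides how much evidence a whole /24 needs before it is treated as one offender. Because the list is derived from the site's own rejects, it carries the audit trail Matt wants (a log line per entry) rather than a blanket rule.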


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said:
 Dennis Peterson wrote:

 Here's how it works, Matt - if you have a dynamic IP, even one that has
 a long life time, other people will still block mail from your IP block.
 That seldom happens if you have a true fixed IP, all other things being
 equal. And you know what? You have no say in it. It is out of your
 control. And if the number of Windows drones continues to grow at the
 current rate you can expect to be blocked pretty damn soon as there's
 just about nothing else left to do. And I'm ok with that.


  Just for later 'discussion' purposes, as your headers for this mail will
 prove, I am on a static IP range.

I'm using you in the generic sense for discussion. Not referring to you,
Matt. I could have been more clear on that.


  I am not in the same boat as John, but I still would not dream of
 penalising without a proven, (with regards to what my own logs say),
 reason. The really annoying thing is, it is easy to set up an automated
 system to add offending IPs or IP blocks to your own local RBLs, so any
 IP, whether it be dynamic or static has a one shot chance. There is no
 need to block outright from the outset.

As I mentioned earlier, I'm getting slammed from comcast.net from relays
all over the US. It is far easier to block by obvious dsl/cable host
identifiers than to spend hours trying to figure out what /24 IP ranges to
tweak. I see the problem as Comcast's, not mine. Your mileage may vary - I
know mine did.

dp
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

 There is no need to block outright from the outset.

 As I mentioned earlier, I'm getting slammed from comcast.net from relays
 all over the US. It is far easier to block by obvious dsl/cable host
 identifiers than to spend hours trying to figure out what /24 IP ranges
 to tweak. I see the problem as Comcast's, not mine. Your mileage may vary
 - I know mine did.


 The point with the above is different. Comcast had the initial, with you,
opportunity and made a mess of it. With that level of abuse, if it's
related to their network in any way or form, it would be blocked. Even I
wouldn't bother with a /24 block for that level of abuse. By that point, I
would merrily block their entire network, rhsbl and rbl, without giving it
a second thought.

 There is no need to blanket ban every other provider's DSL yet, though :)


All the best,

Matt
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Matt Fretwell wrote:


  There is no need to blanket ban every other providers dsl yet, though
  :)


 Just as a side note, here are a couple of links for Postfix header checks
for this german spam outbreak. 


http://archives.neohapsis.com/archives/postfix/2005-05/1377.html

http://www.heise.de/newsticker/foren/go.shtml?read=1msg_id=7992046forum_id=78695


Matt
___
http://lurker.clamav.net/list/clamav-users.html
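Added example, not from the thread or from the pages linked above: a small Python evaluator for Postfix header_checks-style tables, showing how a subject rule of the kind those links carry is parsed and applied (first matching rule wins, one verdict per message). The rules and header lines are constructed placeholders, not the real outbreak subjects; flags after the closing slash are not handled, and matching is case-insensitive, which is Postfix's default for these tables.

```python
"""Added example: evaluate header_checks-style rules against message headers.

Table syntax modelled on Postfix: one "/pattern/ ACTION [text]" per line,
'#' comments, first match wins. Patterns and headers below are constructed
placeholders; they are not the Sober.P subjects discussed in the thread.
"""
import re

# Constructed rule table (placeholders, not real outbreak patterns).
HEADER_CHECKS = r"""
# Outbreak-specific subject: reject outright.
/^Subject: .*CONSTRUCTED-OUTBREAK-SUBJECT/ REJECT Known spam subject
# Broad pattern: only log it, to limit collateral damage while tuning.
/^Subject: .*CONSTRUCTED-BROAD-PATTERN/ WARN Possible spam subject
# A header the site never wants to see; no explanatory text.
/^X-Constructed-Bad-Header:/ DISCARD
"""

# /pattern/ ACTION [text]; an escaped slash inside the pattern is allowed.
RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/])*)/\s+(?P<action>[A-Z]+)(?:\s+(?P<text>.*))?$"
)


def parse_header_checks(text):
    """Return a list of (compiled_pattern, action, text) in table order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        pattern = re.compile(m.group("pat"), re.IGNORECASE)
        rules.append((pattern, m.group("action"), m.group("text") or ""))
    return rules


def check_headers(headers, rules):
    """Apply the rules to each header line in turn.

    Returns (action, text, matching_header) for the first hit, or None when
    no rule matches any header.
    """
    for header in headers:
        for pattern, action, text in rules:
            if pattern.search(header):
                return (action, text, header)
    return None


def main():
    rules = parse_header_checks(HEADER_CHECKS)
    # Constructed header sets for three messages.
    samples = [
        ["From: a@example.net", "Subject: CONSTRUCTED-OUTBREAK-SUBJECT now"],
        ["From: b@example.net", "Subject: constructed-broad-pattern"],
        ["From: c@example.net", "Subject: hello"],
    ]
    for headers in samples:
        print(headers[1], "->", check_headers(headers, rules))


if __name__ == "__main__":
    main()
```

Bart's caveat above is the design point: a REJECT on a broad subject pattern is easy to forget and silently blocks legitimate mail, so a rule that is not outbreak-specific is better run as WARN (log only) until the logs show it is safe.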


Re: [Clamav-users] /dev/console Permission in ClamAV 0.85

2005-05-16 Thread imacat
The /dev/console permission problem seems to be solved in the
just-released ClamAV 0.85.1.  Thank you.

On Mon, 16 May 2005 12:12:09 +0800
imacat [EMAIL PROTECTED] wrote:

 Sorry, I did not notice that I had disabled this list, and was
 wondering why there was no response to my previous post.  And while I was
 reading the archive I did not notice that the search box is at the bottom. 
 So I browsed several pages and decided to write a more diagnostic mail,
 maybe with a patch, to replace my previous rushed one.
 
 Sorry for the bother, and thanks that it is solved in CVS.
 
 On Sun, 15 May 2005 22:54:24 -0500 (CDT)
 Damian Menscher [EMAIL PROTECTED] wrote:
 
  On Sun, 15 May 2005, imacat wrote:
  
   [EMAIL PROTECTED]:~# /dev/console: Permission denied
  
  It's considered polite to at least look at the past week's worth of 
  subject lines before posting to an email list with hundreds of 
  recipients.
  
  Damian Menscher
  -- 
  -=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
  -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
  -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
  -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
  -=#| The above opinions are not necessarily those of my employers. |#=-
  ___
  http://lurker.clamav.net/list/clamav-users.html
 
 -- 
 imacat ^_*'
 [EMAIL PROTECTED]
 PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt
 
 Tavern IMACAT's http://www.imacat.idv.tw/
 Woman's Voice http://www.wov.idv.tw/
 TLUG List Manager http://www.linux.org.tw/mailman/listinfo/tlug

--
Best regards,
imacat ^_*' [EMAIL PROTECTED]
PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt

Woman's Voice News: http://www.wov.idv.tw/
Tavern IMACAT's: http://www.imacat.idv.tw/
TLUG List Manager: http://www.linux.org.tw/mailman/listinfo/tlug


___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bill Taroli
Brian Read wrote:

Block all mails from dynamic IP.
They are 99,99% spam.
No they aren't; that rule causes quite a few of my customers a 
headache, as the (linux) mailserver I often install sends the email 
direct, irrespective of whether their IP is dynamic or static.  
Some ISPs charge an arm and a leg for static IPs.

I wind up blocking mail from people like that for an entirely different 
reason. Basic DNS checking against the HELO string to be sure it 
resolves to the IP address the connection's actually coming from. I 
couldn't imagine how much spam I don't even have to waste cycles 
filtering as a result. :-) Mind you, I wind up having to send 'your 
mailserver isn't configured right' messages to some sites. But the 
reduction in the noise is well worth it.

This attack, for example, would all but be completely blocked without a 
single invocation of SpamAssassin. :-) Unless of course they luck out 
and infect a PC that has a proper mail config. :-\

Bill
___
http://lurker.clamav.net/list/clamav-users.html
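As an added example, not from Bill's message or any MTA's own code: a Python implementation of the HELO check he describes, which accepts a client only when its HELO name resolves to the address the connection arrives from. The forward DNS table is constructed (RFC 5737 addresses, fictional names) so the check runs offline; a real deployment would query the resolver instead.

```python
"""Added example: check that an SMTP HELO name resolves to the client address.

Accepts an address literal "[a.b.c.d]" only when it equals the client IP,
and otherwise requires a syntactically valid FQDN with an A record equal to
the client IP. The A-record table is constructed, not real DNS data.
"""
import ipaddress
import re

# Constructed forward DNS: name -> addresses (documentation ranges only).
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.5", "203.0.113.5"],  # multi-homed host
    "dyn-11.example-isp.net": ["192.0.2.11"],
}

# Dotted FQDN: labels of letters/digits/hyphens, a TLD of letters, <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def resolve_a(name):
    """Return the A records for name from the constructed table."""
    return A_RECORDS.get(name.lower(), [])


def check_helo(helo, client_ip, resolve=resolve_a):
    """Return (accepted, reason) for one HELO/EHLO argument.

    A multi-homed host passes as long as one of its addresses is the client.
    """
    client = ipaddress.ip_address(client_ip)
    if helo.startswith("[") and helo.endswith("]"):
        try:
            literal = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return (False, "malformed address literal")
        if literal == client:
            return (True, "address literal matches client")
        return (False, f"address literal {literal} != client {client}")
    if not HOSTNAME_RE.match(helo):
        return (False, f"HELO {helo!r} is not a valid FQDN")
    addrs = resolve(helo)
    if not addrs:
        return (False, f"HELO {helo} does not resolve")
    if any(ipaddress.ip_address(a) == client for a in addrs):
        return (True, f"HELO {helo} resolves to client")
    return (False, f"HELO {helo} resolves to {', '.join(addrs)}, not {client}")


def main():
    # Constructed sessions: (HELO argument, connecting address).
    sessions = [
        ("mail.example.net", "192.0.2.10"),
        ("mail.example.net", "192.0.2.11"),
        ("mx.example.org", "203.0.113.5"),
        ("[192.0.2.10]", "192.0.2.10"),
        ("localhost", "192.0.2.10"),
        ("nosuch.example.com", "192.0.2.10"),
    ]
    for helo, ip in sessions:
        ok, reason = check_helo(helo, ip)
        print(f"{'ACCEPT' if ok else 'REJECT':<6} {helo:<22} from {ip:<12} {reason}")


if __name__ == "__main__":
    main()
```

The failure cases are the ones Bill's own post anticipates: a legitimate but misconfigured site, or a NAT'ed host that greets with an internal name, fails the check and gets the "your mailserver isn't configured right" reply, so the reason string should go into the log rather than be discarded.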


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bill Taroli
Matt Fretwell wrote:
Brian Read wrote:
 

Block all mails from dynamic IP. They are 99,99% spam.
 

No they aren't; that rule causes quite a few of my customers a 
headache, as the (linux) mailserver I often install sends the email 
direct, irrespective of whether their IP is dynamic or static.  Some
ISPs charge an arm and a leg for static IPs.
   

[...] This bumph about people shouldn't be
allowed to run a direct MTA to MTA setup unless they have static IPs is
nonsense. One might even say that it is MTA (elitism|snobbery). There are
plenty of legitimate MTA setups running on dynamic IPs. [...] What
really does amaze me though, is that these are generally the admins who
will turn around and say, 'Don't block (variable), you will lose too
much legitimate mail'. Where is the logic in that? They will allow a
crappily configured multinational corporation or ISP to connect, yet not
give dynamics the slightest chance to prove their reliability.
 

I don't think it's a matter of reliability... it's more an issue of 
accountability and traceability. How can one trace back to a dynamically 
IP'ed MTA when it's dynamic? DynDNS doesn't prove itself in the majority 
of cases, or isn't even used. Some of these are even worse because the 
mail is coming from a NAT'ed host from behind a dyn IP firewall, which 
won't even allow return messages -- and I suspect this is extremely 
common. Kind of like an inverse roach motel for email.

I don't disagree that there may well be many people running wholesome 
MTAs on dynamic IPs that suffer for the rest. But it's that rest we're 
all concerned with. I honestly wonder whether an authorization framework 
such as SPF would be the salvation of such setups... permitting them to 
prove themselves worthy without the need for static IP addresses.

But until that time comes, any host who appears to lie about its 
identity by giving a host name that doesn't match its visible IP 
address is getting the door slammed in its face by my MTA.

YMMV.
Bill
Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread jef moskot
On Mon, 16 May 2005, Matt Fretwell wrote:
 Dennis Peterson wrote:
  The world experience is that Windows drones on dialups or cable/dsl
  are a major source of spam/viruses.
 That is coming back to the dynamic elitist viewpoint.

I agree with both of you, actually.  In theory, of course, Matt is right.
If you're doing everything properly, you shouldn't be punished.

On the other hand, given a limited amount of time to mess with e-mail,
blocking all dynamic traffic proves to be an incredibly effective,
efficient, and accurate means of blocking spam.

If you configure your error messages properly and have a decent exception
policy, smart, competent people like Matt are going to be able to work
around the system with a minimum of fuss while Dennis is still protected
from those other 99.9% of users.

A lot of idealism goes down the tubes when confronted with the real world,
but there are compromises you can make that, while imperfect, get you to a
place where everything functions reasonably.

-jef


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Jef Poskanzer
Bill Taroli:
I wind up blocking mail from people like that for an entirely different 
reason. Basic DNS checking against the HELO string to be sure it 
resolves to the IP address the connection's actually coming from.

There are a few different ways to do DNS checks.  I haven't seen
this particular one suggested before.

The correct check is:  fDNS(rDNS(IP)) == IP
However, this check doesn't actually do very much; it just ensures that
the IP address exists in the DNS system.

The typical broken check is:  rDNS(fDNS(HELO)) == HELO
This is wrong for a number of reasons, the main one being that not everyone
has control of their reverse-DNS mapping.

And in this terminology, you're doing:  fDNS(HELO) == IP
That's a little better than the broken version, since you're comparing
IP addresses.  But it's still a bad idea to use HELO.  For example,
what if the mail sender likes to masquerade as example.com even though
it is actually mail.example.com?  If those two names have different
IP addresses, then your check will reject the connection.

Anyway, how many connections/day are you using this check on?
I find DNS checks to be fairly expensive due to how long they take,
on the average.  Most of them return quickly but a substantial
minority go to a broken DNS server and take the full time-out period.
Because of this I use DNS-based anti-spam measures late in the
checking process, while it sounds like you are using this as your
first line of defense.

And finally, if you want to run a check on the HELO string, I find
that just rejecting outside connections that claim a HELO of your own
hostname gets rid of a very high proportion of crapmail.  This
very simple check is successful enough that I'll probably publish
a notme_milter at some point after spfmilter gets out of beta status.
---
Jef

 Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/
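The three checks Jef names, plus his "notme" HELO check, modelled side by side over a constructed offline resolver. This is an added example, not code from the thread and not spfmilter or notme_milter; the zone data, hostnames and addresses are made up (documentation ranges), and fDNS/rDNS are plain dictionary lookups standing in for real A and PTR queries.

```python
"""Compare the HELO/DNS consistency checks discussed in the thread.

fdns(name) -> set of IPv4 addresses (forward A lookup)
rdns(ip)   -> set of names (reverse PTR lookup)
All data below is constructed for the example; nothing is looked up online.
"""
import ipaddress

# Constructed forward zone (hypothetical names and documentation-range IPs).
FORWARD = {
    "mail.example.com": {"192.0.2.10"},
    "example.com": {"192.0.2.80"},                 # web host, not the MTA
    "mx.example.net": {"198.51.100.5"},
    "5-100-51-198.isp-generic.test": {"198.51.100.5"},  # ISP's generic name
    "mail.ourdomain.test": {"203.0.113.25"},       # the receiving MTA itself
}
# Constructed reverse zone.  198.51.100.5 carries a PTR its owner does not
# control, the situation Jef raises against rDNS(fDNS(HELO)) == HELO.
REVERSE = {
    "192.0.2.10": {"mail.example.com"},
    "192.0.2.80": {"example.com"},
    "198.51.100.5": {"5-100-51-198.isp-generic.test"},
    "203.0.113.25": {"mail.ourdomain.test"},
}


def fdns(name, forward=FORWARD):
    """Forward lookup: hostname -> set of addresses (empty if unknown)."""
    return forward.get(name.lower().rstrip("."), set())


def rdns(ip, reverse=REVERSE):
    """Reverse lookup: address -> set of names (empty if no PTR)."""
    return reverse.get(str(ipaddress.ip_address(ip)), set())


def check_fcrdns(ip):
    """Jef's 'correct' check: fDNS(rDNS(IP)) == IP.  Only proves the address
    is consistently registered in DNS, not who is behind it."""
    return any(ip in fdns(name) for name in rdns(ip))


def check_helo_roundtrip(helo):
    """Jef's 'typical broken' check: rDNS(fDNS(HELO)) == HELO.  Fails for
    senders who cannot set their own PTR record."""
    return any(helo.lower() in {n.lower() for n in rdns(ip)} for ip in fdns(helo))


def check_helo_forward(helo, ip):
    """Bill's check: fDNS(HELO) == IP.  Rejects a host that masquerades as
    example.com while connecting from mail.example.com's address."""
    return ip in fdns(helo)


def check_helo_not_me(helo, my_names):
    """Jef's 'notme' idea: an outside connection must not claim our own name."""
    return helo.lower() not in {n.lower() for n in my_names}


def evaluate(helo, ip, my_names=("mail.ourdomain.test",)):
    """Run all four checks for one inbound connection and report each verdict."""
    return {
        "fcrdns": check_fcrdns(ip),
        "helo_roundtrip": check_helo_roundtrip(helo),
        "helo_forward": check_helo_forward(helo, ip),
        "helo_not_me": check_helo_not_me(helo, my_names),
    }


if __name__ == "__main__":
    for helo, ip in [("mail.example.com", "192.0.2.10"),
                     ("example.com", "192.0.2.10"),
                     ("mx.example.net", "198.51.100.5"),
                     ("mail.ourdomain.test", "192.0.2.10")]:
        print(helo, ip, evaluate(helo, ip))
```

The second and third connections are the two failure modes the post describes: a legitimate MTA announcing its bare domain fails `fDNS(HELO) == IP` even though its reverse DNS is in order, and a legitimate MTA behind an ISP-assigned PTR passes FCrDNS (which says nothing about the sender) but fails the HELO round-trip it cannot influence. Only the last connection trips the "notme" check.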


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said:
 Dennis Peterson wrote:

 There is no need to block outright from the outset.

 As I mentioned earlier, I'm getting slammed from comcast.net from relays
 all over the US. It is far easier to block by obvious dsl/cable host
 identifiers than to spend hours trying to figure out what /24 IP ranges
 to tweak. I see the problem as Comcast's, not mine. Your mileage may vary
 - I know mine did.


  The point with the above is different. Comcast had the initial, with you,
 opportunity and made a mess of it. With that level of abuse, if it's
 related to their network in any way or form, it would be blocked. Even I
 wouldn't bother with a /24 block for that level of abuse. By that point, I
 would merrily block their entire network, rhsbl and rbl, without giving it
 a second thought.

  There is no need to blanket ban every other provider's DSL yet, though :)

I'm just getting over a heart attack - I don't have time to play around
with these bastids. Time's become way too important to be playing around
with class C address space - I'm taking out whole nations now :-)

dp


[Clamav-users] Freshclam fall back to HTTP

2005-05-16 Thread Awie
All,

I cannot run Freshclam in DNS mode; it always falls back to HTTP. Below
is the message from my machine:

[EMAIL PROTECTED] root]# freshclam
ClamAV update process started at Tue May 17 12:43:32 2005
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder:
tkojm)
Reading CVD header (daily.cvd): OK (IMS)
daily.cvd is up to date (version: 880, sigs: 1312, f-level: 5, builder:
ccordes)

Then I checked the DNS resolution:

--- SNIP ---

[EMAIL PROTECTED] root]# host -t txt current.cvd.clamav.net
current.cvd.clamav.net text 0.85.1:31:881:1116300541:0

[EMAIL PROTECTED] root]# nslookup current.cvd.clamav.net
Server: 202.155.0.10
Address:202.155.0.10#53

Non-authoritative answer:
*** Can't find current.cvd.clamav.net: No answer

--

Compare to resolving yahoo.com:

---SNIP---

[EMAIL PROTECTED] root]# nslookup yahoo.com
Server: 202.155.0.10
Address:202.155.0.10#53

Non-authoritative answer:
Name:   yahoo.com
Address: 66.94.234.13
Name:   yahoo.com
Address: 216.109.112.135

---

The DNS can get the TXT record (not an A record) of current.cvd.clamav.net, so
why can't Freshclam run in DNS mode? What should I fix?

Your answer is very much appreciated.

Thx & Rgds,

Awie


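What freshclam's DNS mode is doing with that TXT record, as an added example (not freshclam's own code): parse the record Awie pasted, apply the 3-hour age test behind the first warning, and compare the advertised database versions with the local ones. The field layout assumed here (ClamAV version, main.cvd version, daily.cvd version, record timestamp, then a trailing field this example ignores) is read off the values in the post; the clock values used to exercise the age check are constructed.

```python
"""Parse the current.cvd.clamav.net TXT record quoted in the post and apply
the age and version comparisons freshclam's DNS mode reports on.
Field layout is an assumption inferred from the posted values."""
from datetime import datetime, timezone

# Copied from the post.  The freshclam run in the same post showed local
# main.cvd 31 and daily.cvd 880.
TXT_RECORD = "0.85.1:31:881:1116300541:0"
LOCAL_VERSIONS = {"main": 31, "daily": 880}
MAX_AGE_SECONDS = 3 * 3600          # the "older than 3 hours" threshold


def parse_txt(record):
    """Split the colon-separated record into named fields.
    Assumed layout: clamav_version:main_version:daily_version:timestamp[:...]"""
    fields = record.strip().split(":")
    if len(fields) < 4:
        raise ValueError("unexpected TXT record layout: %r" % record)
    try:
        return {
            "clamav_version": fields[0],
            "main": int(fields[1]),
            "daily": int(fields[2]),
            "timestamp": int(fields[3]),
        }
    except ValueError:
        raise ValueError("non-numeric field in TXT record: %r" % record)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (used for constructed clock values)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def record_time(parsed):
    """When the record was published, as an aware UTC datetime."""
    return datetime.fromtimestamp(parsed["timestamp"], tz=timezone.utc)


def record_age_seconds(parsed, now):
    """Age of the record relative to the supplied clock value."""
    return int(now.timestamp()) - parsed["timestamp"]


def is_stale(parsed, now, max_age=MAX_AGE_SECONDS):
    """True when the record is older than max_age: the condition behind the
    'DNS record is older than 3 hours' warning in the post."""
    return record_age_seconds(parsed, now) > max_age


def outdated(parsed, local=LOCAL_VERSIONS):
    """Databases whose local version is behind the advertised one,
    as {name: (local_version, advertised_version)}."""
    return {db: (ver, parsed[db]) for db, ver in local.items() if ver < parsed[db]}


if __name__ == "__main__":
    p = parse_txt(TXT_RECORD)
    print("record published:", record_time(p).isoformat())
    for clock in (utc(2005, 5, 17, 5), utc(2005, 5, 17, 7)):   # constructed clocks
        print("at", clock.isoformat(), "age", record_age_seconds(p, clock),
              "s, stale:", is_stale(p, clock))
    print("outdated:", outdated(p))
```

Run against the posted values, the record dates to 2005-05-17 03:29:01 UTC, and the advertised daily.cvd version (881) is one ahead of the 880 that the HTTP fallback reported as up to date, so the record itself was being served correctly; the stale warning depends only on the local clock relative to that timestamp.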


[Clamav-users] Rene Berber infected?

2005-05-16 Thread Damian Menscher
I've been getting plenty of those German spams, and they're almost all 
coming from prod-infinitum.com.mx.  Interestingly, I got one that 
spoofed its From: header as [EMAIL PROTECTED]  Which indicates that an 
active clamav user is infected.

So, I did the obvious thing and grepped for that domain in my mailspool. 
Turns up one hit, for Rene Berber.

Could you check your machines please?
(Yes, I realize this is circumstantial evidence, but that netblock isn't 
exactly huge, and the [EMAIL PROTECTED] address that was spoofed makes it 
pretty unlikely that it was some random person)

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-