Re: [Clamav-users] RE: Report infected mail to the user
Jan Pieter Cornet wrote:
> I believe it's way easier to do the opposite: list only viruses that do NOT fake the sender. The only ones you'd expect to find in email are things like eicar, joke and macro viruses.

I just check for a small list (Mimail, Sober, etc.), plus anything that starts with Worm. or contains @mm. @MM is used by Norton, McAfee and others to indicate a worm that does its own mass mailing. Yeah, the criteria are slightly different -- it's looking for self-mailers and worms rather than specifically self-mailers that forge the sender -- but it does the job here.

-- 
Kelson Vibber
SpeedGate Communications, www.speed.net

___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Michael wrote:
> > But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus...
>
> Ok, I see you must have experience. Are there really so many virus senders who specify a fake, REALLY EXISTING mail address?

YES! All major email viruses do that these days. The virus makes a list of email addresses, whether from an address book, cached web pages, local documents, a Google search, etc. Many viruses just pick two of those addresses at random and use one for the sender and the other for the recipient. Others just pick the recipient and choose a likely admin address for their domain, like [EMAIL PROTECTED], [EMAIL PROTECTED], etc. -- and those often exist.

-- 
Kelson Vibber
SpeedGate Communications, www.speed.net
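The two posts above describe two opposite ways of deciding whether the address a virus mail claims as its sender should be notified at all: Jan Pieter's allowlist (notify only for detections known not to forge the sender) and Kelson's blocklist (notify unless the name marks a self-mailer). The following is an added example written for this page, not code from either poster or from ClamAV; the regular expressions, the name lists and the sample detection names other than Eicar-Test-Signature and Trojan.JS.RunMe are assumptions and constructed values. It implements both policies over ClamAV-style detection names and shows where they disagree, which is the point of "the criteria are slightly different":

```python
import re

# Added example, not code from the list posts. Marker lists and patterns are
# assumptions in ClamAV's naming style; extend them for your own environment.

# Kelson's rule: names that indicate a self-mailing worm, i.e. a forged sender.
SELF_MAILER_NAMES = ("mimail", "sober")                 # the "small list" from the post
SELF_MAILER_PATTERN = re.compile(r"^worm\.|@mm", re.IGNORECASE)

# Jan Pieter's rule: the only detections that do NOT fake the sender
# (test file, jokes, macro viruses). Macro prefixes are assumptions.
NON_FORGING_PATTERN = re.compile(r"^eicar|^joke\.|macro|^w97m\.|^x97m\.", re.IGNORECASE)


def forges_sender(virus_name: str) -> bool:
    """Blocklist policy: True when the detection name marks a self-mailer."""
    lowered = virus_name.lower()
    if SELF_MAILER_PATTERN.search(lowered):
        return True
    return any(marker in lowered for marker in SELF_MAILER_NAMES)


def notify_sender_blocklist(virus_name: str) -> bool:
    """Kelson's policy: notify unless the name says the sender is forged."""
    return not forges_sender(virus_name)


def notify_sender_allowlist(virus_name: str) -> bool:
    """Jan Pieter's policy: notify only for detections known not to forge."""
    return NON_FORGING_PATTERN.search(virus_name) is not None


def plan_action(virus_name: str, envelope_sender: str, policy=notify_sender_blocklist):
    """Decide what the filter does with one infected message.

    envelope_sender is only what the message claims (see the thread): it is
    used as a notification target, never as evidence of who really sent it.
    """
    if policy(virus_name):
        return ("notify", envelope_sender)
    return ("discard", None)          # a bounce here would be backscatter


def compare_policies(names):
    """Return {name: (blocklist_verdict, allowlist_verdict)} for inspection."""
    return {n: (notify_sender_blocklist(n), notify_sender_allowlist(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names; only the Eicar and RunMe names appear on the page.
    samples = ["Worm.Example-1", "W32.Example@mm", "W32.Mimail.Example",
               "Eicar-Test-Signature", "Joke.Example", "Trojan.JS.RunMe"]
    for name, (block, allow) in compare_policies(samples).items():
        print(f"{name:22} blocklist={block!s:5} allowlist={allow}")
```

Running it shows the two policies agree on worms, `@mm` names and the Eicar test file, but split on a generic trojan such as Trojan.JS.RunMe: the blocklist notifies (it is not a known self-mailer), the allowlist stays silent (it is not on the short list of non-forgers). Either way the decision is only about whether to send a notice; it never treats the claimed sender as trustworthy.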
Re: [Clamav-users] Triggering freshclam with procmail
Harry Phillips wrote:
> I was wondering if it is possible and if it is advisable to trigger freshclam when I receive a message that the daily database has been updated.

I used to do this, but it's no longer necessary now that freshclam can check for updates via a DNS query. You can run it as a daemon, or hourly via cron and not put too much load on the update servers. Linking it to the mailing list no longer provides much of an advantage.
Re: [Clamav-users] Downloading clam virus definition files automatically
At 02:13 AM 8/20/2004, Fajar A. Nugraha wrote:
> Nigel Horne wrote:
> > Is it possible to use HEAD to reduce load?
>
> I believe it already uses RANGE, so traffic-wise the load is greatly reduced.

Wouldn't it be more efficient to use Etags and/or If-Modified-Since and let the server issue a 304 Not Modified response? HTTP has built-in methods to help clients avoid downloading duplicate files. (In theory, the server could issue this response without even opening the file.) Pardon me if this has been covered in one of the recent threads -- after a while they got so long that I gave up reading them.

Kelson Vibber
SpeedGate Communications
www.speed.net

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
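To make the 304 suggestion concrete, here is an added example of the conditional-request exchange the reply describes, written for this page and not taken from freshclam or the ClamAV mirrors. Both sides are modelled as plain functions so it runs offline: `serve` is the mirror's decision logic (ETag checked first, then If-Modified-Since, per the HTTP validation rules) and `poll` is what a freshclam-like client would do on each check. The resource dict, the payload bytes and the timestamps are constructed values:

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime

# Added example, not code from the thread or from ClamAV. The "resource" is a
# constructed stand-in for a database file on a mirror: {"body": bytes,
# "mtime": int seconds since the epoch}.


def make_etag(body: bytes) -> str:
    """A strong ETag derived from content; any stable per-version token works."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def response_headers(resource: dict) -> dict:
    return {
        "ETag": make_etag(resource["body"]),
        # HTTP-date has one-second resolution, so mtime is kept as an integer.
        "Last-Modified": formatdate(resource["mtime"], usegmt=True),
    }


def serve(request_headers: dict, resource: dict):
    """Mirror side. Returns (status, headers, body); a 304 carries no body.

    If-None-Match takes precedence over If-Modified-Since; a client that has
    nothing cached sends neither and simply gets the whole file.
    """
    headers = response_headers(resource)
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        if "*" in tags or headers["ETag"] in tags:
            return 304, headers, b""
    else:
        ims = request_headers.get("If-Modified-Since")
        if ims:
            try:
                since = parsedate_to_datetime(ims).timestamp()
            except (TypeError, ValueError):
                since = None            # unparsable date: ignore the condition
            if since is not None and resource["mtime"] <= since:
                return 304, headers, b""
    return 200, headers, resource["body"]


def build_conditional_headers(cached: dict) -> dict:
    """Client side: turn the cached copy's validators into request headers."""
    req = {}
    if cached.get("ETag"):
        req["If-None-Match"] = cached["ETag"]
    if cached.get("Last-Modified"):
        req["If-Modified-Since"] = cached["Last-Modified"]
    return req


def poll(cached: dict, resource: dict):
    """One client check. Returns (status, cache); the cache changes only on 200."""
    status, headers, body = serve(build_conditional_headers(cached), resource)
    if status == 200:
        cached = {"ETag": headers["ETag"],
                  "Last-Modified": headers["Last-Modified"],
                  "body": body}
    return status, cached


if __name__ == "__main__":
    daily = {"body": b"constructed daily.cvd payload, version 444", "mtime": 1092960000}
    status, cache = poll({}, daily)            # first fetch: 200, full download
    print(status, len(cache["body"]), "bytes")
    status, cache = poll(cache, daily)         # unchanged: 304, no body transferred
    print(status)
    daily = {"body": b"constructed daily.cvd payload, version 445", "mtime": daily["mtime"] + 3600}
    status, cache = poll(cache, daily)         # new version: 200 again
    print(status, cache["ETag"])
```

The design point is that the client only ever stores what the server handed it (ETag and Last-Modified) and echoes it back, so the server can answer 304 from file metadata alone, which is the "without even opening the file" case in the reply. A Range request, by contrast, still transfers data when nothing changed unless the client already knows the file length.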
Re: [Clamav-users] New virus/worm ???
At 10:58 AM 8/9/2004, Michael Brennen wrote:
> Just in the last few minutes I've started getting hit with several copies of a zip-packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?

Tons of 'em. Run freshclam -- update 444 picks it up as Trojan.JS.RunMe.

Kelson Vibber
SpeedGate Communications
www.speed.net
Re: [Clamav-users] Ethics Question
At 08:19 PM 6/10/2004, Bit Fuzzy wrote:
> At this point we are looking at 2 options.
> 1) Block offending IPs as they occur. -- Effective, but could be aggravating to potential customers

For about a month, we've been adding virus-generating IPs to a local blacklist with a 4-day expiration. It's a compromise, since it's possible for the IP to get reassigned during that time, but it has helped cut down our server load, and we've had two customers discover they were infected when they couldn't send email.

Then there was the one that tried to forward a virus message to an outside consultant asking "Should we be concerned about this?" I forget whether it had come in through another channel or just before freshclam picked up the signature, but they ended up on our blacklist because of the forward. So there are risks to anything.

Kelson Vibber
SpeedGate Communications
www.speed.net
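The reply above describes a sender-IP blacklist whose entries lapse after four days, which is what limits the damage when an address is reassigned. As an added example for this page (not the poster's own tooling, whose format is unknown), the following keeps such a list keyed by expiry time and feeds it from scanner verdicts. The log line layout, the field names and the addresses (RFC 5737 documentation ranges) are constructed for the example; only the four-day TTL comes from the post:

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Added example, not from the list post. Expiry-keyed blocklist for sending
# IPs that delivered infected mail, with the 4-day lapse described in the reply.

DEFAULT_TTL = timedelta(days=4)


class ExpiringBlocklist:
    def __init__(self, ttl: timedelta = DEFAULT_TTL):
        self.ttl = ttl
        self._expires = {}                 # ip (str) -> datetime when it lapses

    def add(self, ip: str, now: datetime) -> None:
        """Add or refresh an entry; a repeat offender gets a fresh 4 days."""
        addr = ipaddress.ip_address(ip)    # rejects garbage before it reaches the list
        self._expires[str(addr)] = now + self.ttl

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self._expires.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._expires[ip]          # lazy purge on lookup
            return False
        return True

    def purge(self, now: datetime) -> int:
        """Drop every lapsed entry; returns how many were removed."""
        lapsed = [ip for ip, until in self._expires.items() if now >= until]
        for ip in lapsed:
            del self._expires[ip]
        return len(lapsed)

    def active(self, now: datetime) -> list:
        self.purge(now)
        return sorted(self._expires)


def parse_verdict_line(line: str):
    """Constructed format: '<ISO-8601 time> <client ip> <OK|FOUND> [name]'."""
    parts = line.split(maxsplit=3)
    when = datetime.fromisoformat(parts[0])
    return when, parts[1], parts[2], (parts[3] if len(parts) > 3 else "")


def process_log(lines, blocklist: ExpiringBlocklist):
    """Apply each verdict in order; returns [(time, ip, action)]."""
    actions = []
    for line in lines:
        when, ip, verdict, _name = parse_verdict_line(line)
        if blocklist.is_blocked(ip, when):
            actions.append((when, ip, "rejected"))   # connection refused at SMTP time
        elif verdict == "FOUND":
            blocklist.add(ip, when)
            actions.append((when, ip, "listed"))
        else:
            actions.append((when, ip, "accepted"))
    return actions


# Constructed sample verdicts spanning five days.
SAMPLE_LOG = [
    "2004-06-10T20:19:00+00:00 192.0.2.10 FOUND Worm.Example-1",
    "2004-06-10T20:20:00+00:00 198.51.100.7 OK",
    "2004-06-11T09:00:00+00:00 192.0.2.10 OK",             # still listed: rejected
    "2004-06-14T20:18:59+00:00 192.0.2.10 OK",             # one second before lapse
    "2004-06-14T20:19:00+00:00 192.0.2.10 OK",             # entry has lapsed: accepted
    "2004-06-15T08:00:00+00:00 203.0.113.5 FOUND Worm.Example-2",
]

if __name__ == "__main__":
    bl = ExpiringBlocklist()
    for when, ip, action in process_log(SAMPLE_LOG, bl):
        print(when.isoformat(), ip, action)
    print("active:", bl.active(datetime(2004, 6, 15, 9, tzinfo=timezone.utc)))
```

The customer-forwards-a-virus case from the reply is visible in this design: a FOUND verdict lists the client regardless of why it sent the file, so anyone relaying through the listed address is refused until the entry lapses. Expiry is checked against the event's own timestamp rather than wall-clock time, which makes replaying a log deterministic.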
Re: [Clamav-users] ERROR: You must specify at least one database mirror.
At 05:59 AM 5/12/2004, Marc wrote:
> It could be that freshclam.conf is installed in /usr/local/etc (which is the default for clamav) after installing clamav 0.70 manually.

Also, wherever it is, check the permissions on freshclam.conf and the path leading to it. It should be readable by the user that is calling freshclam.

Kelson Vibber
SpeedGate Communications
www.speed.net
Re: [Clamav-users] Recommendation RedHat replacement
At 11:57 AM 5/10/2004, Bora wrote:
> Sorry, this may not be appropriate to post here, but I know many of you are using RH and are figuring new options as they are no longer offering free download for RH 7, 8 and 9.

Actually, you *can* still download older versions of RH from their FTP site. Just pick a mirror and look in the pub/redhat/linux area. But I assume you meant getting updates...

> So the question is, what do you recommend moving to? SuSE, Mandrake? I want to use something similar so I don't have to learn new tools and admin tasks.

We're keeping existing servers on Red Hat for now, and using updates from the Fedora Legacy project - www.fedoralegacy.org . Fedora Legacy intends to keep RHL 7.3 and 9 (and possibly 8) going as long as there is interest, and also to extend the update period of each Fedora Core version beyond its own official end-of-life.

Another option for keeping older RHL systems running is the $5/machine/month Progeny Transition Service - http://transition.progeny.com/

As for what to put on new servers, we haven't decided yet here. I've had good experiences with Fedora Core 1 on workstations, but we'll probably avoid using it on servers for now. If you're interested, it's at http://fedora.redhat.com/ . FC1 really is Red Hat 10 renamed, so it has all the same tools you're used to, and most of the third-party packagers building for RHL have started building for Fedora Core as well. Plus it's the only distro you can upgrade a RHL system to without reinstalling.

If you like the way Red Hat works, there are also several RH-based distros you can look at. The only one I've really checked out so far is White Box Enterprise Linux ( www.whiteboxlinux.org ) which is a fork of the GPL'ed code used in RHEL 3 - and since everything in Red Hat is GPL except the name and logos, it's basically the whole thing. (Well, fork isn't the best term, since the intent is to keep it as close as possible to RH without violating trademarks, copyrights, and licenses.)

It uses the same packaging scheme and the same versions of everything, so third-party RPMs built for RHEL 3 should also work on WBEL. I installed it on a test box, and while I haven't done a whole lot with it, I haven't run into any problems with what I have tried.

I hope this helps!

Kelson Vibber
SpeedGate Communications
www.speed.net