Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

2005-03-24 Thread David Franco-Rocha



Matt,

I have discussed this subject with Scott, who 
explained a bit about how he developed this. It seems pretty straightforward, 
although it is a little confusing why some bogus file types do not have the 
banned notifications sent out and bogus COM files do. In any event, I am looking 
into the actual code now to determine the precise source of the problem and I 
should have a fix in the *very* near future.

David Franco-Rocha



Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

2005-03-24 Thread Matt




David,

Thanks for the follow up.

I did give some thought as to whether or not this might have been
purposeful, and the only thing that I could come up with is behavior in
Outlook that can at times attach Web pages using the domain name of the
site (probably when you attach a Web site's home page based on the root
reference). So sometimes these HTML attachments come as COM files by
the name, but they aren't really COM files. Declude would ban them
based on the extension despite the fact that they are legitimate. The
problem was rare however, and the sender would get a bounce since bogus
detection is fairly new to the product.

Now that these bogus file types are being detected, it creates a new
set of issues to deal with. If bogus files aren't bounced, then these
Outlook attachments' senders won't know that they have been blocked,
but on the other hand, now that a spammer has mistakenly used E-mail
addresses for naming his image attachments, the volume of bounces is
way too high to leave alone. I suppose that COM files that are encoded
as images aren't actually dangerous and could be allowed through virus
scanning, however COM files coded as Text/HTML could be dangerous and
should be blocked if specified. I therefore don't think that better
granularity would help here.

So if allowing a bannotify.eml bounce was intentional before, the
circumstances have now changed the way that should be treated. I did
notice over the months that I had a disproportionate number of COM file
bounces, but I never looked into it until this one spammer started
hitting the bogus detection. Hopefully Microsoft will fix their issues
with sending the occasional attachment with a COM extension as that is
quite stupid in this day and age :) 

Matt





David Franco-Rocha wrote:

Matt,

I have discussed this subject with Scott, who explained a bit about how he
developed this. It seems pretty straightforward, although it is a little
confusing why some bogus file types do not have the banned notifications
sent out and bogus COM files do. In any event, I am looking into the actual
code now to determine the precise source of the problem and I should have a
fix in the *very* near future.

David Franco-Rocha
  
  
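The log sequence Matt posted in this thread is what a misfired bounce looks like on disk: "Banning file with COM extension [image/gif]", then "Found a bogus .com file", then a final "Scanned: Banned file extension." result that still trips the notification. The script below is an added example written for this page, not Declude's code and not anything Matt or Declude posted; it picks that sequence out of log lines in the same format and lists the sender addresses that would have received a bounce. The log lines are constructed for the example: the first queue ID reproduces Matt's sequence, while the other two queue IDs, every address, and the regular expressions are this example's own assumptions about the log format rather than a published Declude specification.

```python
"""Added example (not Declude's code): triage Declude Virus log lines and
flag queue IDs where a 'bogus' verdict did not suppress the
banned-extension notification. Regexes and sample lines are assumptions
built from the one snippet in this thread."""
import re
from collections import defaultdict

# One log line: timestamp, queue ID, free text (layout copied from Matt's snippet).
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
BAN_EXT = re.compile(r"Banning file with (\w+) extension \[([^\]]+)\]")
BOGUS = re.compile(r"Found a bogus \.(\w+) file")
RESULT = re.compile(r"Scanned: (.+?)\. \[")
FROM = re.compile(r"From: (\S+) To: (\S+)")

# Constructed log. Queue Qbd6eb1a701040a54 reproduces Matt's sequence; the
# other two queues (a genuine COM ban and a second misfire) are made up.
SAMPLE_LOG = """\
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file: [text/html][quoted-printable; Length=5395 Checksum=490002]
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file: alice@forged.example [base64; Length=6414 Checksum=850887]
03/16/2005 00:00:31 Qbd6eb1a701040a54 Banning file with COM extension [image/gif].
03/16/2005 00:00:31 Qbd6eb1a701040a54 Found a bogus .com file
03/16/2005 00:00:31 Qbd6eb1a701040a54 Scanned: Banned file extension. [Prescan OK][MIME: 3 12614]
03/16/2005 00:00:31 Qbd6eb1a701040a54 From: alice@forged.example To: user@example.net
03/16/2005 00:00:31 Qbd6eb1a701040a54 Subject: denigrate cosmetic scene serge midshipman
03/16/2005 00:01:02 Qc0ffee00000000a2 MIME file: setup.com [base64; Length=1024 Checksum=123456]
03/16/2005 00:01:02 Qc0ffee00000000a2 Banning file with COM extension [application/octet-stream].
03/16/2005 00:01:02 Qc0ffee00000000a2 Scanned: Banned file extension. [Prescan OK][MIME: 2 1500]
03/16/2005 00:01:02 Qc0ffee00000000a2 From: carol@partner.example To: user@example.net
03/16/2005 00:02:15 Qc0ffee00000000a3 Banning file with COM extension [image/gif].
03/16/2005 00:02:15 Qc0ffee00000000a3 Found a bogus .com file
03/16/2005 00:02:15 Qc0ffee00000000a3 Scanned: Banned file extension. [Prescan OK][MIME: 3 9000]
03/16/2005 00:02:15 Qc0ffee00000000a3 From: bob@forged.example To: user@example.net
"""


def parse(log_text):
    """Group the free-text part of each line by queue ID, preserving order."""
    per_queue = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.rstrip())
        if m:
            per_queue[m.group(2)].append(m.group(3))
    return per_queue


def assess(events):
    """Summarise one queue ID and flag a notification misfire: a bogus
    verdict whose final result is still 'Banned file extension'."""
    s = {"banned_ext": None, "declared": None, "bogus": False,
         "result": None, "sender": None}
    for text in events:
        if m := BAN_EXT.search(text):
            s["banned_ext"], s["declared"] = m.group(1), m.group(2)
        elif BOGUS.search(text):
            s["bogus"] = True
        elif m := RESULT.search(text):
            s["result"] = m.group(1)
        elif m := FROM.search(text):
            s["sender"] = m.group(1)
    s["notify_misfire"] = s["bogus"] and s["result"] == "Banned file extension"
    return s


def misfires(log_text):
    """Queue IDs for which a bannotify bounce would have gone out for a bogus file."""
    return {q: assess(ev) for q, ev in parse(log_text).items()
            if assess(ev)["notify_misfire"]}


def backscatter_targets(log_text):
    """Sender addresses (forged, in Matt's case) that would receive those bounces."""
    return {s["sender"] for s in misfires(log_text).values() if s["sender"]}


if __name__ == "__main__":
    for qid, s in misfires(SAMPLE_LOG).items():
        print(f"{qid}: {s['banned_ext']} extension declared {s['declared']} -> bogus, "
              f"but result '{s['result']}' would bounce to {s['sender']}")
    print("senders that would get backscatter:", sorted(backscatter_targets(SAMPLE_LOG)))
```

Run against a real log, the set returned by `backscatter_targets` is the list of addresses your server would have bounced to for no good reason; its size is the number Matt counted by hand (over 200 in 12 hours). The genuine ban in queue Qc0ffee00000000a2 is not flagged, because no "Found a bogus" line precedes its result.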

Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

2005-03-21 Thread Matt
There seems to be a bug in all versions where a bogus COM file is still 
bounced as a banned extension (unlike other 'bogus' types that are 
detected).

The workaround is to add SKIPIFEXT COM to the top of your 
bannotify.eml, however this will stop all bounces for COM files 
regardless of whether or not they are found to be 'bogus'.

Matt

Don Schreiner wrote:
I am getting a lot of postmaster rejects from bad addresses after turning on
BANEXT for COM attachments. I would like to exclude notifications on my
BANnotify.EML file. Can I do this by inserting SKIPIFBANEXTNAMEHAS COM at
the top of the EML file? I am just guessing based on the feature to use
SKIPIFVIRUSNAMEHAS VIRUS_NAME.
I am still sitting on 1.82 waiting until comfortable with upgrade. I have
looked for the Declude Manuals on the site but see no reference other than
the install manual? I got to tell you guys the Declude site is a real pain
in the rear finding the manuals. I logged on to my account which is no use.
It does not have either of my 2 licenses listed. Nor does it have any links
to the manual. I even downloaded the most recent release version and I see
no readme.txt or manual there either. 

Ohh well... any assistance on the BANEXT COM and excluding the notify for
same on EML file would be most appreciated. Thanks.
-Don
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

2005-03-21 Thread David Franco-Rocha
Don,
The manuals are on the web site. Select Tech Support at the top of the page 
and you will be taken to links for the manuals.

As for the bogus COM file issue, we understand that this is a problem and 
are looking into ways to resolve it.

David Franco-Rocha
- Original Message - 
From: Don Schreiner [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, March 21, 2005 7:48 AM
Subject: [Declude.JunkMail] Exclude BABEXT Notify for COM


I am getting a lot of postmaster rejects from bad addresses after turning on
BANEXT for COM attachments. I would like to exclude notifications on my
BANnotify.EML file. Can I do this by inserting SKIPIFBANEXTNAMEHAS COM at
the top of the EML file? I am just guessing based on the feature to use
SKIPIFVIRUSNAMEHAS VIRUS_NAME.

I am still sitting on 1.82 waiting until comfortable with upgrade. I have
looked for the Declude Manuals on the site but see no reference other than
the install manual? I got to tell you guys the Declude site is a real pain
in the rear finding the manuals. I logged on to my account which is no use.
It does not have either of my 2 licenses listed. Nor does it have any links
to the manual. I even downloaded the most recent release version and I see
no readme.txt or manual there either.

Ohh well... any assistance on the BANEXT COM and excluding the notify for
same on EML file would be most appreciated. Thanks.
-Don


RE: [Declude.JunkMail] Exclude BABEXT Notify for COM

2005-03-21 Thread Don Schreiner
Matt,

This will work for the meantime and thank you very much!

-Don

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, March 21, 2005 8:17 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

There seems to be a bug in all versions where a bogus COM file is still 
bounced as a banned extension (unlike other 'bogus' types that are 
detected).

The workaround is to add SKIPIFEXT COM to the top of your 
bannotify.eml, however this will stop all bounces for COM files 
regardless of whether or not they are found to be 'bogus'.

Matt



--
CompBiz.Net scanned for Virus'




Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

2005-03-21 Thread David Franco-Rocha
Matt,
I would like to clarify one issue:
Are you saying that the specific issue is that notifications are erroneously 
being sent for bogus COM files and that the issue is *not* whether bogus COM 
files are being accurately detected?

David Franco-Rocha
- Original Message - 
From: Matt [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, March 21, 2005 8:16 AM
Subject: Re: [Declude.JunkMail] Exclude BABEXT Notify for COM


There seems to be a bug in all versions where a bogus COM file is still 
bounced as a banned extension (unlike other 'bogus' types that are 
detected).

The workaround is to add SKIPIFEXT COM to the top of your bannotify.eml, 
however this will stop all bounces for COM files regardless of whether or 
not they are found to be 'bogus'.

Matt



Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

2005-03-21 Thread Matt




David,

I posted some log snippets last week on the Declude Virus list that
show what is happening.

Yes, the notifications are being sent in error. These COM files are
being detected by Declude Virus as "Bogus", and the proper behavior is
for the bogus identification to override the banned extension, and
disable the sending of the banname.eml file. This is how other bogus
files are handled. Essentially bogus file detection should work
exactly the same as vulnerabilities and disable such notifications.

What is happening currently that has exposed this flaw is that one active
zombie spammer is randomizing the name of an image attachment using a
forged E-mail address, most of which end with COM. Declude sees a COM
extension but finds a GIF in the BASE64 code, which is not a COM file
and therefore bogus. Due to the volume and the fact that these are
tripping the banname.eml file, there is a huge volume of postmaster
bounces from undeliverable E-mail (I got over 200 in just 12 hours
before applying the workaround).
Log Snippet
===
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file:
[text/html][quoted-printable; Length=5395 Checksum=490002]
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file: [EMAIL PROTECTED]
[base64; Length=6414 Checksum=850887]
03/16/2005 00:00:31 Qbd6eb1a701040a54 Banning file with COM extension
[image/gif].
03/16/2005 00:00:31 Qbd6eb1a701040a54 Found a bogus .com file
03/16/2005 00:00:31 Qbd6eb1a701040a54 Scanned: Banned file extension.
[Prescan OK][MIME: 3 12614]
03/16/2005 00:00:31 Qbd6eb1a701040a54 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
03/16/2005 00:00:31 Qbd6eb1a701040a54 Subject: denigrate cosmetic
scene serge midshipman

MIME Snippet
===
--=_NextPart_000_00QP_00N2764VQ_00Y.154D01N0
Content-Type: image/gif;
 name="[EMAIL PROTECTED]"
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]


Matt



David Franco-Rocha wrote:
Matt,

I would like to clarify one issue:

Are you saying that the specific issue is that notifications are
erroneously being sent for bogus COM files and that the issue is *not*
whether bogus COM files are being accurately detected?

David Franco-Rocha

- Original Message - From: "Matt" [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, March 21, 2005 8:16 AM
Subject: Re: [Declude.JunkMail] Exclude BABEXT Notify for COM
  
  
  
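The mismatch Matt describes (an attachment whose name ends in .com but whose base64 body decodes to a GIF) and the notification rule he asks for (a bogus verdict should override the banned extension and suppress the bounce, as a virus hit does) can both be written down as code. The Python below is an added example for this page; it is not Declude's code, and nothing about Declude's internals is taken from it. The magic-byte table, the banned-extension list, the `should_notify` policy and the three constructed messages are this example's own assumptions; only the MIME layout (an image/gif part with `name=` on Content-Type, base64 encoded, with a Content-ID) mirrors the snippet in the thread.

```python
"""Added example for this page; not Declude's code and not taken from
anyone in the thread. It classifies attachments the way the thread
describes (a .com name whose decoded bytes are a GIF is "bogus") and
applies the notification rule Matt asks for: a bogus verdict overrides
the banned extension and suppresses the bounce, like a virus hit would.
MAGIC, BANNED_EXTENSIONS, should_notify() and the three constructed
messages are this example's own assumptions.
"""
import base64
import email
from email import policy

# Assumed content signatures. A DOS .COM file has no magic at all, so a
# "genuine" COM is a banned extension whose bytes match no other type.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"PK\x03\x04": "application/zip",
    b"MZ": "application/x-dosexec",
}
EXECUTABLE_TYPES = {"application/x-dosexec"}
BANNED_EXTENSIONS = {"com", "exe", "pif", "scr", "bat"}  # assumed BANEXT list


def sniff(data: bytes):
    """MIME type implied by the leading bytes, or None if unknown."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None


def extension_of(filename):
    """'someone@example.com' -> 'com'; no dot -> ''."""
    if not filename or "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def classify_part(part):
    """Verdict for one MIME leaf: 'clean', 'banned' or 'bogus'."""
    filename = part.get_filename()  # Content-Disposition filename, else Content-Type name
    data = part.get_payload(decode=True) or b""  # base64 / quoted-printable undone
    ext, sniffed = extension_of(filename), sniff(data)
    banned = ext in BANNED_EXTENSIONS
    # bogus: banned extension, but the bytes are a known non-executable type
    bogus = banned and sniffed is not None and sniffed not in EXECUTABLE_TYPES
    return {"filename": filename, "ext": ext, "declared": part.get_content_type(),
            "sniffed": sniffed,
            "verdict": "bogus" if bogus else "banned" if banned else "clean"}


def scan(raw: bytes):
    """Classify every non-container part that carries a file name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [classify_part(p) for p in msg.walk()
            if p.get_content_maintype() != "multipart" and p.get_filename()]


def should_notify(results):
    """Send bannotify only for a genuine banned file; any bogus part wins.
    The bounce still goes to From:, which in Matt's case is forged."""
    verdicts = {r["verdict"] for r in results}
    return "bogus" not in verdicts and "banned" in verdicts


def make_message(filename, content_type, data: bytes) -> bytes:
    """Constructed message in the shape of the MIME snippet in the thread."""
    b64 = base64.b64encode(data).decode()
    return (
        "From: sender@example.com\r\nTo: victim@example.net\r\n"
        "Subject: denigrate cosmetic scene serge midshipman\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="=_NextPart_000_0001"\r\n\r\n'
        "--=_NextPart_000_0001\r\n"
        'Content-Type: text/html; charset="us-ascii"\r\nContent-Transfer-Encoding: 7bit\r\n\r\n'
        '<html><body><img src="cid:img1@example.com"></body></html>\r\n'
        "--=_NextPart_000_0001\r\n"
        f'Content-Type: {content_type};\r\n name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\nContent-ID: <img1@example.com>\r\n\r\n"
        f"{b64}\r\n--=_NextPart_000_0001--\r\n"
    ).encode()


# Constructed inputs: the spammer's GIF named like an address, a tiny real
# DOS program (mov ah,4Ch / int 21h = exit), and an honestly named GIF.
GIF_1X1 = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
COM_EXIT = b"\xb4\x4c\xcd\x21"
SPAM_GIF_AS_COM = make_message("someone@example.com", "image/gif", GIF_1X1)
REAL_COM = make_message("tool.com", "application/octet-stream", COM_EXIT)
HONEST_GIF = make_message("pic.gif", "image/gif", GIF_1X1)

if __name__ == "__main__":
    for label, raw in [("gif-as-com", SPAM_GIF_AS_COM), ("real-com", REAL_COM),
                       ("gif", HONEST_GIF)]:
        res = scan(raw)
        print(label, [r["verdict"] for r in res], "notify:", should_notify(res))
```

The GIF named like an address comes back `bogus` with no notification, the real COM program `banned` with one, and the honestly named GIF `clean`. Note that even the `banned` case notifies whatever is in From:, which is why the thread's workaround (SKIPIFEXT COM at the top of bannotify.eml) trades the COM bounce away entirely; the stricter alternative is to notify only when the sender is known to be real, since a banned-attachment bounce to a forged address is just backscatter.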