[Declude.Virus] AVG reports "SPAM" as "VIRUS"!

2010-05-12 Thread Andy Schmidt
Hi,

For the past few days, I'm seeing AVG suddenly reporting a virus "SPAM":

Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 19,499
Virus Infected Messages: 232
Percentage Infected: 1.19%

VIRUS    # INFECTED    PERCENTAGE
SPAM     232           1.19%

resulting in these SMTP headers:

X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])].

and these reports:

q061a000274936c02.smd AVG Reports VIRUS: Spam
q061a000274936c02.smd File(s) are INFECTED [Spam: 7]
q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424]
q061a000274936c02.smd From: bloodiest...@rcbassociats.com To: elopre...@??? [incoming from 41.218.0.202]
q061a000274936c02.smd Subject: Please attention!

This causes a whole bunch of problems, e.g.

a) I am unable to 'weigh' this "Spam" with other factors BEFORE it gets
blocked.

b) It bypasses the "WhiteList" feature (from the user's Webmail
Contacts)

c) It's treated like a "Virus", hundreds of the configured virus
notices are being emailed, etc.

While I'm certainly in favor of any additional SPAM detection - but then it
needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just
"dumped" into the regular virus handling!

If AVG reports to Declude the virus name "Spam", then Declude MUST recognize
that and NOT treat it like a virus (or at least give us a config option NOT
to.)

Best Regards,

Andy

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] AVG reports "SPAM" as "VIRUS"!

2010-05-12 Thread David Barker
Andy,

AVG is not integrated with Declude JM, this is AVG reporting the name of the
virus as spam.

Now, something may have changed that AVG is now detecting spam in their
signatures; however, we were not made aware of this by AVG. I will look further
into this.

As much as we do appreciate your feedback, which helps identify such
problems, in some things it may be more helpful to first approach
supp...@declude.com or myself, dbar...@declude.com, before engaging
everyone on the list. Your assumptions of "PROPERLY IMPLEMENTED as part of
Declude JunkMail not just "dumped" into the regular virus handling!" and
"Declude MUST recognize that and NOT treat it like a virus" are rather harsh
to be posting without having all the facts to begin with.

Thanks

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com


RE: [Declude.Virus] AVG reports "SPAM" as "VIRUS"!

2010-05-12 Thread Andy Schmidt
Dave,

I'm aware it's integrated in Declude Virus - that's why I chose the CORRECT
list to discuss this.

I referenced Declude Junkmail, because IF AVG is now reporting "SPAM", then
THAT part SHOULD be handled as part of Declude Junkmail NOT as Declude
Virus.

I choose to use the list, whenever I have expended some time to track down a
situation and realize that this will affect all users and thus will save
everyone time from working on the same issue. That's the whole point of the
list!

Consequently, whenever AVG stops working altogether (which was doubted both
times when I discovered it - until eventually it was determined to have been
a problem after all), I will continue to report this on the list, because
everyone needs to be aware that their internal scanner may be
non-functioning for extended periods of time. The alternative would be for
Declude to post an alert!

When I notice that the Sniffer implementation has objectively incorrect or
incomplete sample files, or has sample files that don't make it obvious
that some IP based results will be triple-counted, then I feel justified in
discussing this on the list as this will benefit OTHER users who don't have
to re-learn what took me days to figure out.

I will post on the list whenever I'm hoping to solicit feedback from a
broader audience, to see if a situation I encountered was "isolated" or
turns out to be more widespread.

I will contact support@ whenever I suspect that I may have an isolated
problem that needs to be analyzed first.

In my opinion, I usually use the appropriate "venue". But I accept that you
may disagree and prefer that the list is quiet.

Best Regards,

Andy


RE: [Declude.Virus] AVG reports "SPAM" as "VIRUS"!

2010-05-12 Thread David Barker
Andy,

My point was not that one shouldn't post to the list. We appreciate user
input no matter how we feel about it; an open forum is very important for
both Declude and users. All I am saying is if you had emailed us first then
we could strike the assumption that we "dumped" a new spam test into virus
handling as you suggested.

"While I'm certainly in favor of any additional SPAM detection - but then it
needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just
"dumped" into the regular virus handling!"

And then we could focus on the real issue of why is AVG reporting SPAM.
Working together to solve a problem is the goal, so let's rule out the
things we know it is not.

David


RE: [Declude.Virus] AVG reports "SPAM" as "VIRUS"!

2010-05-12 Thread Andy Schmidt
Dave - you are right! This appears to be a matter of poor "labeling" by AVG -
and has nothing to do with Declude.

I have since looked through a large sample of held emails and they either
are well crafted short "Notices" about a supposed change in SMTP, POP
settings - which even lists the person's email address, and a warning to
"carefully" read the enclosed "instructions" before making changes. Then
there is a link to a ZIP file (which likely will be a virus).

The other group of emails deals with a supposed non-deliverable DHL package
that one needs to pick up at the post office after printing the attached
label (with the link to a zip file).

All appears to be emails with links to malicious pages. In that respect, one
can't argue that Declude Virus is the appropriate place to catch that (but
then it's inconsistent for AVG to detect it with a label "Spam").

You are further correct, that AVG has done a good job catching this one. I
ran it past ClamD and the latest McAfee hourly signature - and neither
flagged those emails.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, May 12, 2010 12:20 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG reports "SPAM" as "VIRUS"!

 

Looks like it is part of their virus signatures, and the only line in the
email was: http://glunis.g**glegroups.com/web/setup.zip

We could request that they change the name. If not, we will have to make a
translation in our code to accommodate this.

File 45710617.eml received on 2010.05.12 16:16:29 (UTC)
Result: 1/41 (2.44%)
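
An added example, not part of the original thread and not Declude's or AVG's code: one way an administrator could audit a virus log for the situation discussed here, grouping the per-message report lines from the first post by spool file and separating detections whose reported name is a category label such as "Spam" from named malware. The line layout is inferred only from the five lines quoted in the thread; the second spool record, the name "Worm/Example.A" and the GENERIC_LABELS set are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# First five lines are from the thread (wrapped line joined); the q0000...smd record is constructed.
SAMPLE_LOG = """\
q061a000274936c02.smd AVG Reports VIRUS: Spam
q061a000274936c02.smd File(s) are INFECTED [Spam: 7]
q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424]
q061a000274936c02.smd From: bloodiest...@rcbassociats.com To: elopre...@??? [incoming from 41.218.0.202]
q061a000274936c02.smd Subject: Please attention!
q0000000000000001.smd AVG Reports VIRUS: Worm/Example.A
q0000000000000001.smd From: a@example.test To: b@example.test [incoming from 192.0.2.10]
q0000000000000001.smd Subject: AVG Reports VIRUS: Spam
"""
GENERIC_LABELS = {"spam"}  # assumption: names that are categories, not malware families

LINE = re.compile(r"^(?P<spool>\S+\.smd)\s+(?P<rest>.*)$")
SUBJECT = re.compile(r"^Subject:\s*(?P<subject>.*)$")
SENDER = re.compile(r"^From:.*\[incoming from (?P<ip>[0-9A-Fa-f.:]+)\]$")
VERDICT = re.compile(r"^(?P<scanner>\S+) Reports VIRUS:\s*(?P<name>.+)$")

def parse_log(text):
    """Group log lines by spool file into {spool: {virus, ip, subject}}."""
    records = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rec, rest = records[m["spool"]], m["rest"]
        # Subject/From text is sender-controlled: match it first so it is never read as a verdict.
        if s := SUBJECT.match(rest):
            rec["subject"] = s["subject"]
        elif s := SENDER.match(rest):
            rec["ip"] = s["ip"]
        elif s := VERDICT.match(rest):
            rec["virus"] = s["name"].strip()
    return dict(records)

def triage(records):
    """Count detections, split into (named malware, generic labels)."""
    malware, generic = Counter(), Counter()
    for rec in records.values():
        if (name := rec.get("virus")) is not None:
            bucket = generic if name.lower() in GENERIC_LABELS else malware
            bucket[name] += 1
    return malware, generic

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```
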


