[Clamav-users] FreeBSD and log rotation

2004-03-15 Thread Bart Silverstrim
I'm running clamscan / ClamAV version 0.67-1 on FreeBSD 4.9 (clamav 
from ports collection), using clamd to scan incoming email for viruses. 
 I have seen some people on the list say that clamd will stop working 
if the maximum logfile size is hit?

Is there anyone using newsyslog to rotate the logs for clamd, and if so 
what is your conf file line to do it?  Is there something that has to 
be changed in clamav.conf also?

Thanks,
-Bart


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] FreeBSD and log rotation

2004-03-16 Thread Bart Silverstrim
On Mar 16, 2004, at 12:55 AM, Odhiambo Washington wrote:
 I have seen some people on the list say that clamd will stop working
if the maximum logfile size is hit?
Well, that was discussed, but they also gave solutions with the use of
logrotate.
I was hoping not to add another rotation system to FreeBSD unless it 
was really the only way to do it; my understanding was that FreeBSD 
prefers to have newsyslog handle the rotation of logs.  Also it seemed 
as if some people had the problem of it stopping but others didn't; I 
didn't find a definitive "if you run version X this happens, if you run 
version Y this happens instead..." type of response and there were 
simply too many posts to sort through to get the summary extracted of 
the problem so I thought I'd just ask now that I hoped the dust had 
settled :-)


Is there anyone using newsyslog to rotate the logs for clamd, and if so
what is your conf file line to do it?
BTW, there are new versions on the website, so go for them. There is an
entry in the Changelog from the CVS checkout I just did a few minutes
ago:

And this is only set up on the CVS version, the sighup support, correct?

I wonder when that will make its way into the ports.  I rely primarily 
on the portupgrades procedure to keep things in sync with updates; if 
we have too many things fragmented (whose network isn't if you have 
more than five users? :-) then updates get overlooked or fixing systems 
can get complicated. :-/


PS: I use daemontools to monitor clamd, and I use other methods to
rotate my log file, so don't blame me if the above approach makes
your box go up in flames ;)
Shoot, no fire suppression in the server room either...this sucks.





Re: [Clamav-users] Freshclam died

2004-03-17 Thread Bart Silverstrim
On Mar 16, 2004, at 10:13 PM, Steven P. Donegan wrote:

Fajar A. Nugraha wrote:

Steven P. Donegan wrote:

Hmmm, I just do a freshclam from cron rather than let it run as a 
daemon - as a new user (I just downloaded, installed, integrated 
with my anti-spam/anti-virus proxy - home built, today). Is doing 
this in any way a negative thing?

Not if you set it to run on a random minute (e.g. not 0). If you set it up as

0 * * * * /usr/local/bin/freshclam

then you might be among those people who flood database mirrors 
during update checks :)

Better change the 0 to something random (e.g. 19, 34, etc).

Regards,

Fajar
Well, on general principles I do that anyway :-) But thanks for the 
response.

This is assuming everyone's clocks are set in sync? :-)





[Clamav-users] Virus ID

2004-03-23 Thread Bart Silverstrim
Silly question time...

While I suppose the questions about the standard naming sequences may 
help, I would propose one other idea (along with asking for help with 
my question :-)

First: I see a hit in my logfiles for Exploit.HTML.Bagle.Gen-4-eml; is 
this the variant I've read about where if a user on Windows *previews* 
a mail message (no attachment), they can get infected?

Second: is there a database for clamav with descriptions of the 
viruses?  I wondered if some kind of user-supplemented database could 
be used online, and *there* have the aliases, rather than bulk up the 
antivirus database with aliases and pseudonyms.  If you see a virus 
hit, you could refer to the online site and check for AKA's of the 
virus name (as well as information of what the viruses are capable of). 
 Just an idea...





Re: [Clamav-users] Virus ID

2004-03-24 Thread Bart Silverstrim
On Mar 24, 2004, at 12:01 PM, Lars Kristiansen wrote:

Could it be an idea to request the possibility to list an alias in the 
output? For example if one is running both f-prot and clamav, and want one
statistic, then you might want to tell clamav to list the f-prot alias in
the log.

If it were a vote, I'd prefer separating the aliases from clamav's 
database.  Either allow the ability to integrate them (conf file 
setting?) at runtime, or have a web database that an admin could refer 
to for a full "encyclopedia" of info.

I'd bet that to make it all useful, having all the known aliases with 
each virus included in the database would really bloat it...and with 
the number of people downloading from the servers via cron jobs, 
wouldn't it save a bit of load on the clamav servers?

Could this be achieved by having a table for aliases for the different
av-tools?
Do "they" assert IP rights over the names of viruses?  Or will they in 
the future?  I don't know if other vendors would be overly irritated 
with other vendors using their names as AKA's for viruses (it would 
really be helpful if there were a central naming authority...)





Re: [Clamav-users] Re: Yet another TESTVIRUS.org result !!

2004-03-26 Thread Bart Silverstrim
On Mar 26, 2004, at 11:10 AM, Jesse Guardiani wrote:

Dilip M wrote:

[...]

Only improvement is Test # 12 was detected ?

Where as all other Viruses,ie
Test # 19,21,23,25
came through :(
That is exactly what I'm getting with qmail-scanner-1.21 and 
clamav0.70-rc
(and the CVS version from 2004/03/25).

I think there was a discussion about these last four items a few weeks ago.
Some people complained that ClamAV is not a 'vulnerability/exploit' scanner,
but a virus scanner. This makes sense (and helps to avoid code bloat), but if
this is the consensus then I hope that qmail-scanner will soon address the
above 4 items internally, or that someone else will create a program
dedicated to this task. Exploit scanning may not belong in ClamAV,
but it needs to be addressed somewhere.

Hmm...when I just tested it (postfix, clamav, amavisd-new) tests 8, 12, 
24, and 25 got through.  Am I missing something in my config?

How worried should I be about those viruses getting through? :-/





Re: [Clamav-users] Re: Yet another TESTVIRUS.org result !!

2004-03-26 Thread Bart Silverstrim
On Mar 26, 2004, at 2:35 PM, Trog wrote:

On Fri, 2004-03-26 at 18:35, Bart Silverstrim wrote:

Hmm...when I just tested it (postfix, clamav, amavisd-new) tests 8, 12,
24, and 25 got through.  Am I missing something in my config?

How worried should I be about those viruses getting through? :-/
#8 was blocked with current CVS (didn't test other versions)
#12 is blocked if you tell clamscan to detect password protected files
That (#12) is only in the CVS version as well, no?

I've been waiting until the latest version is in the ports tree 
(FreeBSD 4.9) so I wouldn't end up with a mix of ports and tarballed 
apps on the server, so latest updates could be taken care of via 
portupgrade... :-/

#24 and #25 don't contain any viruses, so it's not surprising they
aren't detected.
This was supposed to test a potential infection vector?





[Clamav-users] database update-less sigs?

2004-03-30 Thread Bart Silverstrim
Was there a drop in the number of signatures in the database recently? 
After what seemed like a slow update, the number of viruses appears to 
be only near 20,600...I thought it was at 20,800 range before that 
update, but my memory may be playing tricks on me.  I updated from two 
different computers and the numbers matched in the 20,600 range.  Can 
others verify that I'm just being overly paranoid? :-)

Below is the output from my freshclam cron job.

ClamAV update process started at Tue Mar 30 08:12:00 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
Reading CVD header (daily.cvd): OK
Downloading daily.cvd [*]
daily.cvd updated (version: 225, sigs: 414, f-level: 1, builder: acab)
Database updated (20643 signatures) from database.clamav.net (24.73.112.74).
Clamd successfully notified about the update.
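An added example, not from the original post: a small parser for freshclam cron output like the above that checks whether the per-database signature counts add up to the reported total and how far the total moved from a previous run. The sample log is constructed from the lines quoted in this message, with the e-mail line wrap undone and the spinner lines shortened.

```python
import re

# Constructed sample modelled on the freshclam output quoted above.
SAMPLE_OUTPUT = """\
ClamAV update process started at Tue Mar 30 08:12:00 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
Reading CVD header (daily.cvd): OK
Downloading daily.cvd [|]
Downloading daily.cvd [/]
Downloading daily.cvd [*]
daily.cvd updated (version: 225, sigs: 414, f-level: 1, builder: acab)
Database updated (20643 signatures) from database.clamav.net (24.73.112.74).
Clamd successfully notified about the update.
"""

# One line per CVD file, whether it was refreshed or already current.
CVD_LINE = re.compile(
    r"^(?P<name>\S+\.cvd) (?:is up to date|updated) "
    r"\(version: (?P<version>\d+), sigs: (?P<sigs>\d+), "
    r"f-level: (?P<flevel>\d+), builder: (?P<builder>\S+)\)"
)
TOTAL_LINE = re.compile(r"^Database updated \((?P<total>\d+) signatures\)")
NOTIFIED_LINE = "Clamd successfully notified about the update."


def parse_freshclam(text):
    """Return (per-CVD info, reported total or None, whether clamd was notified)."""
    cvds = {}
    total = None
    notified = False
    for raw in text.splitlines():
        line = raw.strip()
        m = CVD_LINE.match(line)
        if m:
            cvds[m["name"]] = {
                "version": int(m["version"]),
                "sigs": int(m["sigs"]),
                "flevel": int(m["flevel"]),
                "builder": m["builder"],
            }
            continue
        m = TOTAL_LINE.match(line)
        if m:
            total = int(m["total"])
        elif line == NOTIFIED_LINE:
            notified = True
    return cvds, total, notified


def signature_delta(previous_total, text):
    """Sanity-check one run against the total seen on a previous run.

    Returns (consistent, computed_sum, delta) where consistent is True only if
    the CVD counts add up to the reported total and clamd picked up the update;
    delta is the change from previous_total (None if either total is unknown).
    """
    cvds, reported, notified = parse_freshclam(text)
    computed = sum(c["sigs"] for c in cvds.values())
    consistent = reported is not None and computed == reported and notified
    if reported is None or previous_total is None:
        delta = None
    else:
        delta = reported - previous_total
    return consistent, computed, delta


if __name__ == "__main__":
    # The poster remembered roughly 20,800 before this update.
    print(signature_delta(20800, SAMPLE_OUTPUT))
```

A negative delta with a consistent total means the database really shrank (as with the removal of Office 97 signatures in main.cvd version 22), not that the download was truncated.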





Re: [Clamav-users] database update-less sigs?

2004-03-30 Thread Bart Silverstrim
On Mar 30, 2004, at 9:51 AM, Antony Stone wrote:

On Tuesday 30 March 2004 3:34 pm, Bart Silverstrim wrote:

Was there a drop in the number of signatures in the database recently?
After what seemed like a slow update, the number of viruses appears to
be only near 20,600...I thought it was at 20,800 range before that
update, but my memory may be playing tricks on me.  I updated from two
different computers and the numbers matched in the 20,600 range.  Can
others verify that I'm just being overly paranoid? :-)
--  Forwarded Message  --

Subject: [Clamav-virusdb] Update (main: 22)
Date: Mon, 29 Mar 2004 23:57:25 +0200
From: Tomasz Kojm <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
ClamAV database updated (2004.03.29 21:55 GMT): main.cvd, viruses.db
Version: 22
All signatures for Office 97 files have been removed (proper signatures
that use the VBA macro decoder must be created).
Thanks!





Re: [Clamav-users] Virus Names

2004-04-07 Thread Bart Silverstrim
On Apr 6, 2004, at 3:23 PM, Diego d'Ambra wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:clamav-users-
[EMAIL PROTECTED] On Behalf Of jef moskot
Sent: 6. april 2004 19:08
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote:
If netsky is Worm.SomeFool, then why is it not labeled as
Worm.SomeFool?
But when something is this much of a phenomenon, why not just change the
name?  I know it's been done for other worms in the past.

And that is what we'll (try to) do in the future (if a common name has
been established).
With all due respect, this may be a bad idea, if I understand you 
correctly...you're saying that when a virus is found by the clamav team 
and it's called foo, then other companies get ahold of it and call it 
bar, the clam team should call it bar also, correct?

This would mean that floating around out there in googleland (and for 
a while in unupdated databases) would be the name foo.  People researching 
will find extremely short-lived virus names floating around because it 
is one that was renamed...

I'm sure there's a simple solution and I'm probably just worrying too 
much over it, but I would still think it would be better to have a wiki 
or some kind of knowledge base set up where people could put in 
information on the virus.  The ClamAV name, and a list of aliases from 
other companies, and maybe a breakdown of the behavior/payload/etc. of 
the virus, when it was added to the clamav database, etc. and just 
reference it that way.  It would mean minimal changes to clamav, a 
volunteer group (or the whole user community) could contribute 
separately from the programming team...would that work?

-Bart





Re: [Clamav-users] Virus Names

2004-04-07 Thread Bart Silverstrim
On Apr 6, 2004, at 4:31 PM, Eric Rostetter wrote:

Quoting jef moskot <[EMAIL PROTECTED]>:

On Tue, 6 Apr 2004, Eric Rostetter wrote:
But changing the name after the fact would just confuse people more.
I completely disagree.  Hardcore Clam users are more likely to understand
the reality of the situation and realize that the ClamAV team has to call
the viruses SOMETHING.  Usually, that's the same name everyone else uses,
but sometimes it isn't.
Great for netsky since almost everyone uses it.  But what about viruses
that have multiple names from the other vendors and the media?  For the
first week, SCO (clamd) was called novarg by most, until the media took
off with mydoom and that became the new name.  Should clamav have migrated
along from SCO to NOVARG to MYDOOM just because the others came along
later and in that order?
That is the name that is popularized by the media after the fact...I 
think many "larger" AV vendors put the aliases in their virus 
encyclopedias online, don't they?


There's maybe a small amount of confusion for a couple days, and that's
that.
Most viruses don't last for more than a few days anyway, so this only
applies to the rare cases (like lately with the virus wars over netsky
et al).
Tell that to my web server...I still see hits from blaster...

But we are constantly being asked by casual (or new) users why ClamAV
doesn't pick up Netsky
Yes, but the user is just being stupid.  They are not getting infected
with netsky, so obviously it is picking it up.
Hardly.  Sometimes when justifying to the PHBs that ClamAV is just as 
good, if not better than, other solutions you need to answer the 
questions the PHBs get when they watch the evening news.  It would be 
helpful if you could point them to a knowledge base article or 
encyclopedia from Clam saying "it's an alias for virus FooBar...says 
so right here, added on ya ya ya in database version X...and we're 
protected because our signature version is Y."

what the heck "SomeFool" is, etc.  Many of those
You don't think you'll get that question even if you use the more common
name for viruses?

It's not the question, it's enabling users to easily find the answer.  
The question will still get asked, but seeing that most of the admins 
running ClamAV are hopefully a little more skilled than the average 
user, most of the questions should be answered at the local 
administrator level rather than the Clam team level.  If the answer 
were a simple site lookup of an entry for a virus name that was 
cross-referenced (or put on a separate server that could be CVS'd or 
Rsynced for a local copy...)

On top of that, we have our database being freshclammed several times a 
day.  Since most of the Windows viruses are now fully automated, what 
happens in the hours between a virus getting released and then 
discovered then added to the database then our server getting 
refreshed?  Not everyone is running freshclam on the mail 
server...we're using it to scan incoming mail then forward the mail to 
our internal mail server.  That means that if the WindowsDeath virus 
comes in before our database holds it, it will get to our internal 
servers...where a "backup scanner" has to catch it.  Then we get into 
the aliases of viruses problem...we get a report of virus WindowFool 
being in the message. Are we protected now, it was just something that 
slipped in between updates?  Or is it something we need to worry about? 
Or...?

The process becomes more time-consuming to verify than it needs to be.  
That's just the price to pay for a solution as flexible as ClamAV...

Other than some kind of issue with logging things by virus name, are there
any sensible reasons to not use the same name everyone else in the
computer community is using?

It adds overhead to a volunteer project.  Let the other vendors have 
their fun renaming things with the proprietary name games.  It would 
probably be easiest if the Clam group responded by just making an alias 
encyclopedia, in my opinion...

Also, as I've pointed out, not all the AV vendors agree on the names.  It
usually isn't clamav against the world (as it appears with netsky).  It is
more normal that there are 2, 3, or 4 other names for the virus.  And you
never know which will become the most popular until days or weeks after
you name it.

worse are the games where a minor minor variant comes out, they slap a 
new name on it, and then promote their product as catching x,000 
viruses while neglecting to mention that 200 of them are the same 
virus, only instead of having "screw you" embedded in it it has "screw 
you!", "No, screw YoU!",...etc. etc. etc.

Oh well.  That's my view, anyway...

-Bart




[Clamav-users] x-reference list

2004-04-08 Thread Bart Silverstrim
Recent discussions on other names...what about an improved version of
http://www.nfllab.com/projects/cvnr/
Maybe adding an encyclopedia of virus information to each name?





Re: [Clamav-users] virus names (any reference?)

2004-04-14 Thread Bart Silverstrim
On Apr 13, 2004, at 7:16 PM, jef moskot wrote:

On Wed, 14 Apr 2004, Jesper Juhl wrote:
I've been working on a website to allow users to do exactly that, but
due to being overworked and various other issues it has not progressed
as fast as I had hoped - still working on it when I have a chance
though, so expect something like that in the future.
I think if the website just said "What we call 'SomeFool' others call
'Netsky'," 95% of all questions would be covered.
Personally, I don't understand why this particular name has not been
changed, given the prevalence of this worm.  A comprehensive web site
would certainly be a nice feature, but I think it's really overkill while
resources are limited.
Statistics being broken, it would create "transient" viruses that in 
reality were just renamed, adds to the cruft of multiple names floating 
around in lists and search engines,

A central repository of cross-references would probably be the best and 
most resilient solution. I think this is what the "big boys" do in the 
corporate AV world...you look up the virus in their knowledge bases and 
it can list the aliases (although I see the quality of their knowledge 
bases/encyclopedias seem to be rapidly going downhill in the past 
couple years...)





[Clamav-users] revisit question about passworded zips

2004-04-15 Thread Bart Silverstrim
I've seen this batted back and forth for awhile about the bagle 
variants that use password-protected ZIPs and detecting them; I gleaned 
a bit of ambiguity in the answers because at the time the answer always 
seemed to be "Yes it detects it" (zips or passworded zips?), no it 
doesn't (nothing scans inside zips) , or "yes it does in the latest CVS 
version..."

Sooo my question is that at this point, does clamav have the ability to 
pick up the passworded zip file sent by a specific bagle variant, while 
passing others along undetected?  The testvirus.org password protected 
zip gets through :-( So I wondered if just the bagle virus with the 
passworded zip has a specific signature attached.

My config:
running clamscan .70-rc
grep -v "#" clamav.conf | strings | sort
AllowSupplementaryGroups
ArchiveMaxCompressionRatio 200
ArchiveMaxFileSize 10M
ArchiveMaxFiles 1000
ArchiveMaxRecursion 5
ClamukoIncludePath /home
ClamukoMaxFileSize 1M
ClamukoScanArchive
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoScanOnOpen
DatabaseDirectory /usr/local/share/clamav
FixStaleSocket
LocalSocket /var/run/clamav/clamd
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 5M
LogTime
MaxConnectionQueueLength 30
MaxDirectoryRecursion 15
MaxThreads 15
PidFile /var/run/clamav/clamd.pid
ScanArchive
ScanMail
ScanOLE2
ThreadTimeout 500
Thanks!
-Bart




Re: [Clamav-users] Re: revisit question about passworded zips

2004-04-15 Thread Bart Silverstrim
On Apr 15, 2004, at 12:22 PM, Virgo Pärna wrote:

On Thu, 15 Apr 2004 09:55:08 -0400, Bart Silverstrim wrote:
Sooo my question is that at this point, does clamav have the ability to
pick up the passworded zip file sent by a specific bagle variant, while
passing others along undetected?  The testvirus.org password protected

 Yes it does - "sigtool --list-sigs | grep pwd" will show you a
list of crypted archive variants specifically detected. But in newest
versions it is possible to just block all crypted zips.
Okay, I was just looking for the "authoritative answer" to whether 
those viruses were getting caught, which I thought they were but the 
testvirus.org would indicate otherwise...so I thought I'd ask if those 
*particular* passworded zip files would get caught...which it 
apparently does.

I don't want to block out *all* encrypted zips, because there are 
instances where it could be valid to send a short encrypted attachment 
(small ones!), and I'd rather not discourage users from using something 
like encryption with sensitive information simply because we have had 
to take drastic steps to reduce virus propagation.

I also needed this as both reassurance to me and to the Powers That Be 
to whom I must answer that the filter is indeed functioning adequately 
in light of advertising pitches from vendors :-)

Thanks!
-Bart




Re: [Clamav-users] Clamav and microsoft exchange.

2004-04-19 Thread Bart Silverstrim
On Apr 18, 2004, at 11:00 PM, Wiltshire, Michael wrote:

I'm supposed to set up clamav to scan mail going to our Microsoft 
Exchange 5.5 .  From the documentation I've seen I don't see how that 
can be done.  Can someone help me out on how to do this, or point me 
in the direction where I can find information on the topic?

For us the best solution was a gateway (just sent a previous mail on 
another thread saying this :-)

The scanning machine didn't need to know anything about the accounts; 
it just blindly scans the mail and if SpamAssassin passes it and the 
virus scanner passes it the message gets blindly forwarded to the 
internal server.

We used a FreeBSD system to handle it; took the scanning load off the 
Exchange server.  We also had enough funding to get a different AV 
scanner on the Windows machine to "double scan" email, although I'll 
say that the scanner on the Exchange box does nothing but slows it 
down...I rarely see anything caught on it, and when I did, it was 
something that slipped in between ClamAV updates.  Our gateway solution 
has been working very well for our users...

-Bart





Re: [Clamav-users] SMTP proxy

2004-04-19 Thread Bart Silverstrim
On Apr 18, 2004, at 7:07 AM, Ian Armstrong wrote:

 I am looking for an SMTP proxy to use with Clamav. Can anyone 
recommend one?

I'm not sure what you're trying  to configure exactly, but we're using 
postfix+amavisd-new and clamav on FreeBSD 4.9 for use as an SMTP 
gateway to scan incoming mail before handing it to an internal mail 
server.





Re: [Clamav-users] Remote clamav implementation

2004-04-22 Thread Bart Silverstrim
On Apr 21, 2004, at 5:04 PM, Tom Walsh wrote:

I know that Tomasz had mentioned that the clamav developers were working
on the ICAP (i-cap.org) implementation of clamd back in March. I have
not heard anything about the status of this recently and was curious to
see where this is at.

I am really interested in offloading my clamd scanning to a dedicated box.
Any information would be appreciated.

I don't know about the ICAP implementation, but one way to achieve this 
is to create a gateway server through which mail is scanned then 
forwarded to the actual email server...

Just an idea to consider if this is a matter that's becoming pressing 
in your situation.  It's worked well for us and it's transparent to our 
users (we're only scanning incoming mail though, to shield the Exchange 
server we're currently using...)





Re: [Clamav-users] Fw: [Bug 105169] Filter for Attachments

2004-04-22 Thread Bart Silverstrim
On Apr 22, 2004, at 1:03 PM, Jon Roland wrote:


As for Linux and Windows, eventually "there can be only one". I prefer 
it be Linux or its descendant.

As for Chevy and Ford, eventually "there can be only one".  I prefer it 
be Chevy or its descendant.

Doubtful.  There will always be diversity in computing, and as long as 
users don't care one way or the other, Windows will always exist and 
probably will hold the desktop for a LONG time.  Which is fine.
I don't ~want~ Linux abstracted for "ease of use" until it no longer 
works :-)

-Bart





Re: [Clamav-users] clamav and postfix

2004-04-30 Thread Bart Silverstrim
On Apr 29, 2004, at 3:03 PM, Jim Maul wrote:
Hi:
I have a question about the setup of clamav and postfix:
Is using two instances of postfix the only way to integrate clamav with
postfix?
Thanks.
I don't know if it's the *only* way, but it's how we use it (first 
instance listens for incoming mail and injects it to amavisd-new which 
hands it over to spamassassin and clamav...then it injects the mail 
into a second private instance of postfix whose only job is to forward 
it to an internal SMTP mail server).

We have kind of high hardware installed with relatively light mail 
load, but even with Squid and SquidGuard running on this machine, its 
swap is only 4k used in 50 days of uptime :-)





Re: [Clamav-users] Temp file issues

2004-05-05 Thread Bart Silverstrim
On May 5, 2004, at 10:00 AM, Matthew Myers wrote:

Is there a way to auto delete the temp files created when scanning?  
My system (v 0.70) hung yesterday due to the temp files not being 
deleted...they tend to grow and grow and grow.  Today I already have 
over 10,000 temp files, and although it may take a month or so, this 
will eventually become an issue again.  Any help you can provide to 
resolve this matter is appreciated.
 
Is it running with debug enabled?  Disable that and it won't create 
those tempfiles anymore.





Re: [Clamav-users] /temp directory

2004-05-06 Thread Bart Silverstrim
On May 6, 2004, at 1:54 AM, Cecilia Mtz wrote:

Hello

I noticed that space used on my server went up more than 1 GB in two 
days. I searched for possible causes and found that in the /temp 
directory there are hundreds of folders with names like:

/clamav-32a04d8981dc9029
/clamav-64c3234be1ab21c8
/clamav-97724bb815cf6a6d
/clamav-cd4876490bf92691
/clamav-32c0801d981cdb60
/clamav-64c9409eac801901
/clamav-978c3d0a247cf62b
/clamav-cd50cd0972aef749
Are you running with the debug option enabled?





Re: [Clamav-users] can't repair infected files ??

2004-06-14 Thread Bart Silverstrim
On Jun 14, 2004, at 5:06 AM, Kent Emia wrote:
I just browsed through my PC and found this file and wondered what would be
the use of an anti-virus if this won't clean infected files???


When would this be implemented? ... BTW, I'm using ClamAV for my Windows 
and Linux PCs ...
Many AV today seem to not do this anymore.
Back in the day, viruses used to append themselves to executables; an 
AV could strip it out and salvage the original executable.

Today, the vast vast majority of wild viruses either:
A) ARE the executable
B) mangle the executable until the attempt to disinfect would destroy 
the original file.

This would also lead to more support, as the number of less tech-savvy 
users seems to be rapidly increasing and the number of interactions 
among programs on Windows grows as well...a mistake with disinfecting a 
DLL or EXE file could potentially have ramifications for other programs 
on the computer, and the user screams bloody murder about it until the 
IT department (or user) ends up reinstalling the programs anyway.

The support issues and practicality (seeing as most of the wild viruses 
found today are spyware or are emailed viruses themselves, rather 
than parasites on legit executables/DLLs) make it more of a problem than 
it's worth to simply disinfect anything but a macro virus.

That's my .02 about it, anyway...
-Bart



Re: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Bart Silverstrim
On Aug 10, 2004, at 5:57 AM, Jeremy Kitchen wrote:
Mitch (WebCob) wrote:
Just a few ideas...
hey, brainstorming is good, it's just the ideas aren't always ;)
Another stupid idea...how about a mechanism where clam can have updates 
"pushed" to it, so servers controlled by the clam team can distribute 
mini updates to them.  The admins would have to subscribe to it, like a 
listserv, only instead of through email, it's done through this 
theoretical mechanism.  There wouldn't be traffic spikes (as big) for 
times where there *aren't* updated db's available, only when there are 
updates, and the updates are sent out as the clam servers are able to 
handle the load.

Maybe like a modified GPG-signed listserv system only on its own "clam 
update daemon" port...take a little more configuration since the people 
installing clam would have to subscribe and install a GPG key or 
something like that in the process, but that shouldn't be something 
back-breaking to figure out.

Maintenance would have to be done for the subscription mechanism, etc., 
like a listserv would, but it may be something that could be done.  May 
even be extendable so that a master server for a network could receive 
the updates from the clam site (pushed from clamserv) then in turn be 
told to push them out to machines on the internal network.  (I know 
this could already be set up, but it may be easier through this type of 
model to set up and maintain...)

I'm probably overlooking something obvious, but again...just an idea, 
right? :-)

-Bart



Re: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Bart Silverstrim
On Aug 10, 2004, at 2:30 PM, Jeremy Kitchen wrote:
On Tuesday 10 August 2004 12:23 pm, Damian Menscher wrote:
The gpg-signature prevents spoofing.  And the sequence numbers
keep everyone current.  The major problems I see are getting clamd to
recognize a message targeted for it, and the obvious problems of DoS
attacks (someone sending spoofed messages that would suck CPU time
decoding the gpg signature).
yes, that's an unfortunate problem with this idea, however, if you 
used, as I stated, a special address that uses program delivery, you'd 
have to hack the listserver to get everyone's 'subscription' address to 
be able to do this.
Instead of having this piggyback on email, I was thinking more along 
the line of a separate protocol just *modeled* after email.  Separate 
port, separate server daemon for it...maybe it would lessen the chances 
of your updates getting filtered by spam filters and/or targeted for 
probes and overflow attacks in the process.

That way it isn't hacking the MTAs out there to do work that isn't 
meant or related to them...never liked the idea of bending programs 
backwards to tack on added functionality.  Seems to be another vector 
for bug creep :-)


[I haven't given up on DNS updates yet, but it's hard to come up with a 
clean way to distribute >256 bytes of data that way, which means even 
single rules don't always fit.]
I wouldn't distribute the rule in DNS, however, a timestamp of sorts 
in DNS isn't a bad idea.
While DNS is an interesting idea, I'm worried more about what kind of 
bugs and glitches this is going to uncover in the process (or what kind 
of attacks would be crafted should this idea catch on).  Let's say 
the idea does become popular, and clam and other programs out there 
start taking advantage of it...I don't know about all of you, but I 
didn't set up a DNS server on a system meant for constant hits from 
other sources querying it; it's just a little system that can handle 
the load of a small network and that's pretty much it :-)  And what 
about systems that restrict querying to certain IPs?  If a service 
starts getting abused, that tends to be when (clueful) admins start 
taking steps to lock things down; many places with NTP servers, for 
example, will host a "public" site until too many people start hitting 
it, and if it starts to become a burden, the time server suddenly 
disappears. :-(

-Bart



Re: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Bart Silverstrim
On Aug 11, 2004, at 10:32 AM, Martin Konold wrote:
On Wednesday, 11 August 2004 13:53, Bart Silverstrim wrote:
Hi Bart,
the idea does become popular, and clam and other programs out there
start taking advantage of it
DNS was developed exactly for this kind of purpose.
Storing non-DNS related information for retrieval?  As I understand the 
proposition (and the original lecture that this idea was based on), 
it was for hiding information in a very small records area of DNS for 
propagating information...I don't think the designers for DNS had 
spreading AV signatures (or files or other things that have been 
proposed, non-Clam related) in mind at the time.  Also I was worried 
about the fact that DNS servers usually got traffic for updates from 
peers and client/server lookups, not spreading files...that would boost 
their hits and bandwidth.

...I don't know about all of you, but I
didn't set up a DNS server on a system meant for constant hits from
other sources querying it
Sorry, I don't want to sound impolite, but please try to become familiar 
with how DNS works in today's Internet.
Prefacing it with not wanting to sound impolite still makes it sound 
impolite but that's okay :-)

I'm not a DNS expert by any means.  It's been five years or so since I 
set up a bare linux system as an authoritative DNS server, other setups 
I've made were all in-house caching servers.  I'll make no claim to 
knowing how things work exactly or the pitfalls of trying this out, or 
the effect it would have on the servers.

But I *have* had enough experience to say that if I have these 
questions, chances are someone else on the lists has them too, 
vocalizing them or not...and they'll hopefully get an education from 
the answers I get as the result of my chiming in :-)

; it's just a little system that can handle
the load of a small network and that's pretty much it :-)
Your little DNS server will only get queries from your very own clamav
installation but not from _anyone_ else.
The proposal is just to have a few DNS servers, the authoritative ones, 
seeded with the info then?  Others would just cache it?  Duh.  Makes 
sense.

And what
about systems that restrict querying to certain IPs?
?? This makes no sense. If your system is able to do http using an 
fqdn then it is also able to use the DNS.
I think at the time I was thinking about DNS servers updating from 
peers, distributing the load of the records that are spread piecemeal.

Funny enough: The protocol ideas you are proposing are putting _more_ 
load on the DNS(*) than the direct DNS idea.

(*) it is safe to assume that your protocol ideas don't use static IP 
numbers but use DNS to do gethostbyname() resolving.
You would be correct; it would be the load made by any listserv though. 
Any spreading of an "email like" server's load would increase lookups 
(unless assisted heavily by local caches).

It's not necessarily the load on the server I think I was worrying 
about, per se...it's trying to shoehorn the protocol to do more than it 
was supposed to.  It's probably a misunderstanding of the idea for 
spreading the information through DNS, but I would think that the DNS 
idea would hit a wall or block that would be imposed by the 
restrictions of DNS itself and the way it works, so a new mechanism 
would have to supplement it or some other clever hack.  I would think 
that it would be better to start a propagation idea from scratch rather 
than a neat idea (I'm not trying to disregard it...heck, I'm probably 
missing something obvious and am worrying about a non-issue) for 
extending a protocol meant for task A being extended to also be able to 
do task B.

-Bart



Re: [Clamav-users] Idea for more timely virusdb updates

2004-08-12 Thread Bart Silverstrim
On Aug 11, 2004, at 1:22 PM, Martin Konold wrote:
On Wednesday, 11 August 2004 16:19, Bart Silverstrim wrote:
Hi Bart,
DNS was developed exactly for this kind of purpose.
Storing non-DNS related information for retrieval?  As I understand 
the proposition (and the original lecture that this idea was based on),
it was for hiding information in a very small records area of DNS for
propagating information...I don't think the designers for DNS had
spreading AV signatures (or files or other things that have been
proposed, non-Clam related) in mind at the time.
Please be aware of the fact that I don't think that DNS is the correct 
tool to distribute files, but for distributing something like a serial 
number it fits perfectly.

The actual download of the data has to be done outside of the DNS 
system.
Okay, this would be where my misunderstanding was entering the picture 
:-)  I was thinking DNS would be the distribution engine, not the 
notification engine.

Sorry for the confusion!
Abusing the DNS to directly transfer files etc is not appropriate as 
the DNS infrastructure is not ready for such kind of "abuse".
Give it time...someone's going to do it.
I'm surprised someone hasn't found a hole in DNS that would allow it to 
act as a way to distribute viruses via DNS records yet...

-Bart



Re: [Clamav-users] Idea for more timely virusdb updates

2004-08-12 Thread Bart Silverstrim
On Aug 11, 2004, at 10:40 AM, Damian Menscher wrote:
On Wed, 11 Aug 2004, Lionel Bouton wrote:
For some time I have been thinking of a bittorrent approach too. Bittorrent
is quite efficient at distributing files and there are implementations
allowing multiple trackers to distribute the remaining server-side load.
Please take this as a question rather than a criticism of the approach:
My experience with bittorrent has been with downloading huge things,
like Fedora. 
I've never used bittorrent so I'm afraid I can't comment there.
With regard to all the other ideas:  Please remember to keep this
*simple*.  Here's where I, IMHO, think we stand:
Opening a new port on a mailserver so updates can be pushed to it is a
BAD idea.  As a sysadmin, I would not allow such a thing on my
production machines.  It creates a huge security risk, since now you
have one more opening to a remote root vulnerability.
Just a clarification of what I accidentally proposed earlier: it 
wouldn't be so much a mail server doing this, just a daemon and 
application modeled after mail.  I think it's pretty clear thanks to 
SPAMmers all around the Internet that email protocols are broken, but 
the basic simplicity of the model behind SMTP could be applied to send 
out a subscription of encrypted and signed updates to people who sign 
up for it...it would be more like a whitelisted email system in 
*concept* only.  I was proposing that only because the basics are 
already out there in framework in the form of email...but we don't want 
something that accepts random or additional info.  Just updates for our 
Clam programs.

Yes, it could be another root vulnerability, and it would be a bigger 
target because AV kiddies are usually the kind that are more likely to 
attempt DOS attacks against servers if there's a central target to hit.

I'm really starting to like the idea of a mailing list that can have
dedicated (and random for each site) subscription addresses and pipe the
list straight into "sigtool --add".  It means we'd have to find someone
to host the list, but that's probably no more difficult than finding
someone to host a mirror.  Presumably there could even be multiple
"mirrors" sending the list, to improve speed (taking an idea from
spammers who use open relays to do the hard part).

One thing to add to the mailing list approach: there needs to be some
sort of "heartbeat" or "dead man's switch" -- a way to know that the
mailing list is functional, but there are no needed updates, rather than
that the mailing list has broken.  I suppose this might be a use for
that latest-db-version.clamav.net idea.
Here's a second idea to combine with the first...use a freenet model.  
At least I think that's the name...

It's P2P and anonymous; and (my memory is foggy...can someone confirm 
the details?) it is kind of like a mesh "network within a network".  It 
was originally meant as a totally free and distributed way for P2P 
transfers of information.  Everyone shares information and it gets 
distributed on computers, and you as a client/server have no control or 
idea what is in your allocated "sharing space".  Could be illegal 
material, could be Shakespeare, you don't know (Freenet, that is).

If we had a meshed system of a "live network within a network" of 
updates with this model, it may be an interesting infrastructure not 
only for rapid updates, but impossible (improbable?) denial of service 
attacks, and the possibility of even tagging exe's for analysis 
later...they could just be swept up in the "grid" and analyzed when 
they reach the appropriate team members. The sigs could be updates and 
swept into the grid where they'd be distributed to sysadmins.

Again, probably impractical, but just enjoying the brainstorming that's 
going on on the list recently.  :-)  It would be more complicated than 
previous ideas, yes, but it may lay groundwork for future features or 
ideas, like maybe a way to monitor virus activity and send out 
statistics to users who wish to set up that ability for monitoring 
outbreaks in certain regions of the Internet.

-Bart



[Clamav-users] OS X with ClamAV

2004-08-15 Thread Bart Silverstrim
I'm in the prelim stages of assembling a new mail server with OS X 
(using regular OS X Panther, not OS X Panther Server).  I'd like to use 
the Postfix daemon (already with Panther) and ClamAV (which I can get 
installed via Fink).  Is there a simple way to get Postfix to hand off 
email to ClamAV for scanning?

Anyone running OS X with ClamAV?
-Bart



Re: [Clamav-users] Mac OS X installation?

2004-08-18 Thread Bart Silverstrim
On Aug 18, 2004, at 6:03 AM, Derek Tom wrote:
Hello,
Mac OS X is listed as a supported platform but beyond that, there's no 
info on actually getting ClamAV installed on OS X. I looked through 
the FAQ, binary packages and ports (OS X not even listed), 
documentation, WikiWiki, and did a quick mailing list archive search 
but could not find an answer.

Would very much appreciate some basic info on getting it installed on 
OS X.
Best way I've found is to install Fink and install ClamAV using Fink 
(Fink Commander).  VERY easy to keep updated to the latest ClamAV using 
Fink (although you do need to keep running freshclam separately...Fink 
only upgrades ClamAV, not definitions)

-Bart



Re: [Clamav-users] Mac OS X installation?

2004-08-20 Thread Bart Silverstrim
On Aug 19, 2004, at 9:24 PM, Randall Perry wrote:
on 8/18/04 8:55 AM, Bart Silverstrim at [EMAIL PROTECTED] wrote:

Best way I've found is to install Fink and install ClamAV using Fink
(Fink Commander).  VERY easy to keep updated to the latest ClamAV 
using
Fink (although you do need to keep running freshclam separately...Fink
only upgrades ClamAV, not definitions)

-Bart
Hmmm...if I 'fink list | grep clam' I get nothing. Fink was my 1st 
choice, but, not finding clamav, I installed with darwinports.
How many packages do you have?  I have 3841 currently on my list, with 
the encrypted and unstable ports.

ClamAV is in version .75-1 of utils, maybe because it's less than 1.0 
you would need the unstable tree?  I see it listed right now in my copy 
of FinkCommander as installed...package info states that it is in 
stable with no unstable version available.

-Bart



Re: [Clamav-users] Downloading clam virus definition files automatically

2004-08-21 Thread Bart Silverstrim
On Aug 20, 2004, at 7:21 PM, <[EMAIL PROTECTED]> wrote:
Rajanikanth P wrote:
Hello D.J. Fan,
But I have a problem here. Assume that clam updates are published at
6:10 PM. I check for new updates at 6:05, so the next time I'm going to
check is at 7:05. It just means that I get the updates after 55 minutes.
And within these 55 minutes thousands and thousands of, say, a worm
which is in the wild arrive at my mailserver and clam does not detect it
and it passes out. What do I do?
This is where "phone-tree" solutions become interesting - the first 
person to hear something calls the head of the phone tree.  They call 
five pre-set people.  Each of those people calls five more people.  
Etc., etc.

Get together with five other organizations that use ClamAV.  Each of 
you check at one of :05, :15, ... :55.  If any one of you realizes 
that there's a new version, tell the other four.
Viral antivirus propagation?



Re: [Clamav-users] postfix+clamav without amavisd-new

2004-08-25 Thread Bart Silverstrim
On Aug 24, 2004, at 10:39 PM, Ajay wrote:
Hi,
What are some other ways to get clamd support in postfix without using 
amavisd-new because I don't need all the features of amavisd-new.

My setup is really basic where everyone has a shell account so in 
order for everyone to have their own bayes databases, I need to run 
spamassassin outside of amavisd-new.  If there aren't any decent 
alternatives then I'll just run amavisd-new without the spamassassin 
settings.
You can use amavis and shut off the spamassassin settings, that would 
be one way.

I'm in the process of researching the setup of a Mac OS X (client) 
system to be used as a mail server, and am leaning towards using 
Postfix (since it comes with Panther) in conjunction with procmail, 
feeding the mail messages to a script that scans the messages, and if 
they're re-headered as infected a procmail recipe will quarantine them. 
There are a couple of scripts meant to work with procmail off the ClamAV 
site.

-Bart



[Clamav-users] clamav and procmail

2004-09-14 Thread Bart Silverstrim
Hello,
I'm trying to integrate clamav with a simple sitewide procmail recipe 
to run clamscan-procfilter, then take action if the headers contain the 
virus tag (X-CLAMAV).  The first part of the recipe in the script makes 
sense...
    :0fw: virus1.lock
    |/usr/local/bin/clamscan-procfilter.pl

But the second one just rewrites the subject, as I understand it.

    :0fw: virus2.lock
    * ^X-CLAMAV
    |/usr/bin/formail -i "Subject: [CLAMAV VIRUS ALERT]"


What I would like for procmail to do is not just rewrite the subject, 
but also change the recipient so the recipient never sees the virus 
message and instead another user (like [EMAIL PROTECTED]) 
would get the email and attachment, and that will keep the end user 
from having to ever create filter rules.

Is there a way to do this?  Thanks!
-Bart



Re: [Clamav-users] clamav and procmail

2004-09-15 Thread Bart Silverstrim
On Sep 14, 2004, at 10:32 PM, Steve Lenti wrote:
man procmailex
What I was looking for was some clarification, since it looked like 
most of the examples close to what I wanted were for *copying*, not 
*redirecting*.  I've looked through the man pages and some examples 
online, and even the example reply I got in email from someone was to 
copy the postmaster while still sending a notification to the original 
recipient.  One of the recipients will be 12 years old; I don't think 
they care about incoming viruses.  The person administrating it, 
however, will be.

Perhaps I'm overlooking the example that I need; very possible...it was 
a long day and material gets blurry as the day wears on.  I thought 
maybe someone already had something like this whipped up as a two or 
three line recipe.

-Bart



Re: [Clamav-users] clamav and procmail

2004-09-15 Thread Bart Silverstrim
On Sep 15, 2004, at 9:45 AM, Paul Bijnens wrote:
I was hoping a >12 year old could at least change a few bytes
here themselves.  Like this:
Thank you, and I apologize for sounding quite so terse earlier.  It's 
one of those mornings again and I was a little irked at the summary 
"man this", "man that" that I've already gone through.  But I shouldn't 
have replied the way I did.

I think I became too focused on a particular solution because what I 
was expecting was something along the lines of using formail to rewrite 
a header and then allow the MTA to continue processing the message as 
it was without rewriting it, in case I didn't want it to be sent to a 
local folder for delivery but rather a remote system and through the 
man pages yesterday it looked like formail was the way to do it (and I 
didn't want processing to continue for the original so it would still 
be delivered to the original recipient).

What I had hoped to do was just slip the original message to the 
postmaster instead of the original person (not a cc, not a bcc, the 
original recipient would never see it at all) and postmaster or whoever 
I designate by email address, local or remote, would get the original 
message content, completely, so I could allow my local mail client to 
redirect based on a local ruleset.  Basically just have procmail 
rewrite a header (and subject, perhaps) and redirect the message so 
instead of foo it goes to postmaster, otherwise the original mail, 
content and attachment, are unaltered.  I didn't see this type of 
recipe in the man page using formail and didn't know if procmail even 
could rewrite a header and have the mail agent continue processing 
without it being delivered to the original recipient by editing the 
headers.

Perhaps the correct solution would be to find a way to use the mail 
command to send it to postmaster with all the mail content/attachments 
to postmaster and then dump the original into null; redirect the 
message instead of rewriting the headers to have it delivered.

-Bart
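The redirect asked about in the Sep 14 post (X-CLAMAV-tagged mail goes to the postmaster, never to the original recipient) and the "send it to postmaster, dump the original" approach in the reply above, written out as a site-wide procmail recipe. This is an added example, not code from the list or from ClamAV's own scripts; it assumes clamscan-procfilter.pl adds an X-CLAMAV header to infected mail, and postmaster@example.com is a placeholder for the quarantine address.

```procmail
# Added example for a site-wide /etc/procmailrc (not from the list posts).
# Assumes /usr/local/bin/clamscan-procfilter.pl adds an "X-CLAMAV" header
# to infected messages; postmaster@example.com is a placeholder.

SENDMAIL=/usr/sbin/sendmail
QUARANTINE=postmaster@example.com

# 1. Scan every message.  "f" filters the message in place, "w" waits for
#    the script's exit status, and virus1.lock serialises the scans.
:0fw: virus1.lock
| /usr/local/bin/clamscan-procfilter.pl

# 2. Rewrite the subject of anything the scanner flagged.  Still a filter
#    recipe, so the rewritten message continues down the rc file.
:0fw
* ^X-CLAMAV
| /usr/bin/formail -i "Subject: [CLAMAV VIRUS ALERT]"

# 3. Hand flagged mail to the quarantine address instead of the original
#    recipient.  A pipe without the "c" (copy) flag is a delivering recipe:
#    procmail stops after it, so the user's mailbox never sees the message.
#    The X-Loop header is added on the way out and checked on the way in,
#    so a message that passes through this rc file a second time (e.g. when
#    the quarantine address is a local user) is delivered normally instead
#    of being forwarded forever.
:0
* ^X-CLAMAV
* !^X-Loop: clam-quarantine@example\.com
| /usr/bin/formail -A "X-Loop: clam-quarantine@example.com" | $SENDMAIL -oi $QUARANTINE

# 4. Clean mail falls through to whatever delivery recipes follow.
```

Because step 3 replaces delivery rather than copying it, the original message body and attachment reach the quarantine mailbox untouched apart from the added headers.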



Re: [Clamav-users] Re: Re: Windows port ?

2004-09-22 Thread Bart Silverstrim
On Sep 22, 2004, at 5:33 AM, Ralph Angenendt wrote:
He has to link the database *somehow* into his program. Look up what
the GPL has to say about that.
And: Hey, if you do not like the license of a program - do not use it.
It is simple as that. If you want to use it - fulfill the license.
I think he believed he *was* fulfilling the license.  He was, like some 
other companies apparently are doing, redistributing the database 
portion only.  The "source" is open for anyone to look at (the 
database), and he made no attempt to hide where it came from and 
actively advertised that it was the ClamAV database.  He was only 
creating (as I understand it) a gui and engine that compared files 
against the database in a way he wanted to keep proprietary.

The actual database he kept open for anyone to use or examine.
The problem, from the sounds of it, isn't "you're not following the GPL 
so you have to stop", it's "I thought I was following the GPL but your 
interpretation is different..."

I guess the only definitive answer would have to come from the database 
maintainers.

Personally I think the intent of the database's license was to keep it 
"open", not be stolen into other projects (or commercial projects).  
The fact that the person writing this is openly advertising where the 
database comes from and is trying to do good by the ClamAV team shows 
that his intent isn't to steal other people's work, but to expand its 
usage to people who ordinarily wouldn't be exposed to the ClamAV 
project.  He's trying to work with the ClamAV people.

At any rate, this should probably be resolved soon...this type of 
argument is one of the criticisms of the GPL, that if any code is used 
then it opens the whole project to becoming open source.  The database 
is a distinct entity in this project that can be ripped out and another 
database substituted instead; why can't a distinct portion of a program 
be GPL and held under GPL?  The BSD license allows people to 
*integrate* the open code into proprietary projects and claim it as 
your own.  This windows project isn't attempting to do that.




Re: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-22 Thread Bart Silverstrim
On Sep 22, 2004, at 12:01 PM, Brian Bruns wrote:
Security through obscurity...  How comforting.
Misguided yet implemented by so many...
Either use the DB as the authors tell you you can use it, or don't use
it at all.  It is very simple to understand.  How would you like it if
you were the ones writing the virus defs and I did the same to you
after you told me that it was against the license?
Ouch.
I thought the question was *whether* he was breaking the license and 
what the interpretation actually is.  It's not like he was trying to 
steal the work of others...he was quite open in acknowledging it and 
sounded like he wanted to work with the ClamAV people on resolving it.  
There's enough other companies out there doing this *without* even 
extending that courtesy, as I understand it.

Unless you are the maintainer of the database with the license in 
question?  (I honestly don't know)  Who is in charge of it, the 
"owner"?  Best bet is to have that person make the decision.

-Bart



Re: [Clamav-users] clamav 0.8 rc2 installation tentative on Mac OS X

2004-09-24 Thread Bart Silverstrim
On Sep 24, 2004, at 7:55 AM, Joël Brogniart wrote:
Hi there.
I'm trying to install clamav on an Apple XServer with Mac OS X 10.3.5 
(and all updates today).

My first try is with september 2003 dev tools installer. A second try 
with XCode Tools 1.5 gave the same result. The third gave better 
result but...

Here are the results for my 2 first tries. When I
./configure
somewhere in the log I get the following warning:

I have had the best luck with clamav by installing it via Fink; while 
not necessarily the most cutting edge release, it does tend to stay 
somewhat close to the latest release and the installation is largely 
automated (and updates are largely automated as well).  Bonus: Fink has 
lots and lots and lots of other ported software to install and use too 
:-)

-Bart



Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Bart Silverstrim
On Sep 29, 2004, at 11:09 PM, Dennis Peterson wrote:
Anyone got a plan for when encrypted zip'd jpeg files start showing up?
I'm switching my userbase to OS X and Linux. :-)
-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Bart Silverstrim
On Sep 30, 2004, at 3:26 AM, Damian Menscher wrote:
On Wed, 29 Sep 2004 [EMAIL PROTECTED] wrote:
... It's interesting that viruses are finally starting to implement 
what
we were joking about in 1995 at high school...
I'm impressed with how far we've come.  Less than a year ago, I could 
most email viruses with simple procmail scripts.  Now even antivirus 
products are having difficulty keeping up with the threats.
But for the jpeg threat, as I understand it, patching systems *should* 
fix this so even if a "virus" does get loose on your system (jpeg 
virus), it shouldn't have an effect.  The problem is with the way it's 
interpreted by some libraries in Windows.  Slightly different than 
running an executable (who would have thought a few years ago that 
spreading a virus would be as simple as an anonymous email with a .exe 
attached saying, "This is neat, UsEr!  Run this program!"...AND THEY 
DO!?? AARGH!).

Once all bazillion Windows machines are patched by all the users on the 
planet who know more about their computer than where the on/off switch 
is, this "jpeg virus" threat will be a minor footnote in computer 
history.



You do realize, of course, in several years there's a distinct 
possibility that this will turn into a "minefield" with otherwise 
harmless jpegs (to some platforms) winding up on web pages for viewing. 
Some people patch, some don't, eventually...*foom*...infected on those 
systems the user never patched.  This will be happening five years from 
now.

The only way to really "fix" it is to either A) fix the libraries with 
the problem or B) create a screen program that processes EVERY jpg, 
resaving them in a "stripped" form so the executable code won't exist 
in the new copy, and forward it or present it to the user...this would 
have to be done like some kind of web browser plugin or something of 
that nature.

At least, those are two ideas I see as possible.  The second one would 
be a real PITA, though.  Both require users to update their systems or 
antivirus programs or spyware programs...  Here's another 
thing...what's with spyware and viruses mixing now?  Five years ago 
viruses were viruses, slimy company advertising was slimy company 
advertising.  Now, my Windows antivirus is picking up "trojan" adware 
and viruses and my spybot is searching for Bagle?!?  This is getting 
bloody crazy.  Now that virus vectors are coming through email rather 
than just sharing programs, and are increasingly shifting towards 
infection via web browsing, how long before Clam will need to be run 
with some sort of web proxy plugin via Squid??  But now I'm just 
ranting...

-Bart
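Option B from the post (a "screen" that rewrites every JPEG in a stripped form), as an added example that is not code from the thread or from ClamAV: a walker over the JPEG marker segments that drops COM and APPn segments and refuses any file whose declared segment lengths are inconsistent instead of guessing. The sample JPEG is constructed from segment headers only (no decodable picture), which is enough to exercise the walker.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APPN = set(range(0xE0, 0xF0))        # APP0..APP15 (JFIF, Exif, ICC ... metadata)
RSTN = set(range(0xD0, 0xD8))        # restart markers inside entropy-coded data
STANDALONE = {0x01, SOI, EOI} | RSTN  # markers that carry no length field


class BadJpeg(ValueError):
    """Raised instead of guessing when the marker structure is inconsistent."""


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the 16-bit length counts itself but not the marker."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _scan_end(data: bytes, pos: int) -> int:
    """Offset of the first real marker after entropy-coded data starting at pos.
    0xFF 0x00 is byte stuffing and 0xFF RSTn is a restart marker; neither ends the scan."""
    while True:
        ff = data.find(b"\xff", pos)
        if ff < 0 or ff + 1 >= len(data):
            raise BadJpeg("scan data not terminated by a marker")
        nxt = data[ff + 1]
        if nxt == 0x00 or nxt in RSTN:
            pos = ff + 2
            continue
        return ff


def strip_jpeg(data: bytes) -> bytes:
    """Return a copy of `data` without COM and APPn segments, validating every length."""
    if data[:2] != b"\xff\xd8":
        raise BadJpeg("missing SOI")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise BadJpeg("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:           # fill byte, permitted before a marker
            pos += 1
            continue
        if marker == EOI:
            out += b"\xff\xd9"
            return bytes(out)
        if marker in STANDALONE:
            raise BadJpeg("marker 0x%02X is not valid here" % marker)
        if pos + 4 > len(data):
            raise BadJpeg("truncated length field for marker 0x%02X" % marker)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        # The length includes its own two bytes, so 0 or 1 can never be right;
        # a decoder that blindly computes length - 2 on such input underflows.
        if length < 2:
            raise BadJpeg("marker 0x%02X declares impossible length %d" % (marker, length))
        end = pos + 2 + length
        if end > len(data):
            raise BadJpeg("marker 0x%02X segment runs past end of file" % marker)
        if marker != COM and marker not in APPN:
            out += data[pos:end]     # keep tables, frame header, SOS, etc.
        if marker == SOS:
            scan_end = _scan_end(data, end)
            out += data[end:scan_end]
            end = scan_end
        pos = end


def is_well_formed(data: bytes) -> bool:
    """True if strip_jpeg accepts the marker structure, False if it rejects it."""
    try:
        strip_jpeg(data)
        return True
    except BadJpeg:
        return False


# Constructed sample: JFIF APP0, a comment, a quantisation-table placeholder,
# an SOS header, a few bytes of "scan data" with stuffing and a restart marker, EOI.
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(COM, b"constructed comment")
          + segment(0xDB, bytes(65))
          + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
          + b"\xff\xd9")

if __name__ == "__main__":
    print(len(SAMPLE), "->", len(strip_jpeg(SAMPLE)), "bytes after stripping")
```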


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Bart Silverstrim
On Sep 30, 2004, at 8:32 AM, Samuel Benzaquen wrote:
As I remember... there IS a plugin for using Clam on Squid =P
Methinks it isn't as widely deployed as it may become, or there'd be 
more mentions of it and howtos...and we'd probably have to be running 
it by now, and the ClamAV team would be hounded with requests to find 
more spyware sigs on the fly...

This world is not getting any easier... but if it were we would be
unemployed =).
Two ways to look at it...
A) I'd rather be out of this field due to an honorable cause 
(everything is happy and runs with self-healing hardware and software 
and OS's are easy to use and bug/glitch free...) than hold on to it by 
crippling the users intentionally so I'd have a job...and
B) it will never happen...I can replace my own brake shoes on the car, 
but it's still worth it to me to pay the mechanic to do it in less time 
with less hassle.  Same will always be true for computers.  Especially 
since most users don't *care* and don't *want* to learn about how they 
work or why they shouldn't randomly click on every picture in their 
email inbox.

-Bart


Re: [Clamav-users] JPEG Vulnerability Question

2004-09-30 Thread Bart Silverstrim
On Sep 30, 2004, at 1:08 PM, ralf bosz wrote:
I have just upgraded to the latest version of ClamAV that is said to 
be able
to detect the new JPEG vulnerability. I'm using ClamAV with 
MailScanner to
scan e-mail. How can I test to see if ClamAV is indeed detecting the 
JPEG
exploit?
Download an example here: http://www.easynews.com/virus.html (watch
it, it's a real virus, don't open it on unpatched system, it may crash
your pc) and scan it, or check the logging for Exploit.JPEG.
This bug enabling the exploit is only affecting Windows, correct?  Just 
to be clear.  I thought I read some chatter about the buffer overflow 
being possible on other platforms, but I may have been 
mistaken...there's so much of this stuff flying around these days...

Currently about 20 hits a day for possible exploit.jpeg's.
This is the part that worries me.  Are these verified as exploit, or 
are they possible FP's?  And is there a way to check if a system has 
been compromised?

-Bart


Re: [Clamav-users] a beginner's question

2004-10-05 Thread Bart Silverstrim
On Oct 5, 2004, at 6:08 AM, gillian wrote:
Thank you so much for your response, but boy, now I am confused. Are 
you
saying I should be using amavis not clamav? This is the 2nd response
with an amavis url in it.
Amavis is a program that can work in conjunction with ClamAV.
Most UNIX systems work in a "black box" philosophy (although this seems 
to be starting to drift away, unfortunately).  Tasks are done with 
components.  When one "box" is done with a task, it hands it off to the 
next.  That's why there are so many system commands and such a love of 
scripting from old hat UNIX users...there are so many small, 
specialized programs that can be chained together to achieve a 
particular goal.

ClamAV is a virus scanner.  It will scan for and identify viruses.  It 
will not clean them, it will not delete them (although Clamscan can be 
told to, iirc).

The most common setup for Clam users is to use it on mail servers.  
Why?  It goes like this.

Your incoming MTA gets a message (postfix, sendmail, whatever).  That 
program is told to hand it off to a processor of some sort...for many 
people, amavisd.  Amavis is a set of scripts that will take that mail 
message and wring it through a virus scanner (you can configure the 
scanner(s) to scan with).  When the scanner hands it back to amavis, it 
tells it "yes, it's infected with X" or "Clean!".  Amavis then, if the 
message is clean, can scan the mail message with Spamassassin to score 
it for spam.  If it doesn't hit the spam threshold, it returns it to 
your mail delivery system for delivery to the intended recipient.  If 
the message was returned to Amavis as "infected", amavis can quarantine 
the message or delete it and/or alert the system administrator with a 
warning message.

So you can see...clam is flexible and can be used as a component in a 
larger system.  This is also why you would use the daemonized clamd to 
scan things...for email.  Amavis just throws the message to clamd and 
it doesn't keep reloading the database on a medium or heavily loaded 
system.

Clam also includes the per-file scanner, clamscan.  Same database and 
scan engine, but meant for a user to call it for scanning a directory 
or file manually.

I believe there are people using Clamzuko or some other program to try 
running as-you-access scanning...you know, constantly scanning files as 
the system uses them.  Kind of resource intensive and, in my opinion, a 
waste, since on Linux/OS X there's been what, two viruses if even that? 
Clam is more effective at scanning and quarantining viruses on their 
way to Windows systems, especially since OS X and Linux/FreeBSD are 
immune.  I wouldn't want access scanning anyway, since I keep some of 
the wonderful self-emailed samples on my laptop for testing the mail 
server when reconfiguring or upgrading to make sure it's still catching 
the little boogers.  I've already had some Windows scanners that keep 
trying to delete an archived installer file of a Windows antivirus 
because it has the eicar test in it...finds it whenever I copy the 
installer to a machine to install the antivirus from.  Stupid catch-22. 
@#$!%

-Bart
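The hand-off the post describes (amavis throwing the message at clamd and acting on the verdict, then consulting the spam score), as an added example that is not code from the post, ClamAV or amavis: a minimal client for clamd's zINSTREAM protocol, a parser for its reply, and the deliver/quarantine decision. The clamd on the other end is a stand-in written for this example that only recognises the EICAR test string, so it runs offline; on a real server you would connect to clamd's LocalSocket or TCP port instead of the socketpair, and the spam score would come from SpamAssassin rather than being passed in.

```python
import socket
import struct
import threading

# The standard EICAR test string (mentioned in the post), split so the
# complete string is only assembled at runtime.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("clamd peer closed the connection")
        buf += part
    return buf


def _recv_until_nul(sock):
    buf = b""
    while not buf.endswith(b"\0"):
        buf += _recv_exact(sock, 1)
    return buf


def clamd_instream(sock, data: bytes, chunk_size: int = 4096) -> str:
    """Scan `data` over a connected clamd socket with the zINSTREAM command.
    Each chunk is a 4-byte big-endian length followed by the bytes; a
    zero-length chunk ends the stream. Returns clamd's NUL-terminated reply."""
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)
    sock.sendall(struct.pack("!I", 0))
    return _recv_until_nul(sock)[:-1].decode()


def _fake_clamd(sock):
    """Stand-in for clamd (constructed for this example): answers one
    zINSTREAM session the way clamd does, flagging only the EICAR string."""
    try:
        if _recv_until_nul(sock) != b"zINSTREAM\0":
            sock.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:
            (length,) = struct.unpack("!I", _recv_exact(sock, 4))
            if length == 0:
                break
            body += _recv_exact(sock, length)
        if EICAR.encode() in body:
            sock.sendall(b"stream: Eicar-Test-Signature FOUND\0")
        else:
            sock.sendall(b"stream: OK\0")
    finally:
        sock.close()


def parse_verdict(line: str):
    """Map 'stream: OK' / 'stream: <name> FOUND' / anything else (ERROR) to a status."""
    if line.endswith(" FOUND"):
        return "infected", line[len("stream: "):-len(" FOUND")]
    if line == "stream: OK":
        return "clean", None
    return "error", line


def route_message(message: bytes, spam_score: float, spam_threshold: float = 5.0):
    """Amavis-style decision: virus scan first, spam score only for clean mail.
    `spam_score` stands in for what SpamAssassin would report."""
    client, server = socket.socketpair()   # replaces connecting to clamd's socket
    worker = threading.Thread(target=_fake_clamd, args=(server,))
    worker.start()
    try:
        status, detail = parse_verdict(clamd_instream(client, message))
    finally:
        client.close()
        worker.join()
    if status == "infected":
        return "quarantine", detail          # alert the admin, never deliver
    if status == "error":
        return "defer", detail               # scanner problem: retry, don't guess
    if spam_score >= spam_threshold:
        return "spam-quarantine", None
    return "deliver", None


if __name__ == "__main__":
    print(route_message(b"Subject: hi\r\n\r\nhello", 0.5))
    print(route_message(b"Subject: test\r\n\r\n" + EICAR.encode(), 0.0))
```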


Re: [Clamav-users] Old ClamAV workaround

2004-10-25 Thread Bart Silverstrim
On Oct 24, 2004, at 3:29 PM, Mark Adams wrote:
Matt wrote:
What's the worst that can happen? It fails to compile, and you still 
need
to find a packaged version. You'll be no worse off than you are now.


The worst that can happen?  I descend once again into dependency hell 
and spend hours losing my mind over this.  I totally alienate my 
sense of well being and take up arms on a shooting spree that 
threatens everyone in a 400 mile circle leaving my children without 
any parents.

Fortunately, that didn't happen.  I snagged a copy of source and it 
compiled smoothly.  It seems to be working just fine for now.
Stupid question (I've got TONS of them :-) ...
When you only install programs from source, how do you know when 
upgrading them that there aren't remnants of binaries or libraries 
scattered around the OS?  I grew up having to use Windows, so please 
forgive the question; I had one too many instances of uninstallers 
getting rid of the program then having old DLL's and older registry 
entries left behind (and before that, old .ini files).  So when using 
source compiles, I have this ingrained flinch towards the idea of just 
running a compile and installing the results then trying to do an 
upgrade if there's no version control, etc. built into it (which I 
suppose is why RPM and apt-get and all the other packagers are so 
popular...supposedly they help prevent conflicts from upgrades)

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Bart Silverstrim
On Nov 14, 2004, at 9:26 AM, Steve Basford wrote:

since ClamAV reached v0.80, I am using it to scan and reject e-mail
messages.  Today I noticed that ClamAV also detects phishing attacks.
Phishing is pure social engineering and poses no threat whatsoever in 
a
technical sense.
I'm certainly *very* happy that ClamAV team have added more phishing
detections (thanks Trog et al.).
Yes, you're correct it's social engineering but it doesn't stop 
users clicking on the links
and downloading the keylogging trojan, from the remote site that the 
phish email takes them to.

I don't personally think we need a "--no-phishing" option in ClamAV 
but someone might ;)
I think, unless someone can posit some good counter-arguments, I'd like 
to voice a "Phishing detection" nay as well.  It's a slippery 
slope...we can't protect users from every idiot scheme coming out.  And 
do we (admins) begin to accept responsibility for when these things get 
through and Johnny User is the victim of fraud because he didn't stop 
to verify that it wasn't a scheme before clicking around and giving 
away private information?

Phishing is more of a spam attack than anything else.  Let SpamAssassin 
and Procmail rules stop the phishing if that's what admins want to also 
take the responsibility for stopping.  There seemed to be almost an 
underlying hostility towards suggestions in the past that Clam be moved 
beyond any role than virus detection on mail servers (indeed, I'd 
almost think ClamAV isn't really an *antivirus* as much as a *virus 
detector*...it doesn't by default do anything other than notify of the 
presence of a virus so other programs can handle it as they will, and 
it makes no attempt to disinfect) and moving into spam detection 
territory is definitely a step outside of that realm.  When Clam starts 
detecting and warning of mails that are just clicktraps for people who 
should know better, that's more a job from the handbook of 
SpamAssassin, and I would think the developers have much more to do 
than try to keep up with signatures to keep up with every permutation 
of Nigerian schemes and "Verify your password with our web5ite" bank 
scam.

Just my .02.
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Bart Silverstrim
On Nov 14, 2004, at 9:32 AM, Joe Maimon wrote:

Steve Basford wrote:

since ClamAV reached v0.80, I am using it to scan and reject e-mail
messages.  Today I noticed that ClamAV also detects phishing attacks.
Phishing is pure social engineering and poses no threat whatsoever 
in a
technical sense.

I'm certainly *very* happy that ClamAV team have added more phishing
detections (thanks Trog et all).
Yes, you're correct it's social engineering but it doesn't stop 
users clicking on the links
and downloading the keylogging trojan, from the remote site that the 
phish email takes them to.

I don't personally think we need a "--no-phishing" option in ClamAV 
but someone might ;)

Perhaps a way to disable certain signatures or patterns of signatures 
would be better?
Wouldn't this also still encourage spreading or altering Clam's role in 
what it should and shouldn't detect and at the same time increase the 
burden on the developers...?  Someone would still have to classify what 
each signature is and what fits what categories...

(granted, the proposal now is just virus vs. phishing, but slippery 
slope would say it would be only a matter of time before another option 
is added to further separate them, like new viruses vs. old database 
viruses so admins could separate them out for statistics or something 
like that...add more flags to headers for analysis by stats programs or 
something).

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Bart Silverstrim
On Nov 14, 2004, at 10:01 AM, John Jolet wrote:
On the issue of manually reviewing the mails to submit...isn't this 
the
purpose of the quarantine directory?  When it detects a phishing 
malware,
look at the file in the quarantine directory.
I think he's thinking that this is more time and labor 
consuming...before Clam only concentrated on "Here's a malware 
binary...into the quarantine with you!", whereas now it's also 
detecting things that only affect users if they are the kind to not 
stop and think before acting.

How many phishing permutations are out there?  How accurate are the 
signatures, i.e., how many phish attacks get through by changing just a 
couple details that alter the signature significantly?

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 14, 2004, at 9:14 PM, Jason Haar wrote:
This is a "me too". I am ABSOLUTELY in love with ClamAV due to the 
fact it has gone beyond what most commercial AV players are doing, and 
is incorporating scanning for phishing and spyware.

If you follow the industry, you will see that most AV vendors are 
bringing out *separate* products to detect spyware - i.e they want us 
the consumers to pay TWICE to gain full protection.

I think it's a crock - and I'm glad to see the ClamAV developers do 
too. Viruses/trojans/phishing/spyware - it's all rubbish I would 
rather was not in my end-users mailboxes.
If it is incorporated, I also think it should be something that can be 
disabled as well.  I think I'd prefer not having false positives caused 
by spam blocking and the heuristics going wonky.  Clam is very reliable 
when it comes to stopping viruses, but I've never found something that 
can stop all the spam crap flowing on the Internet; the UNIX philosophy 
has always been one of modularity and creating programs for doing 
focused tasks and combining different "modules" for a solution.  We've 
been happy with our virus solution for the mail server, and I'd prefer 
not having to justify it when the spam level that it may start 
promising to stop is instead letting things through or mis-quarantining 
it.

phishing attacks should be handled by things like Spamassassin and the 
bayes filters...also free, focused on stopping those specific problems 
and having administrators needing to check two separate quarantines or 
lists (one from Clam and one from their spam solution) to hunt down a 
possible mislabeled message.

One question though...if it is going to block spam and phishing 
attacks, how are signatures going to be instituted?  I mean, how 
accurate would the signature system be...with all the spam out there, 
is it going to recognize a general pattern so one sig would stop maybe 
four or five common spams, or will the virus definitions suddenly 
balloon up in size to cover every p3nis, pen1s, pen is variation out 
there hitting the mail servers?  If there were some way of knowing how 
flexible and accurate the signatures are, maybe it could alleviate some 
of my fears personally.  I just find it hard to believe that signatures 
would be a good solution to phishing and spam, or systems like 
SpamAssassin would probably have moved to it by now.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 8:26 AM, jef moskot wrote:
On Mon, 15 Nov 2004, Trog wrote:
For example, the last Bagle (or Bofra) outbreak simply sent an email 
to
its target victims, who then have to click on a link to download the
Worm. According to your definition, that is a 'social' attack, and
should not be blocked.
I was going to make this same point.
I understand what Julian is trying to say, and I don't object to a 
ClamAV
option that would allow him to receive all the unwanted garbage he 
wants,
but I don't really buy his logic.

He says some people might want to receive 419 scams and such, but some
people might also want to receive viruses.  Sys admins often make the 
call
that people can't have free access to viruses, for the good of the
community, and I see granting people easy access to spread malware 
(either
accidentally or purposely) or encourage phishing falling into the same
category.
It becomes a question of degree, though.  Yes, it's harmful if you're 
dumb enough to give your life's savings to a stranger in another 
country.  It's stupid to buy p3n1s enhancements from UBE.  But we can't 
protect users from every single scam out there.  There's already 
programs that administrators can use to try to fight that available, 
and they have quite a bit of lead time on ClamAV in that respect.  It's 
a whole other fight...you can protect users from binary attachments of 
malware, but you can't protect them from stupidity.  I'd say leave it 
to the antispammers to hammer out, and to the people who focus on bayes 
filters...let the Clam team focus on analyzing the latest binaries 
floating around out there.

The binaries are one thing...it's easier to find those attachments and 
create sigs for them.  If it were easy to break spam and assorted 
click-here-for-her-pleasure mails into signatures I'm sure SpamAssassin 
and its brethren would have stamped out the bulk mail business a long 
time ago.  At least with viruses, the Clam team can stamp them out as 
they crawl from the woodwork while spam is more like a bottomless can 
of prank peanut brittle.  The spam just keeps coming no matter what 
defense is put in place.

I appreciate the intellectual argument that ClamAV should remain
"modular", but in basic practice, anyone who is preventing users from
receiving all the viruses their inboxes can handle isn't doing them a
disservice by closing off another malware avenue.
May be doing them a disservice if the signature mismatches a legit mail, 
though.  Or introduce more bugs because the coding for the scanning 
engine gets more complex.  The tools are out there already to fight 
spam, it may be better to support their efforts instead of bolting more 
functionality to ClamAV.  Bolting more functions to a program, 
extending it beyond the original design, is a good way to start 
introducing problems and losing focus of the project.

I'd beg people who want more anti-phishing/spam functions to instead 
support the teams that are already waging that war...contribute recipes 
and code to the SpamAssassin teams or another OSS filtering team.  Make 
ClamAV the best virus blocker available for working *with* those 
programs to provide a solid anti-malware platform.

Personally, I don't think much of SpamCop, but I do see that as 
Julian's
most compelling argument.  I think that warrants a ClamAV option, but I
also think it would be ill-advised to use it.
I think a lot of the proposal should probably be tabled unless the 
core Clam team expresses an interest in tackling this type of 
direction, and also could provide some tests to show how accurate it 
is...how much benefit there is to doing it this way versus how much of 
a system cost it would impose (database size, scan time, 
etc.)...keeping in mind that some people also use Clam to scan files on 
a hard drive.  Why add scanning for phishing attacks on a .doc file 
saved in my file share?  If you want to allow classification of code as 
phishing vs. virus vs. social engineering, how will this impact the 
team's time efforts and efficiency of scanning files on the hard disk?  
It would be nice to know just what kind of a performance hit this will 
introduce, especially after the recent discussions on new ways to ease 
the load on the servers for downloading signatures and distributing 
update notices via DNS servers...how big will the database get if there 
is a "spam signature repository" added?

Most solutions that I've found on the Internet for ClamAV scanning mail 
already include spam filtering and spam scanning via another OSS 
project...Amavisd-New expects that separation of virus vs. spam 
functionality precisely because it fights with different methods and 
spammers are notoriously clever at circumventing signatures.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 10:40 AM, Dennis Skinner wrote:
Julian Mehnle wrote:
 Besides, if mail servers started
using SPF (or similar authentication techniques) to verify envelope 
sender
addresses, whoever publishes SPF records for his domains would be
Not to start another flame war, but I find it interesting that you 
take such a hard-nosed approach to what is and is not technically a 
virus, but are willing to use something that is considered by some 
hard-nosed types to be a bastardization of the SMTP and DNS protocols.
I didn't think this was becoming a flamewar...anyone else?  I thought 
this might be an interesting discussion.

It is not a hard-nosed approach to protocols or what is or isn't a 
virus, it's (to me) the possibility that taking on spam with signatures 
is losing focus of the objective to Clam.  When projects lose focus, 
the quality degrades, and there's greater chance of bugs being 
introduced.

I think (julian's?) original problem was that he didn't see why a virus 
scanner should shoulder the responsibility for every message that goes 
out saying "Hey, click here for k3wl new deals on Mort Gage rat3s!  
Yoove been approved!", when it's not a virus, it's something that is 
enticing people who should know better to click on it for free crap and 
more spam.

The "bastardization" of protocols is a response to the fact that 
administrators are quickly getting overwhelmed...people want a "free 
internet" but none of the unhappy stuff that comes with it, and 
administrators are getting saddled with the complaints.  It's wearing 
people down.  As patience grows thinner and complaints increase to a 
dull roar, the only "solution" would ultimately be whitelisting all 
mail servers that are "certified known good" and if you're not on that 
list, well, sorry buddy.

People recoil at that and are shocked...that would stifle the Internet 
and my access!!  Well...that's where the compromise of "bastardized" 
protocols is being explored.  So much time and resources are being 
poured into maintaining systems with so many people on them that the 
burden of fighting spam, viruses, spiruses, and now users that 
apparently lack enough sense not to respond to the low MoRtg Age rate 
mails and pleas to save Abu Demar's ailing sister with the promise of 
several million dollars to an offshore account that administrators are 
going to have to do SOMETHING radical before the signal to noise ratio 
on the Internet makes it, in the end, utterly useless to everyone and 
it all burns down into a useless pile of digital slag.

Oh...and ClamAV and the Clam team have done a wonderful job so far with 
the antivirus thing.  Please keep up the good work on that.  But I'd 
still beg people favoring the idea of the spam fighting integration to 
instead volunteer to help the teams behind Spamassassin or other OSS 
spam filtering software efforts...they've been trying for quite some 
time more than the Clam team has, and that is precisely what their 
focus always has been.  Otherwise, maybe consider a fork of code for 
ClamAV and another for ClamSpam or something like that, to show that 
this idea *could* be done without hurting the quality of the antivirus 
scanner or getting too many false positives or killing performance.  I 
just see too much overlap between functionality between what people are 
proposing and what is already heavily used out there, and I'm sure the 
current anti-spam project teams would welcome volunteers who may have 
ideas on how to improve their programs in the war on 
idiots...er,...spammers.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:14 AM, jef moskot wrote:
On Mon, 15 Nov 2004, Bart Silverstrim wrote:
I'd say leave it to the antispammers to hammer out, and to the people
who focus on bayes filters...
In my case, if Clam has a chance to see the phishing e-mail, the 
anti-spam
tactics have already failed.  So, from my point of view, this is extra
protection which would not otherwise have been offered.
In your case, sure...but it is supposed to be a flexible solution for 
a myriad of implementation methods.

I'm not going to comment on the technical aspects of blocking these
messages, except to say that I've always found the ClamAV team to be
incredibly competent, and if they've chosen to take up this task, then
they probably think they can do it effectively.
They have been, yes, very competent and Clam is wonderful.  One of my 
points has been that it is working very well, so if you're going to 
start moving it into another direction, it may be best to fork that and 
leave the original recipe alone until the new direction, off-focus from 
the original intent, can be shown to work well...as well as or better 
than the current incarnation.

May be doing them a disservice if the signature mismatches a legit mail,
though.
This is true of any pattern-matching system.
Yes.  Definitely...and currently, I can tune my settings through 
SpamAssassin and Amavisd-New as to how to handle things and how I'd 
like it reported.  That's the modular aspect of these programs...they 
focus on doing a particular task very well.  Clam is excellent against 
viruses.  Spam...if it were that easy to tackle through signatures, 
they'd probably have done it by now.  Social engineering...good luck 
finding sigs against all those.  Will these efforts water down or bog 
down the virus scanner or make Clam lose focus?

Bolting more functions to a program, extending it beyond the original
design, is a good way to start introducing problems and losing focus of
the project.
I agree, but I think the basic usage of ClamAV is as a mailscanner, so
this is hardly a stretch.  For the same reason, I think your argument
about scanning Word docs for phishiness being a waste is not really that
persuasive.
It's popularly used as a mail scanner, I agree.  But one of the 
components that comes with it is clamscan for scanning home directories 
on shared folders, and I use it for analyzing things as they come in.  
Some mail scanners can also be configured to run clamscan on files.  
It's not a stretch.  Some messages talk about using "real time 
scanning" on file access...would that have use of scanning for phishing 
attacks on home directory contents?

Also, in the big picture here, it looks like they're only adding very
prevalent phishing schemes.  This doesn't seem to be a proposed anti-spam
solution or even a method for stamping out all phish traffic.  The
"slippery slope" argument is something to keep in mind, but it also
shouldn't prevent simple no-brainer solutions to easily solved problems
from being made available.
I'm not trying to rain on people's ideas...just point out some 
counter-arguments that maybe people didn't think of.  Personally I 
don't like the idea of protecting users from their own stupidity when 
tackling that kind of message...something that could so easily reject 
messages accidentally...is outside the original focus of Clam.  Right 
now I have at my site, as I'm sure many other admins have, a setup I 
like at the moment for filtering.  It's adequately divided that I can 
search for messages and diagnose where a breakdown occurred.  If it's 
in the spam rules that a message is "lost", I know where it would have 
happened.  I don't want to have to diagnose whether it's in spam 
quarantine or virus quarantine when it wasn't a virus problem, and I 
don't need to determine if there's a problem with the virus scanner 
that uncle phil's message was lost because he put too much of that rich 
text HTML crap in his message and it matched a signature for some other 
message.

The work that would be added in trying to get clam to stop spam is 
already being done in other projects...maybe their efforts are worth 
contributing to instead of changing the focus of Clam.  Just something 
I was throwing out there for people to mull over... :-)



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:48 AM, Julian Mehnle wrote:
Matt [EMAIL PROTECTED] wrote:
The problem is that, as yourself and others have mentioned, the
distinction between the different categories is dependent upon personal
interpretation. What one classes as social engineering, someone else may
class as, for example, malware. Even though they can technically be the
same thing, perceptions vary, thereby making it a nigh on impossible
question to answer.
Following that logic, any distinction between spam and malware would be
artificial, too.  Sorry, but I don't subscribe to this sort of nihilism.
;-)
Because there is still a difference..."commonly accepted definitions" 
are watering them down though :-)

Malware...bad software with bad intentions.
I think the line is pretty easy to find between viruses/worms and 
trojans and spam/UCE/UBE and social engineering attacks.  The lines 
blur as they start using each other to their own advantage (viruses 
spreading spam from infected machines, for example) but it's clear 
enough that the actual virus or worm is the executable code or script, 
while the "click here for amazing rates!" is simply spam, and the 
techniques for fighting spam can be quite different from those used to 
stop an infectious file attachment.

I have not tried to make a distinction between social engineering and
malware.  Those are orthogonal concepts.  But there definitely is a
distinction between technical attacks and social engineering attacks, even
though they're somewhat overlapping.
Very correct.  There's a difference between me taking your wallet and 
me telling you about a wonderful investment opportunity where you can 
double...no...triple your money in two weeks!

If it takes advantage of a bug in the OS or contains executable code or 
scripts that carry the intention of "infecting"...spreading/running 
without the user's knowledge...then I would think it's Clam's job to 
stop it.  If it's someone trying to triple my money or beg for a place 
to hide a billion dollars while the sender's government falls, it's 
SA's job to stop it.  If I wanted overlap, I'd install multiple spam 
filters and multiple virus filters, I don't need multiple spirus 
filters to try to diagnose and maintain :-)

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:48 AM, Trog wrote:
Not one of the Clam developers have proposed adding general spam
detection to ClamAV.
You're right.  This was an idea being proposed, I thought...a 
suggestion.  Isn't this something worth going over on a "users" list as 
discussion?

Sorry if not... :-/
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:54 AM, Brian Morrison wrote:
On Mon, 15 Nov 2004 17:48:35 +0100 in
[EMAIL PROTECTED] "Julian Mehnle"
<[EMAIL PROTECTED]> wrote:
 But there definitely is a distinction between technical attacks and
 social engineering attacks, even though they're somewhat overlapping.
I can't see logically how things that are distinct can also be
overlapping. Is that really the description you want to use?
You get a mail...
If it has an attachment that will run in the background on your 
computer for the express reason of propagating itself, it's for clam.

If it has an attachment that will spread to other computers to cause 
harm, it's for clam.

If it was sent to you by a worm with itself as a payload, it's for clam.
If viewing the message takes advantage of an OS bug to alter the 
computer without your knowledge, it's for clam.

If it's a bunch of flashy graphics telling you to visit a website for 
fantastic deals on hiding money from third world countries while 
getting fantastic mortgage rates on your pen1s enlargement ointment, 
it's for a spam filter.

If it only does harm if you follow a link and then consciously give 
your account information, be it ebay or bank or paypal, to a third 
party site, it's for the spam filter.

howzat? :-)
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:25 PM, Chris Meadors wrote:
On Mon, 2004-11-15 at 12:12 -0500, Bart Silverstrim wrote:
If it's a bunch of flashy graphics telling you to visit a website for
fantastic deals on hiding money from third world countries while
getting fantastic mortgage rates on your pen1s enlargement ointment,
it's for a spam filter.
If it only does harm if you follow a link and then consciously give
your account information, be it ebay or bank or paypal, to a third
party site, it's for the spam filter.
howzat? :-)
How about an e-mail that contains a link that takes one to a webpage
that exploits the web browser to install a program that will intercept
the account information the next time the actual site is visited?
Hmm...if it is scripted so no user intervention is necessary for it to 
run, it's an executable script, so it's clam.

If it is something like "click here to see Anna Kournakova NUDE!" and 
is just a plain URL, no exploit, then it's spam.

Otherwise, you're talking about something that makes just as much sense 
to integrate Clam into Squid to scan all traffic streaming through the 
web proxy...keep users from being able to view this site, it contains 
harmful code for their computer!  Actually if this is a threat, maybe 
more work should be put into making the file-access-scanner daemon more 
stable and keeping definitions on the users Windows machine updated for 
their Windows AV scanner.

The actual harm to the computer in your example still came from the 
user doing something beyond reasonable safety...being duped into going 
to a website.  The mail itself was harmless.  The bug should be patched 
in the browser so it shouldn't happen.  The program getting on the 
system is no different from any other spyware vector installation.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:29 PM, Daniel J McDonald wrote:
clamav kills bad things - that's good, and I'd like it to be able to
continue to kill bad things in the same expedient manner that it has in
the past.
That's not entirely true.  There are people who installed it on Windows 
and Windows still booted afterwards.

:-)
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:32 PM, Dennis Skinner wrote:
How little user interaction is required before it is considered a 
"technical" enough?  Require the user to open the attachment?  Require 
the user to pop their mail?

Technically, most viruses these days are social engineered in some 
way.  Unlike the boot sector viruses that seem to have gone the 
way of the floppy disc.

Given the new push for integration between the internet and local 
computers, limiting an AV scanner to only protecting against viruses 
physically included in an email is a bit short-sighted in my opinion. 
It's getting to the point where users are unable to distinguish 
between what is remote and local content.
Well...how about this counterproposal...
Let's make ClamAV into a filter that takes ALL mail, strips HTML, 
converts it into plain text, and strips all scripting out of the 
message whatsoever, as well as attachments?  It could move them to a 
configured "mail website" where you click a link that Clam inserts into 
the mail message (plain old URL) if you're interested in getting it, 
and you can browse whatever graphics or attachments were meant for that 
message and were instead stripped?  Of course this would mean setting 
up a web server and database server, but those tools exist already.  
This way it doesn't matter what new threat comes out, your mail is 
already defanged, demangled, demimed and sanitized for the user's 
protection!  It could protect from click traps, malware attachments, 
script exploits...users just lose their dancing icons and pretty pretty 
backgrounds.  It could also make previously hidden text visible from 
spam.

On one hand, it's sarcastic as heck.  On the other, it might not be a 
bad idea.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:43 PM, Matt wrote:
If the standard database was segregated, some people would inevitably
cock up their configs and run with partial protection. This can cause
problems not only for themselves, but others, in the case of propagation.
Whitelist all traffic you want to allow! Mail servers, web 
sites...there must be a way.  After reading how Lexmark is apparently 
having their *drivers* phone home, and the number of emails from 
spammers that may link to pages where users happily click away their 
life savings...and...there's just getting to be too much.  It is 
getting utterly hopeless to have some kind of order arise from the 
UBE/UCE/Spam/Spim/trojan/virus/worm/scammer/ad content/spyware/etc. 
muck and mire we're currently dealing with.

I need a new career :-(
There is also the fact, and I am sure that I am not alone, in being very
draconian. You control the machines, the users get what they are given :)
This is why UNIX had the "modular black box" model, as I recall...take 
the app, make it focus on its task, and if you need other 
functionality, it was done in another app.  Chain together.  Repeat as 
necessary.

Some...many...ISPs would want a scoring system for spam so users can 
have an opportunity to filter themselves or decide their tolerance and 
training levels.

Others, like my school, need to make decisions FOR everyone because 
there's too many users that just don't take the time to learn how to 
use it.  We have too much user turnover and it's impractical with our 
human resources to keep people up to speed when they really don't give 
a hoot about such things.

Some people don't like their messages being filtered at all...they 
prefer it done by themselves at the desktop.  Some people combine it, 
some at the server, some at the desktop.

The modular model makes all these possible with ClamAV without ClamAV 
being twisted or bent to fit.  It plugs in and does its job, nothing 
more nothing less.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 2:02 PM, jef moskot wrote:
On Mon, 15 Nov 2004, Bart Silverstrim wrote:
...if you're going to start moving it into another direction, it may be
best to fork that and leave the original recipe alone until the new
direction...
I think you're overstating what the ClamAV team is trying to accomplish
here.  Forget the "slippery slope" and look at what they're actually
doing.
Since I don't know any of the developers and I don't know if any have 
commented on this aspect...we can let this part drop :-)  They'd have 
to answer that.

Personally I don't like the idea of protecting users from their own
stupidity...
As a sys admin, this is part of my job.  A large portion of my userbase is
unsophisticated, and a philosophical argument about why they need to learn
to protect themselves wouldn't fly with the boss.
Then that's your job description.  Some people are in the position 
where they need to coach users not to touch hot stovetops.  Others have 
users who resent it...ie, ISP customers.  They would not always 
appreciate having mail tampered with.

Again, I don't have any problem with Julian's basic premise, but I think
this discussion has shown that we can't even agree on what "social
engineering" means.
Getting a user to do something by merely tricking them?
Social engineering involves asking and posing as something you're not 
to get something.  If the message asks you to click something, you can 
ignore it or click it.  Either way the message is *harmless* in itself. 
 It is just text.  It can be saved, forwarded, scanned, whatever...it 
doesn't *run* anything, and it doesn't take advantage of an OS flaw.

It relies *entirely* on user stupidity.  "We're from your bank, and we 
have a database problem so we need you to verify your name, social 
security number, account number, how much money is in your checking 
account and your address at this handy website! CLICK HERE!" The 
message *does* nothing.  It relies on the user to do something, and 
it's entirely cross platform because there's no executable script or 
binary attachment.

If you want to argue "well, a virus tells you to click the icon in 
order to run,..." yes, that's social engineering.  It's also a binary 
attachment containing harmful code.

All squares are rectangles, but not all rectangles are squares.  
Viruses can use social engineering, but not all social engineering  
involves viruses.  I think he was referring to "the subset with the 
code right here...a blob of binary that if I run it it will infect my 
PC..." as technical.  The other is nothing but text, nothing but a 
fishing line asking the user to hook their finger.  It is no more 
dangerous than an email that gives detailed instructions on how to 
disable the safety on my microwave and stick my head in and start 
baking for 20 minutes because it gives a "real rush".  It's harmless 
until I'm stupid enough to go through the effort to hurt myself.  
That's purely social engineering.

Given that, maybe adding a flag that allows you to
ignore signatures with certain prefixes makes sense, but I don't see the
benefit of putting too much effort into being overly specific about the
specific path a virus takes from unsolicited e-mail to user hard drive.
After seeing the lengths users will go to to avoid learning something 
and how hard they work to hurt their systems sometimes, methinks the 
best thing to do is just whitelist email servers and block everything 
else at the rate we're going.  There's just too much to ask in the 
effort to protect users from themselves, and while some admins (I truly 
pity them) have that in their job descriptions (to protect people from 
themselves), I think there's only so much we can do and just so far we 
can go before it can be a detriment to the project we're discussing.

I find it interesting though that I've yet to hear from anyone 
commenting on my proposal to create a filter that will extract and 
convert all emails into pure text, or reformat it so only certain 
things can get through as an attachment with a pure text message so it 
would be "defanged" of scripts, web content, potential scripting 
exploits, etc...I'm honestly beginning to wonder how hard that would be 
to make and whether it may be of use for some sites.  Draconian, yet it 
would be extremely handy in stopping the maliciousness of viruses or 
spam tricks...dynamically rewriting all email to a "standard" format.

Anyone?  Does this already exist?  A prefilter thing...not halfway to 
the task, like using MIMEDefang, but a whole "here's the email stripped 
of HTML and in a standard format for the mail system" type filter...

-Bart
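The "defanging" prefilter Bart sketches in his reply to Dennis Skinner and asks about again just above (strip HTML to plain text, drop scripting, detach attachments and replace them with a plain URL on a pickup site) is easy to prototype with nothing but the Python standard library. The block below is an added example written for this archive; it is not Bart's code and not part of ClamAV, MailScanner or MIMEDefang. Assumptions: the pickup site base URL (`mail-pickup.example.invalid`) is hypothetical and only shows where the link would point, the stored-attachment token is just a truncated SHA-256 of the bytes, and the input message is constructed inline for the demonstration rather than a real capture.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Keep visible text, drop <script>/<style> bodies, expose link targets."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0      # > 0 while inside <script> or <style>
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "tr", "li", "h1", "h2", "h3"):
            self.parts.append("\n")
        elif tag == "a":
            self._href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "a" and self._href and not self._skip:
            # Print the real target next to the link text, so a deceptive
            # anchor ("verify your account" -> somewhere else) is visible.
            self.parts.append(f" <{self._href}>")
            self._href = None

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def html_to_text(html):
    """Convert an HTML body to plain text; hidden (display:none) text shows up too."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    lines = [re.sub(r"\s+", " ", ln).strip() for ln in "".join(p.parts).splitlines()]
    return "\n".join(ln for ln in lines if ln)


def _collect(part, texts, attachments):
    """Walk the MIME tree: text parts go to `texts`, everything else is detached."""
    if part.is_multipart():
        subparts = part.get_payload()
        if part.get_content_subtype() == "alternative":
            plain = [p for p in subparts if p.get_content_type() == "text/plain"]
            subparts = plain[:1] or subparts   # prefer the sender's own plain text
        for p in subparts:
            _collect(p, texts, attachments)
        return
    ctype = part.get_content_type()
    if part.get_content_disposition() == "attachment" or ctype not in ("text/plain", "text/html"):
        attachments.append((part.get_filename() or "unnamed", ctype,
                            part.get_payload(decode=True) or b""))
        return
    body = part.get_content()
    texts.append(html_to_text(body) if ctype == "text/html" else body)


def defang(raw, pickup_base="https://mail-pickup.example.invalid/get/"):
    """Return (plain-text EmailMessage, {token: (name, ctype, bytes)}).

    pickup_base is a hypothetical web front end where users fetch what was
    stripped; the token is the first 16 hex digits of the attachment's SHA-256."""
    original = email.message_from_bytes(raw, policy=policy.default)
    texts, attachments = [], []
    _collect(original, texts, attachments)

    clean = EmailMessage()
    for h in ("From", "To", "Cc", "Date", "Subject", "Message-ID"):
        if original[h] is not None:
            clean[h] = str(original[h])
    body = "\n\n".join(t.strip() for t in texts if t.strip())
    stored = {}
    if attachments:
        notes = ["-- attachments removed by the mail filter; fetch them here if needed --"]
        for name, ctype, payload in attachments:
            token = hashlib.sha256(payload).hexdigest()[:16]
            stored[token] = (name, ctype, payload)
            notes.append(f"{name} ({ctype}, {len(payload)} bytes): {pickup_base}{token}")
        body = body + "\n\n" + "\n".join(notes)
    clean.set_content(body)
    return clean, stored


def build_sample():
    """Constructed test message (not a real capture): HTML-only body with a
    script block, hidden text and a misleading link, plus an .exe attachment."""
    m = EmailMessage()
    m["From"] = "Account Services <alerts@bank.example.invalid>"
    m["To"] = "user@school.example.invalid"
    m["Subject"] = "Verify your account"
    m["Date"] = "Mon, 15 Nov 2004 12:43:00 -0500"
    m["Message-ID"] = "<constructed-0001@bank.example.invalid>"
    m.set_content(
        "<html><body><script>document.location='http://evil.example.invalid'</script>"
        "<p>Please <a href=\"http://evil.example.invalid/login\">verify your account</a>.</p>"
        "<p style=\"display:none\">cheap mortgage rates</p></body></html>",
        subtype="html")
    m.add_attachment(b"MZ\x90\x00fake-executable", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


if __name__ == "__main__":
    msg, stored = defang(build_sample())
    print(msg.as_string())
```

Run it and the rewritten message is a single text/plain part: the script is gone, the link text is followed by its real target in angle brackets, the "hidden" spam text becomes visible, and the executable is replaced by a one-line pointer to the pickup URL. A real deployment would sit in the delivery chain (a milter, procmail, or a MailScanner/MIMEDefang hook) and would have to decide what to do with the original attachment bytes, which this prototype only keeps in memory.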


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 2:41 PM, Ken Jones wrote:
Phishing poses a threat to your users. The line between malware and viruses
is a very grey one.
Phishing is a threat if they supply information.  How do you stop 
people from voluntarily giving information over?  Scan every mail for 
text or formatting that may look like it's asking for you to click a 
link and visit a site for inputting information?

That sounds like what SA does.  The phishing email doesn't do anything, 
doesn't carry an attachment that is dangerous, and doesn't carry a 
payload.  It's asking a user to do something foolish or takes advantage 
of their ignorance.  If I get an email from my friend asking for my 
credit card number and I email it to him and he spends a lot of my 
money, whose fault is it?  Or if I mail it and it bounce to an admin at 
a different site...whose fault is it when the information leaks?

Knowing two "friends" that have responded to phishing emails and what it
took afterwards to correct the problem ... they would beg you to remove
the possibility of this threat.
I would hope they now know not to trust these messages.  I've tried 
telling users not to do things before and some will anyway.  I can't 
guarantee anything about blocking it, only that I will try to keep SA 
updated enough to catch them.

The key here is not whether or not we should block these messages.  The 
discussion was about Clam having this added.  Philosophically, there 
are those who want it and those who don't.  You want more spam 
checking, alter your spam checker with SA to use all the rules and 
bayes the heck out of mail servers.  Use SPF.  Use reverse mapping.
Personally, I want Clam to fight viruses.  Focus on those, focus on 
doing it well.  If people want to improve fighting spam, contribute to 
SA and various rule sets that are out there, and not duplicate efforts.

Having cross-over of functionality can / is in many cases a good thing.
Then that is a philosophical difference...I'd rather not duplicate 
efforts on the same system.  Otherwise there's no reason to pretend it 
is a virus scanner...it's some mutant spirus scanner or malware 
detector.  Then there comes the slippery slope of what it should and 
shouldn't detect.  I'd rather just filter and rewrite every message to 
plain text and then we wouldn't need to worry about the viruses or 
malware, would we?  We'd make it more work for the users to go through 
the hassle of getting themselves into trouble.

The other day, a virus made it by clamav. It made it past McAfee on the
users machine. By the time they opened the mail and it started spamming
the network with email, clamav had updated their defs and it was stopped.
It took a few more hours before McAfee had a new defs file out. In this
case, multiple virus scanners was a good thing.
Multiple fronts are fine. BUT you are running multiple virus scanners.  
Run multiple spam slammers if that's your prerogative.  But I'd rather 
have a virus scanner that scans for viruses and a spam filter that 
filters for spam without needing to overlap the two.  A virus scanner 
for viruses, a spam filter for spams; if it works well, keep it.  If it 
doesn't, yank that module/program and put in another.  I am looking for 
a good virus scanner, not a good virus scanner that is also a mediocre 
spam blocker and may or may not complicate the flow of mail by adding 
different headers or putting it into a different quarantine folder when 
users ask where a message from "x" went because it was incorrect.  You 
have the sig for a particular spam?  Send it to the SA team.

Please don't think I am saying I want clamav to become a spam filter as
well, but adding in the sigs for items like the phishing mail I think is
great.
I think it's heading down a road that leads to losing focus for the 
team.  Ultimately though it's their call :-)

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:27 PM, Dennis Skinner wrote:
Dave Goodrich wrote:
My preference has been stated. I would prefer SpamAssassin do the 
puzzle solving of message bodies, headers, URI lookups, message 
obfuscation, etc and let ClamAV do the signature matching of 
attachments.
SA uses many more resources than ClamAV.  Clam is going to scan the 
msg anyway.  The more dangerous email I can reject before it gets to 
SA, the better, IMO.
That implies you're going to have it go through SA anyway.  Why not 
have Clam scan for every known spam and see how many resources it 
starts to take up on top of what used to be just scanning for known 
viruses?

SA has been asked about viruses.  They say "that's viruses...use clamav 
or some other AV.  We do spam."  Why move the project into their 
territory?

If these are known spam, known attacks, it would already be in SA's 
arsenal.  Or if it's already known put it through procmail recipes to 
reject before it hits SA.

Wouldn't these also work?
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:39 PM, Kevin W. Gagel wrote:
If I could use a single package to virus scan, spam scan and
protect my users and company against phishing attacks then I
would gladly use it (provided of course it was reliable).
If I could use one operating system free from most bugs and glitches 
and flaws that allow exploits to run by viewing messages, and uses junk 
filtering that is 99.9 percent accurate and effective against spam, 
adware, and viruses, I'd use it.

Problem is it doesn't exist.  Well, actually, what I'm using is pretty 
close...OS X with Mail.app's junk filter.

I think the programers that volunteer their time to the
clamav project have done an excellent job of providing an
opensource alternative to high priced slow updates and poor
service "paid for" packages.
Most heartily agree.
I bet they are more than
qualified to gradually add scanning for any threat. All the
framework is in place for them to add it so in my view "why
not?".
I'm not on the team so I can't comment, but I can say I've seen plenty 
of examples of projects having one focus, shift it to add 
functionality, and in the process losing focus and adding security 
problems and bugs.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:41 PM, <[EMAIL PROTECTED]> wrote:
Bart Silverstrim wrote:
I find it interesting though that I've yet to hear from anyone
commenting on my proposal to create a filter that will extract and
convert all emails into pure text, or reformat it so only certain
things can get through as an attachment with a pure text message so it
would be "defanged" of scripts, web content, potential scripting
exploits, etc...I'm honestly beginning to wonder how hard
that would be to make and whether it may be of use for some sites.
Microsoft SMTP Server allows this via CDO.Message
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_imessage_htmlbody.asp

"When... you set the HTMLBody property, Microsoft Collaboration Data  
Objects (CDO) automatically sets the TextBody property to the plain  
text equivalent."
Ironically it's MS's interpretation of HTML that usually leads to  
problems... :-)



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 5:35 PM, Nigel Horne wrote:
On Monday 15 Nov 2004 9:23 pm, Bart Silverstrim wrote:
Since I don't know any of the developers
You can find our names in .../AUTHORS.
-Bart
-Nigel
Well...I still don't *KNOW* you :-)
Nice to kinda sorta meet you though.  You and the rest of ../AUTHORS 
are doing a wonderful job with ClamAV, BTW :-)

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:44 PM, Dave Goodrich wrote:
Bart Silverstrim wrote:
I find it interesting though that I've yet to hear from anyone 
commenting on my proposal to create a filter that will extract and 
convert all emails into pure text, or reformat it so only certain 
things can get through as an attachment with a pure text message so 
it would be "defanged" of scripts, web content, potential scripting 
exploits, etc...I'm honestly beginning to wonder how hard that would 
be to make and whether it may be of use for some sites.  Draconian, 
yet it would be extremely handy in stopping the maliciousness of 
viruses or spam tricks...dynamically rewriting all email to a 
"standard" format.
Anyone?  Does this already exist?  A prefilter thing...not halfway to 
the task, like using MIMEDefang, but a whole "here's the email 
stripped of HTML and in a standard format for the mail system" type 
filter...

I was listening ;^) and I like the idea. I am highly in favor of all 
ascii email, not even attachments. The enormous amount of bandwidth I 
could regain would be a money saver.

I would have to look, but given the amount of customization I've been 
able to do already I would think MailScanner could do this, if not get 
darn close to it.
I'd love a program that can be daemonised so I could use it to filter 
incoming mail as a pre-filter...ESPECIALLY from the bloody Exchange 
server.  Talk about mangling.

If there was an easy way to do this I'd love to do it.  If it could 
reformat incoming mail to eliminate top posting as well I'd probably 
pay the developer to do it :-)

-Bart


Re: [Clamav-users] Good job ClamAV team!

2004-11-16 Thread Bart Silverstrim
On Nov 16, 2004, at 12:52 PM, Minica, Nelson (EDS) wrote:
1024 viruses blocked in the last month (after 152,000 emails blocked 
by RBL's,etc)
 68 were phishing attacks my users appreciated not seeing
 Then SpamAssassin flagged 1500 and Mimedefang removed 1300 
attachments…

Overlapping products and multiple lines of defense are a great idea.  
I'd much rather have overlap than "underlap".  :)
Although I agree with the subject line sentiment, I thought the 
discussion/argument/etc. over philosophy and ideas was declared over 
and pointless?



Re: [Clamav-users] Are we safe - WORM_BAGLE.AZ

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:13 AM, <[EMAIL PROTECTED]> wrote:
Craig Daters
Wow, that was some time ago, and TrendNet is only just now putting out
an update! That's scary!
Thanks Trog
What concerns me (if it is true that ClamAV has detected this specific
variant since November) is that ClamAV is not performing due diligence
and sharing samples to protect users of other products on the Internet.
AV teams working together is a good thing, and I personally share all of
my samples with over 20+ AV vendors.
I know there are lots of people that keep sharing samples.  ClamAV is 
blocking them from our mail server every day.

And AV teams do NOT necessarily share their samples all the time.  
Otherwise they lose their competitive edge over one another (and you 
wouldn't find disparate names and number of detected viruses among 
different vendors).

Last, if they want to get to Clam's signatures, it's open source...I'm 
sure they can (and probably do) get updates of Clam's database.   It's 
not the ClamAV team's responsibility to help boost some other company's 
profit margin.

-Bart


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:25 AM, Damian Menscher wrote:
There was a discussion about this several months ago.  Unfortunately, 
many people (including part of the signature-generation team) are too 
dogmatic about their feelings that "phishing is bad, so we should 
block it" to look at it logically.
Can I submit win.com for inclusion as a signature? :-)

-Bart


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:33 AM, Tomasz Kojm wrote:
No problem. As a bonus we will create a signature for your domain name
;-)
Just kidding!  Honest!  I'd NEVER think of having Windows thought of as 
a virus... :-)



Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 11:29 AM, Tomasz Kojm wrote:
On Thu, 27 Jan 2005 11:27:00 -0500
Adam Tauno Williams <[EMAIL PROTECTED]> wrote:
Just my two cents - I agree with the other guy.  CLAM should block
virii and worms, and leave SPAM to something else.  Just think of the
Phishing IS NOT spam! Is that really so hard to understand?
As I understand it, it doesn't execute code on the computer or spread to 
other systems without intervention either.

This entire thread is degenerating...it was hashed and rehashed 
already.  The ultimate decision goes to the Clam developers, and I 
believe they already decided it.  Everything that's bad would be 
blocked, so end users could live with it or use a different product.  
Our Windows computers are slowly being migrated to static images using 
Deep Freeze, and if users decide to hand out their bank account info 
without stopping to think that maybe they shouldn't give out sensitive 
information we couldn't really stop them.

I would have thought it would be more of a burden eventually to keep up 
with HTML messages going out to people asking for info along with the 
binary executables containing viruses so the scanner could catch them 
both, but oh well.  Maybe the UNIX-ish philosophy of specialized 
applications working together to accomplish goals is giving way to the 
more common Windows throw-everything-together mindset.  Maybe it's 
overlapping jobs.  This is certainly the way commercial AV's go about 
it now.  I've seen all sorts of hits on crap from the web cache on 
Windows machines...why?  Because the AV is hitting stuff the latest 
update to Spybot is hitting now.  And Ad-Aware/Spybot/etc. are hitting 
some mail viruses.  But it doesn't matter.  The Clam people made their 
decision, and the end user benefits from it, even if it does overlap 
with other systems in place for guarding against phishing/spam.  If a 
developer really resents it, they could fork the project.  Personally, 
I see having three programs doing the same thing as just bloat; 
phishing is annoying, hit delete or configure the spam filter to get 
it.  Others see it as having three systems increasing the chances of 
catching new crap as it comes out.  I'm tired of fighting with it and 
tired of the "administrators" who never turn off their collateral 
damage-causing "you sent me a virus!" notifications.  End users don't 
see any difference though, so companies pander to this mindset of 
protecting people from all that's potentially bad, period.

Regardless, if the developers wish to get input from users on the issue 
and are considering it one way or the other, then maybe a thread like 
this would be useful.  As it stands, discussing it again accomplishes 
nothing, and will inevitably lead to flames and arguments that 
still...accomplish...nothing.  Except sarcastic comments like mine 
about submitting win.com as a signature.

If all this crap has evolved to the point where 
spyware/trojans/phishing/spam are now one thing (magical MalWare!  
Software that's just *bad!*), then maybe someone should come up with a 
new email network that can truly work so we don't get this junk 
anymore, period.  Email was never meant for the five meg "look at the 
pictures!" attachments.  It wasn't meant for emailing programs to one 
another.  Does it really need to be a proxy for web pages by emailing 
people all this html-formatted crap that makes dancing images appear 
while compromising Explorer?  We can't even get people to stop with top 
posting or formatting email in a way that makes it easy to read, 
without twenty embedded sigs or munged headers.  We even have these 
sigs saying that the contents of the message are confidential meant 
only for the named recipient and if you get it in error...huh?  I 
already read the message!  What good is that?!  It's not even been 
tested in the courts as binding!  Why are you wasting ten lines of 
space at the end of every message telling me this?? It's the EULA of 
email...no one even reads them anymore.  Start an email network that 
uses clients with embedded encryption.  Voila', no more accidental 
reading.  Even makes it safer in transit.

Whew...I'm going to go lay down before I have an aneurysm.


Re: [Clamav-users] Very good (short) Article on New Technique by Virus Authors

2005-01-31 Thread Bart Silverstrim
On Jan 31, 2005, at 1:35 PM, Sam wrote:
Came across this and thought many of you may enjoy it.
http://www.eweek.com/article2/0,1759,1756636,00.asp? 
kc=ewnws013105dtx1k599
Is it better than the previous one I didn't think we'd ever see as  
working?

Write virus
email to random people with subject line "Run me!"
infect!
repeat...
:-)


Re: [Clamav-users] clamav on gateway + sniffer to intercept mail attachments

2005-02-16 Thread Bart Silverstrim
On Feb 16, 2005, at 3:13 PM, vaida bogdan wrote:
Hi, I use postfix+mailscanner on my mail server to block a lot of
virii coming from my internal network. I would like to implement a
solution to block virii traffic on the internal gateway. The network
looks like this:
WIN-
WIN-   GW1-   -MAIL SERVER-   -GW2
WIN-
One WIN is infected but I don't know which of the 30 computers on the
network. I receive virused attachments on the MAIL SERVER from the
GW1's ip. WIN are on the internal network.
My first idea would be to extract mail traffic passing through the
gateway in mbox format and scan it with clamav. I'm looking for better
ideas/implementations. Also, please tell me which tool I should use
to sniff mail on GW1 or if there is a better solution.
ethereal or ettercap are my favorites for packet sniffing on UNIX 
systems.

Sometimes you can see things by sniffing traffic and see what machine 
is sending a lot of ARP queries for seemingly random IP's.

I found one infected system on our network once by seeing a huge number 
of cached routes on our Linux Squid gateway for a client computer.



Re: [Clamav-users] virus incident response?

2005-02-17 Thread Bart Silverstrim
On Feb 16, 2005, at 7:04 PM, John Madden wrote:
In any case, Clam is a user supported project. ALL viruses are submitted by
end users. So, the only way response will get any better is if you submit
new viruses you receive that get by clam.

It's not going to 'improve' any other way.
Well, that'd be my assumption as well.  What I'm poking for is the
potential for a means of making the process more formalized, like having a
team of officials per continent who volunteer to be on the spot for given
hours of the day?  Are [vendor] forums where outbreaks are discussed?
Does anyone watch releases from the major vendors to be able to develop
signatures for ClamAV?  Things like this have probably been mentioned
before, I suppose.

If ClamAV is to compete with companies who do nothing but develop virus
signatures, I would think we'd have to find a way of tapping into the same
resources or methodology somehow.
They get samples submitted or they arrive at their honeypots, they  
disassemble them, and integrate them into their signature databases.

Try searching for how long commercial vendors do updates.  I typically  
get updates every couple of hours from ClamAV, and have been extremely  
pleased with the timeliness of their updates.  Other vendors are NOT  
necessarily ahead of Clam.

Read up on it for some examples.
http://www.av-test.org/down/papers/2004-02_vb_outbreak.pdf
http://www.dslreports.com/forum/remark,12249908~mode=flat~days=~start=20

There is a wide variation in vendor releases and their updates are not  
immediate to threats.

Timing is everything -- we don't have
to be the first, but we have to beat the outbreak.
There's always someone infected "first" and there's always more people  
getting infected in the time between discovery, analysis, updates,  
dispersing the update...

If you're in a situation where this is a gargantuan problem, run  
multiple AV's on your system.  Educate your users about checking email  
frequently and keeping their AV's up to date, use mime-defang, don't  
accept messages with executables attached...greatly restrict what can  
be attached to incoming messages and you have most of the battle won  
there.



Re: [Clamav-users] Report Phishing attacks?

2005-03-21 Thread Bart Silverstrim
On Mar 21, 2005, at 1:20 PM, Brian Morrison wrote:
On Mon, 21 Mar 2005 18:07:31 +0100 in
[EMAIL PROTECTED] "Julian Mehnle"
<[EMAIL PROTECTED]> wrote:
Matthew van Eerde wrote:
Sounds like a feature request to me... "can we have a user.cvd file"
(in addition to main.cvd and daily.cvd)
Probably more like: can we have 'technical-threats.cvd' and
'non-technical-threats.cvd' instead of 'main.cvd'?
You don't give up do you?
Worked for Buzz Lightyear...
-Bart
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 21, 2005, at 5:10 PM, Brian Morrison wrote:
On Mon, 21 Mar 2005 20:06:02 +0100 in
[EMAIL PROTECTED] "Julian Mehnle"
<[EMAIL PROTECTED]> wrote:
Brian Morrison wrote:
Julian Mehnle wrote:
Probably more like: can we have 'technical-threats.cvd' and
'non-technical-threats.cvd' instead of 'main.cvd'?
You don't give up do you? ;-)
Not until someone convincingly explains to me why my request for a
practical option to distinguish between technical and non-technical
threats (i.e. exploitation of technical flaws in software vs.
exploitation of end-user naiveté) is inappropriate.
I'm not commenting on your correctness, merely on your staying power.
For a moment I thought this was spam...


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 6:35 AM, Dennis Davis wrote:
On Tue, 22 Mar 2005, Rob MacGregor wrote:
From: Rob MacGregor <[EMAIL PROTECTED]>
To: ClamAV users ML 
Date: Tue, 22 Mar 2005 09:58:17 +
Subject: Re: [Clamav-users] Report Phishing attacks?
Reply-To: ClamAV users ML 
On Mon, 21 Mar 2005 17:01:48 -0400, Samuel Benzaquen 
<[EMAIL PROTECTED]> wrote:
I can also say that they don't want to compete against
commercial AV vendors as I have read here 2^32 times that we
should use not _only_ clamav, but a list of AVs to improve the
chances to catch malware.
Best practice for security always involves defence in depth.
Basing all your protection on a single AV product, given that
*none* of them are 100% effective, would be short sighted (and
particularly given the current spate of attacks on AV products).
I believe this is what the commercial anti-virus company,
MessageLabs, does.  When I spoke to them a few years ago, they had
licenses for five anti-virus products.  Messages were fed through
the three they considered the best.
You're saying a commercial AV vendor is using competitor's AV products 
in addition to their own to protect their systems?



Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 4:58 AM, Rob MacGregor wrote:
On Mon, 21 Mar 2005 17:01:48 -0400, Samuel Benzaquen 
<[EMAIL PROTECTED]> wrote:
I can also say that they don't want to compete against commercial AV 
vendors
as I have read here 2^32 times that we should use not _only_ clamav, 
but a
list of AVs to improve the chances to catch malware.
Best practice for security always involves defence in depth.  Basing
all your protection on a single AV product, given that *none* of them
are 100% effective, would be short sighted (and particularly given the
current spate of attacks on AV products).
Personally, my gripe is that the product is called ClamAV.  If it's 
expanding its mission to protect people from everything called 
"malware", I'd change the name to something that indicates it's a 
malware detector and not a virus detector.  Phishing scams are *not* 
viruses.  Maybe change its name to ClaMal.  It'll make the O'Reilly 
book cover look interesting, too.

But this would probably never happen.  *shrug*


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 8:05 AM, Dennis Davis wrote:
On Tue, 22 Mar 2005, Bart Silverstrim wrote:
From: Bart Silverstrim <[EMAIL PROTECTED]>
To: ClamAV users ML 
Date: Tue, 22 Mar 2005 07:40:18 -0500
Subject: Re: [Clamav-users] Report Phishing attacks?
...
I believe this is what the commercial anti-virus company,
MessageLabs, does.  When I spoke to them a few years ago, they
had licenses for five anti-virus products.  Messages were fed
through the three they considered the best.
You're saying a commercial AV vendor is using competitor's AV
products in addition to their own to protect their systems?
They aren't, as far as I'm aware, a commercial AV vendor.  Instead
they offer a managed email service which provides anti-virus and
anti-spam facilities.  See:
http://www.messagelabs.com/
for details.  Note that:
http://www.messagelabs.com/services/antivirus/detail/default.asp#features

includes:
  Anti-Virus combines Skeptic's predictive technology with multiple
  commercial scanners to detect and combat against viruses entering
  and leaving your organization
Oops! My bad :-)
Thanks for the info!


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 9:43 AM, BitFuzzy wrote:
Bart Silverstrim wrote:
Personally, my gripe is that the product is called ClamAV.  If it's 
expanding its mission to protect people from everything called 
"malware", I'd change the name to something that indicates it's a 
malware detector and not a virus detector.  Phishing scams are *not* 
viruses.  Maybe change its name to ClaMal.  It'll make the O'Reilly 
book cover look interesting, too.

But this would probably never happen.  *shrug*

I can't believe this is still going on! This got old "fast" the last 
time it was discussed.

This isn't about detecting messages concerning Viagra, or getting 
27,000,000 by helping some yutz in Nigeria.

The way I see it, any item regardless of its delivery method that has 
the potential to do harm financially or otherwise should be stopped 
(IMHO) by the AV.
These messages are running out of control. They are clever, and when 
used in conjunction with their associated websites are very hard to 
identify from the real thing.

ClamAV isn't the only agent that detects "Phishing" attempts. McAfee, 
PcCillin, etc. detect these attempts; why would anyone expect ClamAV to 
do less?

I may be thinking of something else here, but if memory serves the dev 
team will be providing a method for you (or anyone) not wanting these 
detected, to disable it.

and with that the debate should be ended.
Please, calm down.  I wasn't arguing one thing or the other.  I just 
expressed an opinion.  Why should it be that just because you don't 
like to hear the opinion that anyone who shares it must "shut up", when 
this list is monitored by people who may or may not want feedback from 
the users?  You're implying that I should shut up with my opinion then 
you go on to express your own.  Geez.

I wasn't even saying disable it.  I had said, consistent with the 
participation in the past mail list war, that if ClamAV were going to 
start detecting non-virus attacks and stop things that were aimed at 
people who should generally know better by now than to fall for 
scammers and baiters, then it would be better aesthetically if you 
didn't advertise as an anti-VIRUS and instead as an anti-MALWARE 
program, as that is what it was migrating its role to.  Saying the 
neighbors are doing the same thing doesn't help either, since I've 
griped about that as well.  If you're a malware detector, do the search 
engines a favor and advertise the program as such.  It's bad enough 
that people are sloppy with terminology and concepts go way over users' 
heads without making it worse by contributing to the fuzzy definitions.

No debate.  Opinion.  As I also stated in the past it's ultimately up 
to the developers.  Getting a bug up your butt about it will only give 
you a stroke or heart attack.  I'm not a developer and lack the skill 
to fork the project and even if I could, I lack the resources to host 
it...so I use what the developers offer.  They do a very good job in 
the first place.  Doesn't mean I don't differ in opinion once in a while 
with how things are done, but oh well!



Re: [Clamav-users] Can phishing be considered one kind of spam ?

2005-04-15 Thread Bart Silverstrim
On Apr 15, 2005, at 9:39 AM, Joanna Roman wrote:
Can phishing be considered one kind of spam ?
Please no...please please no


[Clamav-users] false hits

2005-04-15 Thread Bart Silverstrim
Hello all...
Question...I recently tried booting up with the Ultimate Boot CD that 
included INSERT Linux as one of the images.  I booted to INSERT, ran 
freshclam, then proceeded to scan a hard disk on which Windows 98 was 
installed.  I had a number of hits showing up within the Windows/system 
directory.  A subsequent scan with a standalone utility from an AV 
vendor showed no sign of the viruses in that directory.

I was wondering if someone else could reproduce these hits to confirm 
that I wasn't dreaming this up...I'd submit the false hits, but the 
system has since been wiped to install NT and I didn't want to try 
extracting those files from the hard disk and sending them in if other 
people could get the same results.  These appeared to be regular 
Windows DLLs that it was getting hits on...

Thanks,
-Bart


Re: [Clamav-users] false hits

2005-04-15 Thread Bart Silverstrim
On Apr 15, 2005, at 10:45 AM, BitFuzzy wrote:
Bart Silverstrim wrote:
I had a number of hits showing up within the Windows/system directory.
Heh, didn't Norton detect windows as a virus at one time?
I remember there was something that reported Windows as a virus.  I 
thought it was some old AV that was made for OS/2.  The Clam team 
doesn't have a sense of humor...they refused my offer to send Win.com 
in for a signature addition :-)

A subsequent scan with a standalone utility from an AV vendor showed 
no sign of the viruses in that directory.
This doesn't necessarily mean anything.
What I would do is do a online scan (I highly recommend 
http://housecall.trendmicro.com)
If you are indeed compromised, there's a chance your AV may be as well
Hope not.  It was a standalone bootable utility to scan hard disks for 
viruses (well, I used the ultimate boot disk to boot to FreeDOS to run 
the scan).  The Clam scan session was also done from a bootable CD with 
the latest definitions.

I do agree with the online scanner, I often use it.  This was more of a 
scanning-an-odd-acting-system that probably had some form of corruption 
before we formatted and reinstalled an OS.

I was just wondering if anyone else had resources to try running the 
scan via a bootable Linux CD (like the INSERT CD) and scan a Windows 
system to see if they were getting oddball false hits.  I just 
dismissed the results initially because it seemed from my many lurking 
sessions (and participation sessions) in the mailing list that Clam was 
and is primarily a mail scanner aimed at getting mail viruses, not the 
"old school" viruses like Brain...perhaps the signatures were just 
picking up oddball patterns on the drive and misreporting it.

I miss the old days when there was a clear delineation among viruses 
and malware and just plain social engineering hoaxes and whatnot. Today 
it's just getting easier for administrators to simply label every file 
that's not approved as unrunnable and do away with AV.  The best move 
we've been taking in months is to adopt Deep Freeze on systems.  Go 
ahead and infect it...we reboot, the infection goes away, along with 
all the chaff and crud that the users have carelessly installed. :-)



Re: [Clamav-users] false hits

2005-04-15 Thread Bart Silverstrim
On Apr 15, 2005, at 12:54 PM, Tomasz Kojm wrote:
On Fri, 15 Apr 2005 09:53:11 -0400
Bart Silverstrim <[EMAIL PROTECTED]> wrote:
Hello all...
Question...I recently tried booting up with the Ultimate Boot CD that
included INSERT Linux as one of the images.  I booted to INSERT, ran
freshclam, then proceeded to scan a hard disk on which Windows 98 was
installed.  I had a number of hits showing up within the
Windows/system  directory.  A subsequent scan with a standalone
utility from an AV  vendor showed no sign of the viruses in that
directory.
Make sure your INSERT Linux contains the latest stable version of 
ClamAV
(0.83). There were some issues with MS05-002 exploit detection in 0.82.
Good point...I don't know what version it was.  It is the default with 
the latest version of UBCD...



Re: [Clamav-users] possible new virus?

2005-04-19 Thread Bart Silverstrim
On Apr 19, 2005, at 1:56 PM, Daniel J McDonald wrote:
On Tue, 2005-04-19 at 11:52 -0600, lists wrote:
How should I submit this to see if it is a virus?
Make certain detectbrokenexecutable is enabled.
Stupid question but I thought I might as well ask anyway...going in on 
my own system to enable this option, I saw the following above it:

# By default clamd uses scan options recommended by libclamav. This option
# disables recommended options and allows you to enable selected ones below.
# DO NOT TOUCH IT unless you know what you are doing.
# Default: disabled
#DisableDefaultScanOptions

Do I want to remove the hash before DisableDefaultScanOptions in order 
to get the

# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: enabled
#ScanPE
ScanPE

# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: disabled
#DetectBrokenExecutables
DetectBrokenExecutables
sections to work?


Re: [Clamav-users] possible new virus?

2005-04-19 Thread Bart Silverstrim
On Apr 19, 2005, at 2:24 PM, Kelson wrote:
Bart Silverstrim wrote:
Do I want to remove the hash before DisableDefaultScanOptions in 
order to get the

sections to work?
No.  This was discussed yesterday.  There are options that are enabled 
by default, and DisableDefaultOptions wipes those and gives you a 
clean slate.  You don't need it -- or want it! -- if you just want to 
enable additional features on top of the defaults.
Okay.  From the sounds of that section you needed to enable it (remove 
comment hash) in order for the features following that statement to 
work.  Do you know what the thread topic was where this was discussed?


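As an added example (not code from the ClamAV project or from anyone on this list), a small checker for the pitfall Kelson describes: it reads a clamd.conf fragment, works out which scan options would actually be in effect, and warns when DisableDefaultScanOptions is uncommented. The only default-enabled option it knows about is ScanPE, because that is the only one shown in the quoted config, and the function names are mine.

```python
"""Added example: effective-option check for a clamd.conf fragment.

Not code from the ClamAV project or from the list posts; the function
names are hypothetical. It models the behaviour described in the thread:
uncommenting DisableDefaultScanOptions discards libclamav's recommended
defaults, so options such as ScanPE silently turn off unless re-enabled."""

# Options the quoted clamd.conf marks "Default: enabled". Assumption: only
# ScanPE is listed because it is the only default-enabled option on the page.
DEFAULT_ENABLED = {"ScanPE"}

# Values that explicitly switch a boolean option off when given.
OFF_VALUES = {"no", "false", "0", "off"}


def active_options(conf_text):
    """Return {option: value} for every uncommented directive in the text.

    A bare option name (no value) counts as enabled, which is how the
    0.8x-era clamd.conf quoted in the thread expresses boolean switches."""
    active = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        parts = line.split(None, 1)
        active[parts[0]] = parts[1].strip() if len(parts) > 1 else None
    return active


def effective_scan_options(conf_text):
    """Compute the scan options clamd would end up with, plus warnings.

    Returns (enabled_set, warnings_list)."""
    active = active_options(conf_text)
    explicit_on = {
        name for name, value in active.items()
        if value is None or value.lower() not in OFF_VALUES
    }
    explicit_off = set(active) - explicit_on
    warnings = []
    if "DisableDefaultScanOptions" in explicit_on:
        # Clean slate: nothing is on unless this file names it explicitly.
        enabled = explicit_on - {"DisableDefaultScanOptions"}
        for lost in sorted(DEFAULT_ENABLED - enabled):
            warnings.append(
                f"DisableDefaultScanOptions is set but {lost} is not "
                f"re-enabled; {lost} will be OFF"
            )
    else:
        # Normal case: extra options stack on top of the defaults, and an
        # explicit "no" still turns a default off.
        enabled = (DEFAULT_ENABLED - explicit_off) | explicit_on
    return enabled, warnings


# Constructed fragments mirroring the two choices discussed in the thread.
# Leaving DisableDefaultScanOptions commented and uncommenting
# DetectBrokenExecutables is what Kelson recommends.
RECOMMENDED = """\
#DisableDefaultScanOptions
#ScanPE
#DetectBrokenExecutables
DetectBrokenExecutables
"""

# Uncommenting DisableDefaultScanOptions "to make the section work" is the
# mistake the question asks about: ScanPE is lost without any notice.
MISTAKEN = """\
DisableDefaultScanOptions
#ScanPE
DetectBrokenExecutables
"""

if __name__ == "__main__":
    for label, text in (("recommended", RECOMMENDED), ("mistaken", MISTAKEN)):
        enabled, warnings = effective_scan_options(text)
        print(label, sorted(enabled), warnings)
```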

Re: [Clamav-users] Maybe a virus Sober.P

2005-05-04 Thread Bart Silverstrim
On May 4, 2005, at 11:12 AM, Nigel Horne wrote:
On Wednesday 04 May 2005 16:02, [EMAIL PROTECTED] wrote:
.  If you have received this
communication in error, please notify me immediately by telephone or 
fax
But you haven't given your telephone and fax number, so how can you 
expect
anyone to do that?
I've always wondered...why do people put confidentiality notices saying 
"if this is not meant for you, erase it, yadda yadda..." at the END of 
the message, so you already know what you're not supposed to know?

I mean, they do know that these "disclaimers" haven't been tested in 
court, but if they were...they'd probably not hold water?

So far the disclaimers only seem to add cruft for people to resend if 
they top post their messages, and make the message a little harder to 
parse. :-)



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 8:02 AM, Matt Fretwell wrote:
Daniel J McDonald wrote:
as it is harder to scan those messages for viruses
 Nonsense. Mail is mail. If you are running a mailserver, it should be
able to cope with all types of mail, irrelevant of (creation|submission)
method.
But...if they're using webmail, it bypasses your mail server.  It would 
entirely depend on how "up to date" the webmail company's scanner is 
and the virus scanner on your user's desktop is...unless you're using a 
web proxy with malware scanner.



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 9:40 AM, Dennis Peterson wrote:
Bart Silverstrim said:
On May 5, 2005, at 8:02 AM, Matt Fretwell wrote:
Daniel J McDonald wrote:
as it is harder to scan those messages for viruses
 Nonsense. Mail is mail. If you are running a mailserver, it should be
able to cope with all types of mail, irrelevant of (creation|submission)
method.
But...if they're using webmail, it bypasses your mail server.  It would
entirely depend on how "up to date" the webmail company's scanner is
and the virus scanner on your user's desktop is...unless you're using a
web proxy with malware scanner.
My webmail is configured to use our standard smtp servers for all
inbound/outbound mail. It really isn't all that difficult.
My understanding was that we were talking about people accessing Yahoo 
or Hotmail from work, not your own internal mail servers with a grafted 
webmail interface.



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 10:45 AM, Matt Fretwell wrote:
Bart Silverstrim wrote:
My webmail is configured to use our standard smtp servers for all
inbound/outbound mail. It really isn't all that difficult.
My understanding was that we were talking about people accessing Yahoo
or Hotmail from work, not your own internal mail servers with a 
grafted
webmail interface.

 Actually it was Nigel, I believe, who suggested using a webmail system to
one poster. It was not regarding explicit webmail servers, rather, just
generic examples were given.

 Dennis was merely pointing out how one of those systems should be set up
correctly. It is not a mailserver with a 'grafted' interface. It is a
webmail system that correctly submits mail in a safe and secure fashion,
to a MTA, in a way good systems should be designed.
My understanding is that it sounded like the original discussion was 
someone with the idea of "phil in HR is reading his email from yahoo, I 
have no control over yahoo, and phil downloaded a virus from their 
email service before they had their AV set up to catch it" (purely made 
up example).  Someone else is chiming in with the understanding that 
phil is reading email from the in-house mail server using the in-house 
web interface front-end, and got a virus because we don't do antivirus 
on the web server handling the mail content for in-house mail.  This is 
actually two separate scenarios.

To which someone replied that in a *PROPER* network that is *well 
managed* this isn't a worry because we block all external mail hosts 
and use a proxy for web traffic that tests content going over it for 
malware, in addition to virus scanning desktops and servers and , to which in my head I 
dreamed a few moments about what it would be like to be a true BOFH on 
our network and have the power...political power...to get away with 
locking people out of their favorite web sites despite outranking me in 
the org chart and what it would be like to not have to deal with the 
politics of XYZ not being able to get their content completely rendered 
because of some glitch of interaction between the proxy and scanner and 
the website they're trying to get forms from.  Ahhh to dream a little 
dream!



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 2:38 PM, Matt Fretwell wrote:
Bart Silverstrim wrote:
This is actually two separate scenarios.
 That was Daniel's fault instigated by his being vague :)
"Now, a clever man would put the poison into his own goblet, because he 
would know that only a great fool would reach for what he was given. I 
am not a great fool, so I can clearly not choose the wine in front of 
you. But you must have known I was not a great fool, you would have 
counted on it, so I can clearly not choose the wine in front of me. "  
Bonus points if you identify what it's from :-p

to which in my head I dreamed a few moments about what it would be like
to be a true BOFH on our network and have the power...political
power...to get away with locking people out of their favorite web sites
despite outranking me in the org chart and what it would be like to not
have to deal with the politics of XYZ not being able to get their
content completely rendered because of some glitch of interaction
between the proxy and scanner and the website they're trying to get
forms from.  Ahhh to dream a little dream!
 Tell the accountants they can save money by locking down a network. You
would be amazed how quickly things happen :) Plus, they get all the
stick from irate users|management :)
Nope, doesn't work that way.  User complaints and convenience are 
balanced against us.



[Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
What is the current database version from freshclam for people out 
there?  I've been getting a huge number of bounces with german 
subjects, addressed to people with usernames beginning with 3d (just 
starting to investigate what is going on with this...) but the past few 
freshclam runs have shown nothing new.

Current output:
# freshclam
ClamAV update process started at Mon May 16 08:24:30 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 879, sigs: 1282, f-level: 4, builder: tkojm)

Platform is FreeBSD, using ClamAV from ports.
-Bart


[Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
Some more info...
I see in our amavis logs on our ClamAV system (postfix pre-filter 
FreeBSD for email) this kind of listing...
/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), <[EMAIL PROTECTED]> -> >, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0

That address had been hammering us over and over for awhile with 
sober.p.  Now it's become quiet.

I notice a huge amount of german messages coming in, getting past the 
AV and our spam filter.  I went into the Exchange server and there was 
one sample message in one of the recipient mailboxes with the following 
in the headers:

Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])

The message has the German subject line and the text appears to be just 
a link to a website...?

Perhaps we now know what happened to sober.p?
(anyone know offhand how to use the access file for postfix to reject a 
message by *sender* instead of recipient?)



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
I am also getting inundated with German gibberish spam. Would you mind
explaining the significance (if any) of the email address that you  
posted? I
am finding that the German Gibberish garbage is spoofing a different  
email
address with each posting.
I'm new to the sleuthing aspect, so forgive me if I'm offbase  
here...(education/explanations always welcome!  Plus it's made harder  
because the messages I have to work with are on a Unix system and  
mangled headers off an Exchange final destination)

I know that usually they alter the headers and spoof (viruses, that is)  
but I thought it strange that we've been hammered by sober.p with that  
same address showing up over and over again in our amavis logs :
# grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
16546

Usually it should vary things, I'd think.  But then one of the first
German gibberish messages I had found in a mailbox had the following
right in the header:
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
Coincidence?  The first set I grepped was the IP of Sober.P's being
stopped at the bastion server over the past couple of weeks, looking for
that specific IP name.  The second was a sample German message that
managed to find its way to the administrator mail account on the
Exchange server.

I mean,...spoofing I understand, and expect...but is it really  
coincidental that these just happened to hit that IP?  That's why I  
wondered if maybe there wasn't a link between the two...that sober.p is  
now a mass mailing spam tool.

Are there any analysis papers out on sober.p yet?  And can anyone else  
corroborate the theory I have, or am I totally off-base here?  I'm  
still trying to figure it out from what I can piece together between  
phone calls for other tasks here :-)



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:59 AM, Mike Blonder wrote:
OK.
I think I get it. You had identified the oncbuv.com
address as a source for the
sober.p garbage earlier and now it is showing up with the German 
gibberish
garbage.
Sort of.  I can't find oncbuv.com so it's spoofed.  The IP actually 
reverses to a RoadRunner address.  I was hammered by the RR address, 
then the administrator had one message in German gibberwocky that 
appeared to be from that IP.



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:51
Maybe you should have simply entered it into google?
I'm quite sure that google would have lead you to the right place.
Yes, google can search for German strings too! IMHO ;-)
I did enter it in when I first discovered it, but there were no hits.   
I thought perhaps it was too new at the time, and then turned to the  
lists to corroborate what I was seeing.

and the text appears to be just a link to a website...?
Yes, it is.
Many of them are pointing to websites of
reputable printed newsletters/magazines like "Der Spiegel".
Apparently it will be very hard to block if it's just text without  
extra spammer tricks in it to bypass filters...or at least not enough  
to cross the threshold of spam vs. regular mail.

Perhaps we now know what happened to sober.p?
See:
http://www.viruslist.com/en/weblog
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp? 
VName=WORM%5FSOBER%2EU&VSect=P
Details in german:
http://www.heise.de/newsticker/meldung/59562
Well...I'm somewhat proud of myself that so far my hunches and  
(amateurish) deductions had me on the right track :-)

(anyone know offhand how to use the access file for postfix to reject
a message by *sender* instead of recipient?)
Write complaints to the owners of the IP blocks!
  The "MAIL FROM" is always faked.
  The URL-owner is mostly "innocent" too.
Block all mails from dynamic IPs.
They are 99.99% spam.
Is there a way to do that with the access file/postmap in postfix?   
Block sender IP's/IP blocks?

I thought it was odd that our hammering from particular sober.p  
infections was consistent in IP.  If they were spoofing (this was from  
the logs that I extracted that grep), then why wouldn't I have 16000  
different sober.p sources instead of a few of them over and over?

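An added example, not from the thread and not taken from any poster's setup, of the Postfix restriction that Bart's question and Rainer's "block all dynamic IPs" advice point at. Rainer's point is that MAIL FROM is useless as a key, so the block has to be keyed on what the spoofing host cannot change: the connecting client's IP address and its reverse name. check_client_access does exactly that. Paths, the pcre pattern and the /24 are illustrative assumptions; the /32 is the Road Runner address from the amavis logs quoted above. cidr and pcre tables are read directly by Postfix, so no postmap run is needed (postmap builds only hash/btree maps such as the plain access file).

```text
# main.cf (added example; paths and entries are illustrative)
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access,
    check_client_access pcre:/etc/postfix/client_access_rdns,
    permit

# /etc/postfix/client_access  (cidr table, keyed on the connecting IP, not MAIL FROM)
24.25.128.223/32    REJECT Sober.P source seen in amavis log
# Whole dynamic pool: expect collateral damage from any legitimate home MTA in it
24.25.128.0/24      REJECT dynamic pool

# /etc/postfix/client_access_rdns  (pcre table, keyed on the client's reverse name)
/^aolclient-\d+-\d+-\d+-\d+\..*\.res\.rr\.com$/    REJECT dynamic pool by reverse name
```

The /32 entry is only worth having while the same infected host keeps connecting, which is the consistency Bart noticed in his grep; the /24 and reverse-name entries are the wholesale "block dynamic IPs" policy, with the trade-off that John Jolet describes later in this thread.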


Re: [Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:27

What is the current database version from freshclam for people out
there?
It's always shown in the bottom line of
http://www.clamav.net/
 Latest database release is: main.cvd 31 daily.cvd 879
 Latest ClamAV stable release is: 0.85
Thanks for the info.  I didn't realize that was there...I knew there 
were recent threads about versioning problems going around, and began 
to suspect something was wrong with this one.  Apparently not.

I've been getting a huge number of bounces with german
subjects, addressed to people with usernames beginning with 3d (just
starting to investigate what is going on with this...)
"3d" is "=" and originates from broken ISO interpretation.
Figured that.  Knew that most bounces/address attempts with that prefix 
tended to come from viruses.

but the past few freshclam runs have shown nothing new.
Why should clamav point up?
Those are just "bounces", there is NO worm inside.
They are just sent by a worm.
There is nothing a virus scanner can do anymore. It's too late now.
What I thought we were seeing was an attempt for a virus to propagate.  
I've had bounces in some mail systems that still contain the virus, or 
even if they didn't, I hoped that I'd see something change at the 
bastion server (update virus database, whatever was trying to propagate 
would suddenly get flagged as a virus instead of get through and become 
bounce fodder).

Write to the abuse account of the originating host,
and beg him to reject all messages for unknown users,
and not to bounce them.
The ones I was searching through were actually undeliverables to 
nonexistent accounts within our network.  I was getting the error 
messages to follow up on.

-Bart


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:08 AM, Randal, Phil wrote:
It's easy to block.
Check the handler's Diary at http://isc.sans.org/ and follow the links.
Thank you, that's my next task when I get a block of time today.
Thanks again!


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:06 AM, Thomas Hochstein wrote:
Bart Silverstrim wrote:
That address had been hammering us over and over for awhile with
sober.p.  Now it's become quiet.
Yes. Now the infected hosts are sending out spam containing (very)
right-wing political propaganda.
Don't read German, and haven't had the pleasure of the English versions 
(yet?)...so, I guess it's another case of "I'm not the target 
audience."

(anyone know offhand how to use the access file for postfix to reject 
a
message by *sender* instead of recipient?)
Those senders are faked.
Thanks to someone else's posting, I found some regex lists to put into 
the header_check file for postfix...should put a stop to it.

I HATE that solution simply because it's too easy to forget about it 
and people who may send such headings in the subject line are blocked 
as well (there are courses here where you never know...the German 
course may have someone send info on Dresden in 1945...).

I also know there can be collateral damage from it.  Weigh...invalid 
bounce, or "silently dropping" messages that may be legit...hmm...

Some days it's just not worth using the Internet anymore.
-Bart
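An added example, not code from the thread, from Postfix or from the regex lists Bart found: a small Python evaluator for header_checks tables written in regexp_table(5) syntax, run over constructed sample headers. It shows the collateral damage Bart is weighing: a Subject-keyed rule rejects the worm's mailing and the German course's legitimate message alike, while a rule keyed on the dynamic-pool reverse name in the Received: line only rejects the former. All rules, subjects and addresses are made up for illustration (the Received: line reuses the relay name quoted earlier in the thread); the evaluator keeps two Postfix behaviours a practitioner trips over, namely that regexp tables match case-insensitively unless the `i` flag toggles that off, and that the first matching rule decides each header.

```python
import re
from typing import List, Optional, Tuple

# Added example (not from the list thread or from Postfix): evaluate a
# header_checks table in regexp_table(5) syntax against constructed headers.
# Every rule, subject and address below is invented for illustration.

Rule = Tuple[re.Pattern, str, str]


def parse_regexp_table(text: str) -> List[Rule]:
    """Parse '/pattern/flags ACTION text' lines the way Postfix regexp tables do.

    As in Postfix, matching is case-insensitive unless the 'i' flag toggles that
    off.  Simplifications: only the i, m and x flags are handled and the
    delimiter must be '/'.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] != "/":
            raise ValueError(f"unsupported pattern delimiter: {raw!r}")
        end = line.find("/", 1)
        if end < 0:
            raise ValueError(f"unterminated pattern: {raw!r}")
        pattern, rest = line[1:end], line[end + 1:]
        m = re.match(r"([imx]*)\s+(\S+)(?:\s+(.*))?$", rest)
        if m is None:
            raise ValueError(f"missing action: {raw!r}")
        toggles, action, reason = m.group(1), m.group(2).upper(), m.group(3) or ""
        flags = 0 if "i" in toggles else re.IGNORECASE
        if "m" in toggles:
            flags |= re.MULTILINE
        if "x" in toggles:
            flags |= re.VERBOSE
        rules.append((re.compile(pattern, flags), action, reason))
    return rules


def check_headers(headers: List[str], rules: List[Rule]) -> Optional[Tuple[str, str, str]]:
    """Return (header, action, reason) for the first header that triggers a final
    action, or None when the message passes.  As in Postfix, the first matching
    rule decides a header; DUNNO ends matching for that header only, and WARN
    only logs and moves on to the next header."""
    for header in headers:
        for pattern, action, reason in rules:
            if pattern.search(header) is None:
                continue
            if action == "WARN":
                print(f"warning: {reason}: {header}")  # Postfix would log this via syslog
            elif action != "DUNNO":
                return header, action, reason
            break
    return None


# Constructed Subject-keyed table of the kind circulated as a quick block.
SUBJECT_TABLE = """
/^Subject: .*Dresden 1945/        REJECT mass-mailing subject (constructed rule)
/^Subject: .*Deutsche Patrioten/  REJECT mass-mailing subject (constructed rule)
"""

# Constructed alternative keyed on the sending host's dynamic-pool reverse name
# in the Received: line the bastion host adds, not on the message text.
RECEIVED_TABLE = r"""
/^Received: from \S+ \(aolclient-\d+-\d+-\d+-\d+\.[a-z.]+\.res\.rr\.com \[[\d.]+\]\)/  REJECT dynamic-pool client (constructed rule)
"""

# Constructed sample headers.
SOBER_SPAM = [
    "Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])",
    "From: someone@example.org",
    "Subject: Dresden 1945",
]
GERMAN_COURSE = [  # legitimate mail that happens to share the subject phrase
    "Received: from mail.example.edu (mail.example.edu [192.0.2.10])",
    "From: instructor@example.edu",
    "Subject: Reading for Thursday: Dresden 1945",
]
ORDINARY = [
    "Received: from mail.example.com (mail.example.com [192.0.2.20])",
    "Subject: Lunch on Friday?",
]


def decide(headers: List[str], table_text: str) -> str:
    """Action Postfix would take on the message under the given table, or 'OK'."""
    hit = check_headers(headers, parse_regexp_table(table_text))
    return hit[1] if hit else "OK"


if __name__ == "__main__":
    for name, msg in (("sober spam", SOBER_SPAM), ("German course", GERMAN_COURSE), ("ordinary", ORDINARY)):
        print(f"{name:14} subject table: {decide(msg, SUBJECT_TABLE):6}  received table: {decide(msg, RECEIVED_TABLE)}")
```

Running it prints REJECT for the German course message under the Subject table and OK under the Received table; the Received-keyed rule has its own failure mode (a legitimate home MTA in the same pool), which is the trade-off discussed in the rest of this thread.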


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 1:41 PM, John Jolet wrote:
This email, for instance was sent from a properly configured mta 
running antispam and antivirus scanning in BOTH directions, from a 
dynamic ip.  If my wife sends email from her computer, it goes to the 
isp's mta, which does inbound only scanning.  I have several rules in 
place for postfix to force it to use my isp's mta for domains that 
refuse traffic from dynamic or "residential" ip addresses.  The price 
for a non-residential ip from my isp is nearly double that for 
residential.  Do I get any added-value service for that?  No, in fact, 
I lose the ability to take faulty equipment directly to the service 
center for replacement, instead of waiting for a service call.  I 
think more people running mtas would take the tack of examining the 
TRAFFIC, not the IP it came from.  That's just laziness.
Also...what if you don't trust your provider?  What if you want to have 
more control over the spam filtering, the virus handling...data 
retention...remember, in the US, your ISP records can be searched now 
without them being able to notify you, and your messages logged from 
their mail server.

Yes, there are ways around it, but why make it really easy for the 
people the tin-foil-hat brigade fears?

And what if you believe that people willing to take responsibility for 
their connections should be allowed to do so?  It's the irresponsible, 
the lazy, and the foolish that are setting up open relays today.  If 
someone is willing to take the time to wear the sysadmin hat and do it 
right, they should be able to run their own mail service.  The ISP 
should be just that.  Internet Service Provider.  Gimme my connection 
and leave the rest to me, thank you! :-)


