[Clamav-users] freshclam's daily.cvd messages not showing

2005-05-16 Thread Zibeli Aton
Hello, I'm running clamav (currently version 0.85) on two separate servers and my home notebook and recently noticed odd behavior when running freshclam. While on one server and my notebook it always both displays to the console and logs information about both main.cvd and daily.cvd (i.e. whet

Re: [Clamav-users] WORM_MYTOB.EG I am not able to submit pattern

2005-05-16 Thread Ted Fines
Ramya wrote: I have been hit by this virus 19 times as of yesterday, WORM_MYTOB.EG. This has been identified as medium risk. I am not able to submit a pattern since the zip is about 2.4MB and when I unzip this file it contains some 3000 odd EML files. Is there a signature update for this vi

Re: [Clamav-users] Sober.P

2005-05-16 Thread Diego d'Ambra
Jan Pieter Cornet wrote: It looks like the Sober.P virus has a termination date, just like the previous Sober variants had. The cutoff date is suspiciously close to Tue May 10 2005, 0:00 UTC. More accurate is to say that Sober-P entered "hibernation" - it's still active on infected machines, not r

[Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
What is the current database version from freshclam for people out there? I've been getting a huge number of bounces with german subjects, addressed to people with usernames beginning with 3d (just starting to investigate what is going on with this...) but the past few freshclam runs have show

[Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
Some more info... I see in our amavis logs on our ClamAV system (postfix pre-filter FreeBSD for email) this kind of listing... /usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), <[EMAIL PROTECTED]> -> >, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0 That address had been hamm
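The amavisd verdict lines Bart is reading are the fastest way to see who is hitting you and with what. The script below is an added example, not code from the thread or from amavisd-new: it parses lines in the shape of Bart's excerpt ("Blocked INFECTED (Worm.Sober.P), <from> -> <to>, Hits: -, tag=0, ...") and aggregates them by verdict, detection name, sender domain and recipient. The sample log lines are constructed; the addresses and the second detection name are placeholders, not observed data.

```python
"""Summarize amavisd verdict lines of the kind quoted in this thread.

Added example, not code from the thread or from amavisd-new. The log
lines are constructed in the shape shown in Bart's excerpt; addresses
and the second detection name are placeholders.
"""
import re
import sys
from collections import Counter

# Constructed sample (assumption: amavisd-new 2.x syslog lines with the
# fields visible in the thread). Addresses are placeholders.
SAMPLE_LOG = """\
May 16 08:40:01 mx /usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), <ygk@spoofed.example> -> <joe@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:41:13 mx /usr/local/sbin/amavisd[35705]: (35705-11) Blocked INFECTED (Worm.Sober.P), <qzr@spoofed.example> -> <ann@example.org>,<bob@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:42:30 mx /usr/local/sbin/amavisd[35706]: (35706-01) Passed CLEAN, <news@partner.example> -> <joe@example.org>, Hits: 0.2, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:43:02 mx /usr/local/sbin/amavisd[35706]: (35706-02) Blocked SPAM, <ads@spoofed.example> -> <ann@example.org>, Hits: 12.7, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:44:51 mx /usr/local/sbin/amavisd[35705]: (35705-12) Blocked INFECTED (Worm.Mytob.EG), <> -> <joe@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:45:00 mx /usr/local/sbin/amavisd[35705]: (35705-13) Checking: [<xyz@partner.example>] -> <joe@example.org>
"""

# One verdict line: action, verdict, optional "(detection)", sender, recipients, Hits.
VERDICT = re.compile(
    r"amavisd\[(?P<pid>\d+)\]: \((?P<task>[\d-]+)\) "
    r"(?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r"(?: \((?P<detail>[^)]*)\))?, "
    r"<(?P<sender>[^>]*)> -> (?P<rcpts><[^>]*>(?:,<[^>]*>)*), "
    r"Hits: (?P<hits>[-\d.]+)"
)


def parse_line(line):
    """Return the verdict fields of one log line, or None for non-verdict lines."""
    m = VERDICT.search(line)
    if not m:
        return None
    sender = m.group("sender")
    return {
        "action": m.group("action"),
        "verdict": m.group("verdict"),
        "detail": m.group("detail"),            # detection name for INFECTED, else None
        "sender": sender or "<>",               # empty reverse-path (bounce)
        "sender_domain": sender.rpartition("@")[2] if sender else "<>",
        "recipients": re.findall(r"<([^>]*)>", m.group("rcpts")),
        "hits": None if m.group("hits") == "-" else float(m.group("hits")),
    }


def summarize(lines):
    """Aggregate verdict lines into the counters a responder looks at first."""
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    blocked = [p for p in parsed if p["action"] == "Blocked"]
    return {
        "parsed": len(parsed),
        "skipped": len(lines) - len(parsed),
        "by_verdict": Counter(p["verdict"] for p in parsed),
        "by_detection": Counter(p["detail"] for p in blocked if p["detail"]),
        "blocked_by_sender_domain": Counter(p["sender_domain"] for p in blocked),
        "blocked_by_recipient": Counter(r for p in blocked for r in p["recipients"]),
    }


def report(summary, out=sys.stdout):
    """Print the counters, largest first."""
    for key in ("by_verdict", "by_detection", "blocked_by_sender_domain", "blocked_by_recipient"):
        print(f"{key}:", file=out)
        for name, n in summary[key].most_common():
            print(f"  {n:5d}  {name}", file=out)
    print(f"parsed {summary['parsed']} verdict lines, skipped {summary['skipped']} other lines", file=out)


if __name__ == "__main__":
    # Pipe a real maillog in (grep amavisd /var/log/maillog | python3 this.py)
    # or run without input to see the constructed sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    report(summarize(lines))
```

Sender addresses in these lines are envelope senders and, as the rest of the thread works out, forged by the worm, so the sender-domain counter tells you which forgeries are in play rather than where the traffic comes from; for the origin you need the Received headers or the connecting IP that later amavisd versions log.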

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Mike Blonder
I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting. Thanks Mike On 5/16/05, Bart Silverstrim <[

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:00 AM, Mike Blonder wrote: I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posti

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Bart Silverstrim wrote: > Are there any analysis papers out on sober.p yet? And can anyone else > corroborate the theory I have, or am I totally off-base here? I'm > still trying to figure it out from what I can piece together between > phone calls for other tasks here :-) If I remember

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Mike Blonder
OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage. Thanks Mike I will check the next batch I receive (I hope I don't) for the same address On 5/16/05, Bart S

Re: [Clamav-users] Re: Follow-up on clamav-milter not mailing notice to postmaster

2005-05-16 Thread Christopher X. Candreva
On Sat, 14 May 2005, Dennis Peterson wrote: > Clam runs fine when properly configured. And it ran fine for me right up until 0.85. > Are you asking the developers to > compensate for sloppy administration? I think for that you need a No, what I'm asking for is if it runs one day with certain p

RE: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Taylor
Hi Please see http://www.theregister.co.uk/2005/05/16/sober_spews_spam/ Rgds John Taylor Network & Security Manager Synstar -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Blonder Sent: 16 May 2005 15:00 To: ClamAV users ML Subject: Re: [Clamav-u

Re: [Clamav-users] Re: Follow-up on clamav-milter not mailing notice to postmaster

2005-05-16 Thread Dennis Peterson
Christopher X. Candreva said: > On Sat, 14 May 2005, Dennis Peterson wrote: > >> Clam runs fine when properly configured. > > And it ran fine for me right up until 0.85. > >> Are you asking the developers to >> compensate for sloppy administration? I think for that you need a > > No, what I'm askin

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51 >Some more info... >I see in our amavis logs on our ClamAV system (postfix pre-filter >FreeBSD for email) this kind of listing... >/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED >(Worm.Sober.P), <[EMAIL PROTECTED]> -> >>, Hits: -,

Re: [Clamav-users] database number

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:27 >What is the current database version from freshclam for people out >there? It's always shown in the bottom line of http://www.clamav.net/ Latest database release is: main.cvd 31 daily.cvd 879 Latest ClamAV stable release is: 0.85 >I've b

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:59 AM, Mike Blonder wrote: OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage. Sort of. I can't find oncbuv.com so it's spoofed. The IP act

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote: [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51 Maybe you should have simply entered it into google? I'm quite sure that google would have led you to the right place. Yes, google can search for german strings too! IMOH ;-) I did enter it in w

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Brian Read
Block all mails from dynamic IP. They are 99,99% spam. No they aren't; that "rule" causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is "dynamic" or "static". Some ISPs charge an arm and a leg for

RE: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Randal, Phil
It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links. Cheers, Phil Phil Randal Network Engineer Herefordshire Council Hereford, UK > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Bart Silverstrim >

Re: [Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote: [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:27 What is the current database version from freshclam for people out there? It's always shown in the bottom line of http://www.clamav.net/ Latest database release is: main.cvd 31 daily.cvd 879 L

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:08 AM, Randal, Phil wrote: It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links. Thank you, that's my next task when I get a block of time today. Thanks again!

[Clamav-users] Re: custom signature files

2005-05-16 Thread Jef Poskanzer
>sigtool >docs/signatures.pdf Interesting stuff! I had no idea this capability was available. Hey, has anyone made or run across a signature file that matches all windows executables and all archive formats? Seems like this would be fairly easy to create. --- Jef Jef Poskanzer [EMAIL
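Jef's question (a signature that fires on every Windows executable and every archive) is really a question about what the fields of a body signature mean. The script below is an added example, not code from the thread and not ClamAV's matcher: it models the extended (.ndb) body-signature format described in signatures.pdf, with the assumed layout MalwareName:TargetType:Offset:HexSignature, TargetType 0 = any file, and Offset either a decimal byte offset or `*` for anywhere, plus the `??` one-byte wildcard. The signatures are constructed from well-known file magic. Whether a given ClamAV release accepts each line (a two-byte body signature in particular) is something to confirm with `clamscan -d custom.ndb testfile`; the script only shows how the fields are interpreted.

```python
"""Model of the ClamAV extended (.ndb) body-signature format.

Added example; not ClamAV's own matcher and not from the thread. Assumed
field layout: MalwareName:TargetType:Offset:HexSignature, TargetType 0 =
any file, Offset a decimal byte offset or '*' (anywhere). Supported hex
tokens: plain bytes, '??' (any one byte) and '*' (any run of bytes).
Confirm with `clamscan -d custom.ndb <file>` that your release loads
each signature before relying on it.
"""
import re
import sys

# Constructed signatures keyed on file magic (MZ, PK\3\4, Rar!, gzip, MSCF).
CUSTOM_NDB = """\
Custom.Exec.MZ:0:0:4d5a
Custom.Archive.Zip:0:0:504b0304
Custom.Archive.Rar:0:0:526172211a0700
Custom.Archive.Gzip:0:0:1f8b
Custom.Archive.Cab:0:0:4d534346
Custom.Stub.DOS:0:*:4d5a??00
"""

TOKEN = re.compile(r"\*|\?\?|[0-9a-fA-F]{2}")


def hex_to_regex(hexsig):
    """Compile the hex-signature field into a bytes regex."""
    tokens = TOKEN.findall(hexsig)
    if "".join(tokens) != hexsig:          # odd nibble or unsupported syntax
        raise ValueError(f"unsupported hex signature: {hexsig}")
    parts = []
    for t in tokens:
        if t == "*":
            parts.append(b".*?")           # any bytes between the surrounding tokens
        elif t == "??":
            parts.append(b".")             # exactly one arbitrary byte
        else:
            parts.append(re.escape(bytes.fromhex(t)))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(text):
    """Parse .ndb lines into signature records; blank and '#' lines are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed signature: {line}")
        name, target, offset, hexsig = fields[:4]
        if offset != "*":
            int(offset)                    # must be a decimal byte offset
        sigs.append({"name": name, "target": int(target),
                     "offset": offset, "regex": hex_to_regex(hexsig)})
    return sigs


def matches(sig, data):
    """True if the signature's pattern occurs at its offset (or anywhere for '*')."""
    if sig["offset"] == "*":
        return sig["regex"].search(data) is not None
    return sig["regex"].match(data, int(sig["offset"])) is not None


def scan(data, sigs):
    """Names of all signatures that match the bytes, in database order."""
    return [s["name"] for s in sigs if matches(s, data)]


if __name__ == "__main__":
    sigs = parse_ndb(CUSTOM_NDB)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, scan(f.read(), sigs))
```

Two caveats before loading anything like this into a mail gateway: a signature on the MZ header flags every legitimate .exe attachment and a detection name is what ends up in your logs and bounce text, so name the entries for what they are (Custom.Exec.MZ rather than a malware name); and an offset of `*` means the whole file is searched, which is what you want for executables embedded in other containers but costs more than an anchored check.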

Re: [Clamav-users] database number

2005-05-16 Thread Brian Morrison
On Mon, 16 May 2005 08:27:00 -0400 in [EMAIL PROTECTED] Bart Silverstrim <[EMAIL PROTECTED]> wrote: > What is the current database version from freshclam for people out > there? 880 appeared at 1515 GMT or thereabouts. -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Todd Lyons
Brian Read wanted us to know: >>Block all mails from dynamic IP. >>They are 99,99% spam. Agreed. >No they aren't; that "rule" causes quite a few of my customers a >headache, as the (linux) mailserver I often install sends the email >direct, irrespective of whether their IP is "dynamic" or "stat

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Brian Read wrote: > >Block all mails from dynamic IP. They are 99,99% spam. > No they aren't; that "rule" causes quite a few of my customers a > headache, as the (linux) mailserver I often install sends the email > direct, irrespective of whether their IP is "dynamic" or "static". Some > ISPs c

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Thomas Hochstein
Bart Silverstrim schrieb: > That address had been hammering us over and over for awhile with > sober.p. Now it's become quiet. Yes. Now the infected hosts are sending out spam containing (very) right-wing political propaganda. > Perhaps we now know what happened to sober.p? Yes. The same thin

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Todd Lyons wrote: > You should make their ISP's mail servers be the "smarthost" or > "relayhost" for that customer's mail server. Oh yes, really. > Some ISP's don't allow you to relay mail through them if it's not for > @ispdomain.com. They don't allow you to do that so that they can charge

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Jolet
Matt Fretwell wrote: Brian Read wrote: Block all mails from dynamic IP. They are 99,99% spam. No they aren't; that "rule" causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is "dynamic" or "

Re: [Clamav-users] database number

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:10 Once upon a time "Bart Silverstrim " shaped the electrons to say... >On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote: >> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:27 >> >> >>> What is the current database version from freshclam for p

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:05 >I did enter it in when I first discovered it, but there were no hits. Ok, next time mention it ;-) >I thought perhaps it was too new at the time, and then turned to the >lists to corroborate what I was seeing. >> Many of them are pointing t

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Brian Read) 16.05.05 16:08 Once upon a time "Brian Read " shaped the electrons to say... >>Block all mails from dynamic IP. >>They are 99,99% spam. >> >> >No they aren't; that "rule" causes quite a few of my customers a >headache, That's the missing 0.01%, I know. >as the (lin

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Rainer Zocholl
[EMAIL PROTECTED](Todd Lyons) 16.05.05 10:14 >Brian Read wanted us to know: >>>Block all mails from dynamic IP. >>>They are 99,99% spam. >Agreed. >>No they aren't; that "rule" causes quite a few of my customers a >>headache, as the (linux) mailserver I often install sends the email >>direct, ir

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:06 AM, Thomas Hochstein wrote: Bart Silverstrim schrieb: That address had been hammering us over and over for awhile with sober.p. Now it's become quiet. Yes. Now the infected hosts are sending out spam containing (very) right-wing political propaganda. Don't read German, an

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 1:41 PM, John Jolet wrote: This email, for instance was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning. I

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 1:54 PM, Rainer Zocholl wrote: [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:05 I did enter it in when I first discovered it, but there were no hits. Ok, next time mention it ;-) Here I thought it was common sense now! :-) Apparently it will be very hard to block if it's just

Re: [Clamav-users] database number

2005-05-16 Thread Matt Fretwell
Rainer Zocholl wrote: > There are two flaws IMHO: > - "Gray" should only be used for *un*important infos, but > it is used for important infos and worse main titles(!) too. And I thought I rambled on about irrelevant things. > - Important infos should be visible without scrolling. >

RE: [Clamav-users] database number

2005-05-16 Thread Samuel Benzaquen
Matt Fretwell wrote: > > Rainer Zocholl wrote: > > > There are two flaws IMHO: > > - "Gray" should only be used for *un*important infos, but > > it is used for important infos and worse main titles(!) too. > > And I thought I rambled on about irrelevant things. I don't see it as irrelevant

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
John Jolet said: > Matt Fretwell wrote: >> >> > This email, for instance was sent from a properly configured mta running > antispam and antivirus scanning in BOTH directions, from a dynamic ip. > If my wife sends email from her computer, it goes to the isp's mta, > which does inbound only scanning

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Jef Poskanzer
>that would be a good blacklist: real-time-morons.org. I'd even toss in >systems that NDR after the connection is closed as they have no idea at >that point who the sender is. Which means all sites running qmail! Yay!

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Jolet
On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote: > John Jolet said: > > Matt Fretwell wrote: > > > > > > > > This email, for instance was sent from a properly configured mta running > > antispam and antivirus scanning in BOTH directions, from a dynamic ip. > > If my wife sends email from her

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote: > Nobody should send mail directly unless it is filtered outbound. In > fact, that would be a good blacklist: real-time-morons.org. I'd even > toss in systems that NDR after the connection is closed as they have no > idea at that point who the sender is. That, I cannot ar

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said: > Dennis Peterson wrote: > >> Nobody should send mail directly unless it is filtered outbound. In >> fact, that would be a good blacklist: real-time-morons.org. I'd even >> toss in systems that NDR after the connection is closed as they have no >> idea at that point who the send

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
John Jolet said: > On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote: >> John Jolet said: >> Nobody should send mail directly unless it is filtered outbound. In >> fact, >> that would be a good blacklist: real-time-morons.org. I'd even toss in >> systems that NDR after the connection is closed

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote: > > That was my point. My mail IS filtered outbound. So I should have to > > pay double for the privilege of controlling my own email? > How am I to know that you are filtering your mail? If your IP is in the > middle of a block of dynamic IP's you are fair game for me to

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said: > Dennis Peterson wrote: > >> > That was my point. My mail IS filtered outbound. So I should have to >> > pay double for the privilege of controlling my own email? > >> How am I to know that you are filtering your mail? If your IP is in the >> middle of a block of dynamic IP's

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote: > Here's how it works, Matt - if you have a dynamic IP, even one that has > a long life time, other people will still block mail from your IP block. > That seldom happens if you have a true fixed IP, all other things being > equal. And you know what? You have no say in it. I

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said: > Dennis Peterson wrote: > >> Here's how it works, Matt - if you have a dynamic IP, even one that has >> a long life time, other people will still block mail from your IP block. >> That seldom happens if you have a true fixed IP, all other things being >> equal. And you know wha

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote: > There is no need to block outright from the outset. > As I mentioned earlier, I'm getting slammed from comcast.net from relays > all over the US. It is far easier to block by obvious dsl/cable host > identifiers than to spend hours trying to figure out what /24 IP ranges

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Matt Fretwell wrote: > There is no need to blanket ban every other provider's DSL yet, though > :) Just as a side note, here are a couple of links for Postfix header checks for this german spam outbreak. http://archives.neohapsis.com/archives/postfix/2005-05/1377.html http://www.heise.de/

Re: [Clamav-users] /dev/console Permission in ClamAV 0.85

2005-05-16 Thread imacat
The /dev/console permission problem seems to be solved in the just-released ClamAV 0.85.1. Thank you. On Mon, 16 May 2005 12:12:09 +0800 imacat <[EMAIL PROTECTED]> wrote: > Sorry, I did not notice that I had disabled this list, and am > wondering why there is no response on my previous p

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bill Taroli
Brian Read wrote: Block all mails from dynamic IP. They are 99,99% spam. No they aren't; that "rule" causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is "dynamic" or "static". Some ISPs charge an ar

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bill Taroli
Matt Fretwell wrote: Brian Read wrote: Block all mails from dynamic IP. They are 99,99% spam. No they aren't; that "rule" causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is "dynamic" or "sta

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread jef moskot
On Mon, 16 May 2005, Matt Fretwell wrote: > Dennis Peterson wrote: > > The world experience is that Windows drones on dialups or cable/dsl > > are a major source of spam/viruses. > That is coming back to the dynamic elitist viewpoint. I agree with both of you, actually. In theory, of course, Mat

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Jef Poskanzer
Bill Taroli: >I wind up blocking mail from people like that for an entirely different >reason. Basic DNS checking against the HELO string to be sure it >resolves to the IP address the connection's actually coming from. There are a few different ways to do DNS checks. I haven't seen this partic

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Dennis Peterson
Matt Fretwell said: > Dennis Peterson wrote: > >> There is no need to block outright from the outset. > >> As I mentioned earlier, I'm getting slammed from comcast.net from relays >> all over the US. It is far easier to block by obvious dsl/cable host >> identifiers than to spend hours trying to fi

[Clamav-users] Freshclam fall back to HTTP

2005-05-16 Thread Awie
All, I cannot run Freshclam in DNS mode; it always falls back to HTTP. Below is the message from my machine; [EMAIL PROTECTED] root]# freshclam ClamAV update process started at Tue May 17 12:43:32 2005 WARNING: DNS record is older than 3 hours. WARNING: Invalid DNS reply. Falling back to HTT
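The two warnings Awie sees come from the check freshclam runs on the TXT record at current.cvd.clamav.net before it trusts it. The script below is an added example, not freshclam's code: it parses a record with the assumed colon-separated layout (ClamAV version, main.cvd version, daily.cvd version, publication time as a Unix timestamp, then further fields treated as opaque), applies the three-hour age limit freshclam's own warning quotes, and reports what would be fetched. The record text is constructed; live, fetch it with `host -t txt current.cvd.clamav.net`. The clock-skew flag is this script's own addition, not something freshclam reports.

```python
"""Age-check the current.cvd.clamav.net TXT record the way freshclam's
DNS mode does before it decides whether to fall back to HTTP.

Added example, not freshclam's code. Assumed record layout:
clamav_version:main_version:daily_version:unix_timestamp[:more fields].
The 3-hour limit is the one freshclam's warning quotes. The record
below is constructed.
"""
import time

MAX_RECORD_AGE = 3 * 3600          # "WARNING: DNS record is older than 3 hours"

# Constructed TXT record (quotes as `host -t txt` prints them).
SAMPLE_RECORD = '"0.85.1:31:880:1116252000:1"'


class InvalidDnsReply(ValueError):
    """What freshclam would log as 'Invalid DNS reply'."""


def parse_record(txt):
    """Split the TXT record into its fields; raise InvalidDnsReply on garbage."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 4:
        raise InvalidDnsReply(f"expected at least 4 fields, got {len(fields)}: {txt!r}")
    try:
        return {
            "clamav": fields[0],
            "main": int(fields[1]),
            "daily": int(fields[2]),
            "published": int(fields[3]),
            "extra": fields[4:],           # opaque here (assumption)
        }
    except ValueError as e:
        raise InvalidDnsReply(f"non-numeric field in {txt!r}") from e


def evaluate(txt, local_main, local_daily, now=None):
    """Decide what an updater would do with this reply against local cvd versions."""
    now = int(time.time()) if now is None else now
    rec = parse_record(txt)
    age = now - rec["published"]
    result = {
        "record": rec,
        "age_seconds": age,
        "stale": age > MAX_RECORD_AGE,     # freshclam's check
        "clock_skew": age < 0,             # this script's addition: record from the future
        "main_behind": rec["main"] > local_main,
        "daily_behind": rec["daily"] > local_daily,
    }
    # A fresh record is trusted for version numbers; a stale one makes
    # freshclam ask the mirror over HTTP instead.
    result["use_dns"] = not result["stale"]
    return result


if __name__ == "__main__":
    r = evaluate(SAMPLE_RECORD, local_main=31, local_daily=879)
    print(f"record age {r['age_seconds']}s stale={r['stale']} skew={r['clock_skew']}")
    print(f"main behind: {r['main_behind']}  daily behind: {r['daily_behind']}  use DNS: {r['use_dns']}")
```

When the warning repeats on every run, compare the timestamp field of what `host -t txt current.cvd.clamav.net` returns on that box against `date -u`: a resolver that does not pass TXT records through, a caching resolver serving an old copy, or a wrong local clock each produce the same two warnings, and the HTTP fallback masks all three.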

[Clamav-users] Rene Berber infected?

2005-05-16 Thread Damian Menscher
I've been getting plenty of those German spams, and they're almost all coming from prod-infinitum.com.mx. Interestingly, I got one that spoofed its From: header as [EMAIL PROTECTED] Which indicates that an active clamav user is infected. So, I did the obvious thing and grepped for that domain

Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Alan Premselaar
Jef Poskanzer wrote: ..snip... > And finally, if you want to run a check on the HELO string, I find > that just rejecting outside connections that claim a HELO of your own > hostname gets rid of a very high proportion of crapmail. This > very simple check is successful enough th
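The two HELO checks in this exchange (Bill's: the HELO name must resolve to the connecting address; Jef's: reject outside hosts that HELO as your own hostname) can be written as one policy. The script below is an added example, not code from the thread or from any MTA. DNS lookups are replaced by a constructed table so it runs offline; in a real deployment the MTA does the lookup (Postfix's reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname and a check_helo_access map cover the same ground) and this is only a model of the decision. The hostnames and addresses are assumptions.

```python
"""HELO/EHLO policy combining the two checks discussed in this thread.

Added example; not code from the thread or from any MTA. The DNS table
and "our" identity below are constructed so the script runs offline;
a real check resolves the HELO name with the resolver.
"""
import ipaddress
import re

# Constructed forward-DNS table (assumption, offline stand-in for a resolver).
DNS_A = {
    "mx1.example.net": {"198.51.100.5"},
    "mail.example.org": {"192.0.2.10"},
}

# Our own identity (assumption): names and addresses only we should HELO with.
OUR_HOSTNAMES = {"mail.example.org"}
OUR_ADDRESSES = {"192.0.2.10"}

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def resolve(name):
    """Forward-resolve with the constructed table."""
    return DNS_A.get(name.lower(), set())


def is_fqdn(name):
    """At least two syntactically valid DNS labels."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(lab) for lab in labels)


def helo_policy(helo, client_ip):
    """Return (action, reason) for a HELO argument from client_ip.

    Cheap identity checks run first; the DNS-dependent check comes last.
    Apply to outside connections only, not to your own networks.
    """
    h = helo.strip().lower()
    if not h:
        return ("reject", "empty HELO")

    # Address literal form: [192.0.2.10]
    if h.startswith("[") and h.endswith("]"):
        try:
            lit = str(ipaddress.ip_address(h[1:-1]))
        except ValueError:
            return ("reject", "malformed address literal")
        if lit in OUR_ADDRESSES:
            return ("reject", "HELO claims to be our own address")
        if lit != client_ip:
            return ("reject", "address literal does not match client address")
        return ("accept", "address literal matches client address")

    # A bare IP without brackets is not valid HELO syntax.
    try:
        ipaddress.ip_address(h)
        return ("reject", "bare IP address in HELO")
    except ValueError:
        pass

    # Jef's check: nobody outside should introduce themselves as us.
    if h in OUR_HOSTNAMES:
        return ("reject", "HELO claims to be our own hostname")
    if not is_fqdn(h):
        return ("reject", "HELO is not a fully qualified hostname")

    # Bill's check: the name must forward-confirm the connecting address.
    addrs = resolve(h)
    if not addrs:
        return ("reject", "HELO hostname does not resolve")
    if client_ip not in addrs:
        return ("reject", "HELO hostname does not resolve to client address")
    return ("accept", "HELO hostname forward-confirmed")


if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "203.0.113.7"),
                     ("mx1.example.net", "198.51.100.5"),
                     ("[203.0.113.7]", "203.0.113.7"),
                     ("friend", "203.0.113.7")]:
        print(f"{helo!r:20} from {ip:15} -> {helo_policy(helo, ip)}")
```

Two things to keep in mind with the forward-confirmation rule: it costs a DNS lookup per connection, and a lookup that times out should defer (4xx), not reject, or you lose mail during any resolver trouble; and it rejects exactly the misconfigured but legitimate senders the dynamic-IP argument earlier in this thread is about, so it belongs in a scoring filter or with a whitelist for known correspondents rather than as a blanket rule.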