Hi there,
On Fri, 8 Aug 2008 jef moskot wrote:
Re: simplest replacement for ancient amavis-perl
> Currently, we accept all infected mail, and quietly quarantine it.
May I suggest that you quarantine it, BUT STILL REJECT IT after it
has been read (and recorded) in its entirety? You're making a
G.W. Haywood wrote:
>> Currently, we accept all infected mail, and quietly quarantine it.
> May I suggest that you quarantine it, BUT STILL REJECT IT after it
> has been read (and recorded) in its entirety?
No, please don't do that for viruses. If they are being transmitted
by a real SMTP clien
David F. Skoll wrote:
> G.W. Haywood wrote:
>
>>> Currently, we accept all infected mail, and quietly quarantine it.
>
>> May I suggest that you quarantine it, BUT STILL REJECT IT after it
>> has been read (and recorded) in its entirety?
>
> No, please don't do that for viruses. If they are bei
[EMAIL PROTECTED] wrote:
> If done during the SMTP conversation the only thing that is going to
> see backscatter is the thing that sent it.
Which is why I qualified my reply with "if the sending relay is a valid
SMTP client."
> I am under the opinion that a message should never
> be silently bl
Hi all,
I need to open ports for Clamav database update, but since yesterday it
seems that IP addresses are changing every hour. Can you guys please let
me know what I should do to resolve this issue.
Sending you ping output.
[EMAIL PROTECTED] root]# ping db.us.clamav.net
PING db.us.rr.clamav.net (
On Fri, Aug 08, 2008 at 03:20:01PM CEST, [EMAIL PROTECTED] said:
> David F. Skoll wrote:
> > G.W. Haywood wrote:
> >
> >>> Currently, we accept all infected mail, and quietly quarantine it.
> >
> >> May I suggest that you quarantine it, BUT STILL REJECT IT after it
> >> has been read (and recorde
On Fri, Aug 08, 2008 at 09:25:19AM -0400, David F. Skoll wrote:
> > I am under the opinion that a message should never
> > be silently blackholed.
>
> I used to share that opinion, but no longer do for viruses. If you
> turn off Clam's dubious Phishing options, the odds of a false-positive
> from
Hi Steve,
The site is interesting and will help with general cases but lately the
school is getting phishing specific to the university, which does not
help us. For an example, the latest phishing we got had a Subject: ODU
Network and in the body of the message contained:
The reason for this mes
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
>> If done during the SMTP conversation the only thing that is going to
>> see backscatter is the thing that sent it.
>
> Which is why I qualified my reply with "if the sending relay is a valid
> SMTP client."
Maybe we are just arguing semantics
On Fri, 8 Aug 2008 13:31:24 +0100 (BST)
"G.W. Haywood" <[EMAIL PROTECTED]> wrote:
>> Currently, we accept all infected mail, and quietly quarantine it.
>
>May I suggest that you quarantine it, BUT STILL REJECT IT after it
>has been read (and recorded) in its entirety? You're making a rod
>for y
Take a look at
http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
Which I found very useful for exactly this situation.
Phil.
Phil Chambers
Postmaster
University of Exeter
___
Help us build a comprehensive ClamAV guide: v
Parveen Malik wrote:
> Hi all,
>
> I need to open ports for Clamav database update, but since yesterday it
> seems that IP addresses are changing every hour. Can you guys please let
> me know what I should do to resolve this issue.
> Sending you ping output.
> [EMAIL PROTECTED] root]# ping db.us.cl
[EMAIL PROTECTED] wrote:
>> Which is why I qualified my reply with "if the sending relay is a valid
>> SMTP client."
> Maybe we are just arguing semantics but anything that connects to
> my mail server and speaks RFC821 is valid. I might not like what
> it feeds me but that is what ClamAV/SpamAs
On Fri, 8 Aug 2008, David F. Skoll wrote:
> G.W. Haywood wrote:
> > You're making a rod for your own back if you accept bad mail. The
> > sender will sell the recipients' addresses to all his spammer friends
> > and you'll just get more of it.
>
> In my experience, spammers do not bother cleaning
Chambers, Phil wrote:
> Take a look at
>
> http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
>
I have seen this document but it does not show how to add signatures
to a database OR for clamd to detect the phishing e-mail. I was able
to create the signature (a .hbd file) and clamscan
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
>>> Which is why I qualified my reply with "if the sending relay is a valid
>>> SMTP client."
>
>> Maybe we are just arguing semantics but anything that connects to
>> my mail server and speaks RFC821 is valid. I might not like what
>> it feeds
[EMAIL PROTECTED] wrote:
[...]
> What backscatter? If done at SMTP the only person that should be
> notified is the sender.
I see. And it's impossible for a virus to forge MAIL FROM:, is it?
Regards,
David.
Steven,
I have a secured environment which is governed by HIPAA regulations, so I
can't keep everything open.
Thanks,
Parveen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 9:56 AM
To: ClamAV users ML
Subject:
On Fri, Aug 08, 2008 at 09:44:11AM -0400, Darren G Pifer wrote:
> Hi Steve,
>
> The site is interesting and will help with general cases but lately the
> school is getting phishing specific to the university, which does not
> help us.
Have you considered using a regular-expression based filterin
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Darren G Pifer
> Sent: Fri 08 August 2008 15:09
> To: ClamAV users ML
> Subject: Re: [Clamav-users] Clamav phishing sigs
>
> Chambers, Phil wrote:
> > Take a look at
> >
> > http://iserv.rs-hilte
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
> [...]
>
>> What backscatter? If done at SMTP the only person that should be
>> notified is the sender.
>
> I see. And it's impossible for a virus to forge MAIL FROM:, is it?
No, it is trivial for anyone to forge "mail from" headers but that
[EMAIL PROTECTED] wrote:
> No, it is trivial for anyone to forge "mail from" headers but that is
> irrelevant when virus filtering is done at the SMTP level. You don't
> send the rejection to the address in the "mail from." You send the
> rejection to the server/client that sent you the message
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
>> No, it is trivial for anyone to forge "mail from" headers but that is
>> irrelevant when virus filtering is done at the SMTP level. You don't
>> send the rejection to the address in the "mail from." You send the
>> rejection to the server/cli
[EMAIL PROTECTED] wrote:
> No, I did not say that. I said it was trivial. I am just pointing out that
> it is irrelevant while the SMTP conversation is still going on. It is
> impossible (mostly) to forge the IP the message is being sent from if there
> is a live SMTP conversation going on and w
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
>> No, I did not say that. I said it was trivial. I am just pointing out that
>> it is irrelevant while the SMTP conversation is still going on. It is
>> impossible (mostly) to forge the IP the message is being sent from if there
>> is a live SM
[EMAIL PROTECTED] wrote:
> No need to be condescending about it. I have no problem taking it off
> list and explaining how you are mistaken.
OK, look. I guess I need to spell it out for you.
End-user PC has virus. Virus does this:
telnet isps-smtp-server 25
HELO bogus
MAIL FROM:<[EMAIL PROTE
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
>> No need to be condescending about it. I have no problem taking it off
>> list and explaining how you are mistaken.
>
> OK, look. I guess I need to spell it out for you.
>
> End-user PC has virus. Virus does this:
>
> telnet isps-smtp-serv
David F. Skoll writes:
> [EMAIL PROTECTED] wrote:
i'm far from an expert but at some level i believe that you're both
right. the real question boils down (i think) to "who is trying to deliver
this piece of unwanted email?"
if it's a Real MTA, then kicking back a 550 will -- probably -- have the
rick pim wrote:
> David F. Skoll writes:
> > [EMAIL PROTECTED] wrote:
>
> i'm far from an expert but at some level i believe that you're both
> right. the real question boils down (i think) to "who is trying to deliver
> this piece of unwanted email?"
>
> if it's a Real MTA, then kicking back a
David F. Skoll schrieb:
OK, look. I guess I need to spell it out for you.
End-user PC has virus. Virus does this:
telnet isps-smtp-server 25
In my experience that's very unusual behaviour for a virus.
The vast majority try to connect directly to the recipient's MX.
--
Tilman Schmidt
Phoen
On Fri, 8 Aug 2008 11:20:54 -0400
rick pim <[EMAIL PROTECTED]> wrote:
>David F. Skoll writes:
> > [EMAIL PROTECTED] wrote:
>
>i'm far from an expert but at some level i believe that you're both
>right. the real question boils down (i think) to "who is trying to
>deliver this piece of unwanted emai
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
> [...]
>
>> What backscatter? If done at SMTP the only person that should be
>> notified is the sender.
>
> I see. And it's impossible for a virus to forge MAIL FROM:, is it?
>
That is the concern of the connecting system - they will suffer
David F. Skoll wrote:
> [EMAIL PROTECTED] wrote:
>
>> No need to be condescending about it. I have no problem taking it off
>> list and explaining how you are mistaken.
>
> OK, look. I guess I need to spell it out for you.
>
> End-user PC has virus. Virus does this:
>
> telnet isps-smtp-serv
Gerard writes:
> Employing 'greylisting' would vastly improve the chances of eliminating
> the acceptance of SPAM at the MTA level.
it certainly does. unfortunately, in practice, one of the
prime advantages of greylisting -- the fact that it will never
block 'real' mail -- turns out, um, not to
Chambers, Phil wrote:
> I have looked at the source code and there are numerous places where it
> detects problems with signature, but they all generate the same failure
> message: "Malformed database".
>
> It is going to take me a very long time to patch the code to make it
> generate different er
On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
> > telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]>
> > telnet victims-server 25 ... HELO isps-server ... MAIL FROM
> > If victim's SMTP server fails the DATA with a 5xx code, then
> > backscatter goes [EMAIL PROTECTED]
> i
Tilman Schmidt wrote:
>> telnet isps-smtp-server 25
> In my experience that's very unusual behaviour for a virus.
> The vast majority try to connect directly to the recipient's MX.
I see both. I see malware that connects directly from end-user PCs,
and more sophisticated malware that actually b
Darren G Pifer wrote:
> Chambers, Phil wrote:
>> Take a look at
>>
>> http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
>>
> I have seen this document but it does not show how to add signatures
> to a database OR for clamd to detect the phishing e-mail. I was able
> to create the sig
On Fri, 8 Aug 2008, Charles Gregory wrote:
> Well, first of all, yes it IS. It's *everyone's* problem. That forged
> address could be on *your* server, and *you* get the backscatter from some
> other victim system that also "doesn't care what the ISP does with it"...
what he said: we have two ac
Noel Jones wrote:
> Darren G Pifer wrote:
>> Chambers, Phil wrote:
>>> Take a look at
>>>
>>> http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
>>>
>> I have seen this document but it does not show how to add signatures
>> to a database OR for clamd to detect the phishing e-mail. I w
rick pim wrote:
> (that said, there's something to be said for bouncing mail: one of our
> vendors is occasionally silently blocking my email to them. clearly
> SOMETHING about my messages is triggering their spam filters. it sure
> would be nice if i got the bounces for those)
I discard vi
Charles Gregory wrote:
> On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
>>> telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]>
>>> telnet victims-server 25 ... HELO isps-server ... MAIL FROM
>>> If victim's SMTP server fails the DATA with a 5xx code, then
>>> backscatter goes [
rick pim wrote:
>
> On Fri, 8 Aug 2008, Charles Gregory wrote:
>> Well, first of all, yes it IS. It's *everyone's* problem. That forged
>> address could be on *your* server, and *you* get the backscatter from some
>> other victim system that also "doesn't care what the ISP does with it"...
>
> wh
Charles Gregory wrote:
> On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
>>> telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]>
>>> telnet victims-server 25 ... HELO isps-server ... MAIL FROM
>>> If victim's SMTP server fails the DATA with a 5xx code, then
>>> backscatter goes [
Dennis Peterson wrote:
> Noel Jones wrote:
>> Darren G Pifer wrote:
>>> Chambers, Phil wrote:
>>>> Take a look at
>>>> http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
>>> I have seen this document but it does not show how to add signatures
>>> to a database OR for clamd to
[EMAIL PROTECTED] wrote:
> Charles Gregory wrote:
>> On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
>>> telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]>
>>> telnet victims-server 25 ... HELO isps-server ... MAIL FROM
>>> If victim's SMTP server fails the DATA with a 5xx co
[EMAIL PROTECTED] wrote:
>
> I meant to imply that when the ISP does not virus filter and the
> recipient silently drops the message the problem never gets resolved
> because nobody is made aware of it. The ISP customer will continue
> to be infected and continue to send out garbage. I suppose
On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
> I have been at the other end of backscatter and it is by no means fun
> but when it happens I am fully capable of taking measures against it as I
> would any other spam/virus source. This is where RBLs come in handy.
How would an RBL help? Backscatter co
Charles Gregory wrote:
> On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
>> I have been at the other end of backscatter and it is by no means fun
>> but when it happens I am fully capable of taking measures against it as I
>> would any other spam/virus source. This is where RBLs come in handy.
>
> How w
Steve Basford wrote:
> Darren G Pifer wrote:
>
>> So, the e-mail team and security staff need to be able to create
>> signatures so
>> that clamd can detect this spam, and similar phishing, and need to get
>> the
>> database updated in a short time frame. I do not think submitting
>> these to t
On Fri, 08 Aug 2008 13:26:23 -0500
Noel Jones <[EMAIL PROTECTED]> wrote:
>If the sig works with clamscan, it will also work with clamdscan.
>Clamd must be stopped and restarted to recognize new signature
>files.
You can use something like:
pidof clamd # Get the pid of clamd