David,

I posted some log snippets last week on the Declude Virus list that
show what is happening.

Yes, the notifications are being sent in error. These COM files are
being detected by Declude Virus as "Bogus", and the proper behavior is
for the bogus identification to override the banned extension, and
disable the sending of the banname.eml file. This is how other bogus
files are handled. Essentially, bogus file detection should work
exactly the same as vulnerabilities and disable such notifications.

What is happening currently that has exposed this flaw is that one active
zombie spammer is randomizing the name of an image attachment using a
forged E-mail address, most of which end with COM. Declude sees a COM
extension but finds a GIF in the BASE64 code, which is not a COM file
and therefore bogus. Due to the volume and the fact that these are
tripping the banname.eml file, there is a huge volume of postmaster
bounces from undeliverable E-mail (I got over 200 in just 12 hours
before applying the workaround).

Log Snippet
===============================================================
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file: [text/html][quoted-printable; Length=5395 Checksum=490002]
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file: [EMAIL PROTECTED] [base64; Length=6414 Checksum=850887]
03/16/2005 00:00:31 Qbd6eb1a701040a54 Banning file with COM extension [image/gif].
03/16/2005 00:00:31 Qbd6eb1a701040a54 Found a bogus .com file
03/16/2005 00:00:31 Qbd6eb1a701040a54 Scanned: Banned file extension. [Prescan OK][MIME: 3 12614]
03/16/2005 00:00:31 Qbd6eb1a701040a54 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
03/16/2005 00:00:31 Qbd6eb1a701040a54 Subject: denigrate cosmetic scene serge midshipman

MIME Snippet
===============================================================
------=_NextPart_000_00QP_00N2764VQ_00Y.154D01N0
Content-Type: image/gif;
name="[EMAIL PROTECTED]"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

Matt

David Franco-Rocha wrote:
Matt,
I would like to clarify one issue:
Are you saying that the specific issue is that notifications are
erroneously being sent for bogus COM files and that the issue is *not*
whether bogus COM files are being accurately detected?
David Franco-Rocha

----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Monday, March 21, 2005 8:16 AM
Subject: Re: [Declude.JunkMail] Exclude BABEXT Notify for COM

There seems to be a bug in all versions where
a bogus COM file is still bounced as a banned extension (unlike other
'bogus' types that are detected).
The workaround is to add "SKIPIFEXT COM" to the top of your
bannotify.eml; however, this will stop all bounces for COM files
regardless of whether or not they are found to be 'bogus'.
Matt
Don Schreiner wrote:
I am getting a lot of postmaster rejects from bad addresses after turning on
BANEXT for COM attachments. I would like to exclude notifications on my
BANnotify.EML file. Can I do this by inserting SKIPIFBANEXTNAMEHAS COM at
the top of EML file? I am just guessing based on feature to use
SKIPIFVIRUSNAMEHAS VIRUS_NAME.

I am still sitting on 1.82 waiting until comfortable with upgrade. I have
looked for the Declude Manuals on the site but see no reference other than
the install manual? I got to tell you guys the Declude site is a real pain
in the rear finding the manuals. I logged on to my account which is no use.
It does not have either of my 2 licenses listed. Nor does it have any links
to the manual. I even downloaded the most recent release version and I see
no readme.txt or manual there either.

Ohh well... any assistance on the BANEXT COM and excluding the notify for
same on EML file would be most appreciated. Thanks.
-Don
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
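
Added example, not part of the original thread and not Declude's code: a minimal Python sketch of the behaviour requested above, where an attachment with a banned extension whose body is really an image is classed as "bogus" and the sender notification is suppressed. The banned list, function names and the sample message (including user@example.com and setup.com) are constructed assumptions.

```python
import base64
from email import message_from_string

BANNED_EXT = {"com"}  # assumed banned-extension list (hypothetical config)
# Magic numbers of common image formats; a banned-extension attachment that
# starts with one of these is not an executable at all.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

def b64(data):
    return base64.b64encode(data).decode()

# Constructed sample: a GIF named like an e-mail address ending in .com (as in
# the MIME snippet above) plus a non-image attachment that is also named *.com.
SAMPLE = (
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html\n\n<html></html>\n'
    '--b1\nContent-Type: image/gif;\n name="user@example.com"\n'
    'Content-Transfer-Encoding: base64\n\n' + b64(b"GIF89a" + b"\x00" * 20) + '\n'
    '--b1\nContent-Type: application/octet-stream;\n name="setup.com"\n'
    'Content-Transfer-Encoding: base64\n\n' + b64(b"\xb4\x09\xba\x0b\x01") + '\n'
    '--b1--\n'
)

def sniff_image(data):
    """Return the image type named by the leading magic bytes, or None."""
    return next((kind for magic, kind in IMAGE_MAGIC.items()
                 if data.startswith(magic)), None)

def classify(part):
    """'ok', 'banned' (extension banned) or 'bogus' (banned name, image body)."""
    name = part.get_filename() or ""
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    if ext not in BANNED_EXT:
        return "ok"
    return "bogus" if sniff_image(part.get_payload(decode=True) or b"") else "banned"

def scan(raw):
    """Per attachment: (name, verdict, send_notification)."""
    results = []
    for part in message_from_string(raw).walk():
        if part.get_filename():
            verdict = classify(part)
            # Behaviour argued for in the thread: a bogus verdict overrides the
            # banned extension and suppresses the sender notification.
            results.append((part.get_filename(), verdict, verdict == "banned"))
    return results

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

Because the From address on such mail is forged, suppressing the notification for the bogus case is what stops the backscatter while genuine *.com attachments still generate a notice.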