Matt,
I have discussed this subject with Scott, who explained a bit about how he developed this. It seems pretty straightforward, although it is a little confusing why some bogus file types do not have the banned notifications sent out and bogus COM files do. In any event, I am looking into the actual code now to determine the precise source of the problem and I should have a fix in the *very* near future.
David Franco-Rocha
----- Original Message -----
Sent: Monday, March 21, 2005 9:58 AM
Subject: Re: [Declude.JunkMail] Exclude BABEXT Notify for COM
David,

I posted some log snippets last week on the Declude Virus list that show what is happening.

Yes, the notifications are being sent in error. These COM files are being detected by Declude Virus as "Bogus", and the proper behavior is for the bogus identification to override the banned extension, and disable the sending of the banname.eml file. This is how other bogus files are handled. Essentially bogus file detection should work exactly the same as vulnerabilities and disable such notifications.

What is happening currently that has exposed this flaw is that one active zombie spammer is randomizing the name of an image attachment using a forged E-mail address, most of which end with COM. Declude sees a COM extension but finds a GIF in the BASE64 code, which is not a COM file and therefore bogus. Due to the volume and the fact that these are tripping the banname.eml file, there is a huge volume of postmaster bounces from undeliverable E-mail (I got over 200 in just 12 hours before applying the workaround).
Log Snippet
===============================================================
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file: [text/html][quoted-printable; Length=5395 Checksum=490002]
03/16/2005 00:00:31 Qbd6eb1a701040a54 MIME file: [EMAIL PROTECTED] [base64; Length=6414 Checksum=850887]
03/16/2005 00:00:31 Qbd6eb1a701040a54 Banning file with COM extension [image/gif].
03/16/2005 00:00:31 Qbd6eb1a701040a54 Found a bogus .com file
03/16/2005 00:00:31 Qbd6eb1a701040a54 Scanned: Banned file extension. [Prescan OK][MIME: 3 12614]
03/16/2005 00:00:31 Qbd6eb1a701040a54 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
03/16/2005 00:00:31 Qbd6eb1a701040a54 Subject: denigrate cosmetic scene serge midshipman

MIME Snippet
===============================================================
------=_NextPart_000_00QP_00N2764VQ_00Y.154D01N0
Content-Type: image/gif; name="[EMAIL PROTECTED]"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Matt
David Franco-Rocha wrote:
Matt,
I would like to clarify one issue: Are you saying that the specific issue is that notifications are erroneously being sent for bogus COM files and that the issue is *not* whether bogus COM files are being accurately detected?
David Franco-Rocha
----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Monday, March 21, 2005 8:16 AM
Subject: Re: [Declude.JunkMail] Exclude BABEXT Notify for COM
There seems to be a bug in all versions where a bogus COM file is still bounced as a banned extension (unlike other 'bogus' types that are detected).

The workaround is to add "SKIPIFEXT COM" to the top of your bannotify.eml; however, this will stop all bounces for COM files regardless of whether or not they are found to be 'bogus'.
Matt
Don Schreiner wrote:
I am getting a lot of postmaster rejects from bad addresses after turning on BANEXT for COM attachments. I would like to exclude notifications on my BANnotify.EML file. Can I do this by inserting SKIPIFBANEXTNAMEHAS COM at the top of EML file? I am just guessing based on feature to use SKIPIFVIRUSNAMEHAS VIRUS_NAME.

I am still sitting on 1.82 waiting until comfortable with upgrade. I have looked for the Declude Manuals on the site but see no reference other than the install manual? I got to tell you guys the Declude site is a real pain in the rear finding the manuals. I logged on to my account which is no use. It does not have either of my 2 licenses listed. Nor does it have any links to the manual. I even downloaded the most recent release version and I see no readme.txt or manual there either. Oh well... any assistance on the BANEXT COM and excluding the notify for same on EML file would be most appreciated. Thanks.
-Don
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
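
Added example, not part of the original thread and not Declude's code: a minimal sketch of the behavior the thread describes as correct, where an attachment whose name ends in a banned extension but whose decoded bytes are a known image format is treated as "bogus" and the sender notification is suppressed. The ban list, the signature table, the function names and the sample messages are all assumptions constructed for illustration.

```python
import base64
from email import message_from_string

# Well-known leading bytes of common non-executable formats.
MAGIC = {b"GIF87a": "image/gif", b"GIF89a": "image/gif",
         b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}
BANNED_EXTS = {"com", "exe", "pif", "scr"}  # assumed ban list

def sniff(payload: bytes):
    """Return the media type implied by the magic bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if payload.startswith(sig):
            return kind
    return None

def classify(raw_message: str):
    """Return (verdict, notify_sender) for the first banned-extension part."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        # Falls back to the Content-Type "name" parameter, as in the MIME snippet.
        name = part.get_filename()
        if not name or "." not in name:
            continue
        if name.rsplit(".", 1)[1].lower() not in BANNED_EXTS:
            continue
        payload = part.get_payload(decode=True) or b""
        if sniff(payload) is not None:
            # Name claims COM, bytes are an image: bogus. The sender address
            # is likely forged, so the bogus verdict disables the notification.
            return ("bogus", False)
        return ("banned", True)
    return ("clean", False)

def sample(name: str, payload: bytes) -> str:
    """Constructed test message carrying one base64 attachment."""
    b64 = base64.b64encode(payload).decode()
    return ("MIME-Version: 1.0\n"
            'Content-Type: multipart/related; boundary="b1"\n\n'
            "--b1\nContent-Type: text/html\n\n<html></html>\n"
            f'--b1\nContent-Type: image/gif; name="{name}"\n'
            "Content-Transfer-Encoding: base64\n\n"
            f"{b64}\n--b1--\n")

if __name__ == "__main__":
    gif = b"GIF89a" + b"\x00" * 10          # constructed GIF header
    dos = b"\xb4\x09\xba\x0b\x01\xcd\x21"   # constructed non-image bytes
    print(classify(sample("user@example.com", gif)))
    print(classify(sample("tool.com", dos)))
```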