Here's an update about the attempted workaround. I added "SKIPIFEXT
mismatched.exe" to my bannotify.eml and it didn't prevent the bounce.
It would seem that while Declude is using the EXE extension from
mismatched.exe in determining the bannotify.eml action, it is not using
that file name in the variable that SKIPIFEXT is using.
It appears that there is no way to prevent the backscatter from this
besides maybe turning off bounces for EXE's (which may or may not
work), turning off all banned extension bouncing, or not blocking EXE's
altogether. This definitely needs a solution since none of those
options are acceptable nor is the potential of bouncing so much E-mail.
I know that I can create something to delete these messages on my own
system, but I would still be vulnerable to other exploits by broken
spamware, and of course that's only me and this affects all Declude
users that block EXE's and use bannotify.eml to bounce.
Matt
Colbeck, Andrew wrote:
.. I hope that Declude will
agree with Matt's point that backscatter must be avoided. There is
ample precedent, for example in that the BOUNCE action was renamed to
BOUNCEONLYIFYOUMUST to prevent backscatter.
Andrew.
Matt,
I agree with every one of your
points - my intent was to bring it up that I had reported this issue
a long time ago, as I also thought that what was happening was
undesirable. However, at the time Scott did not feel this was a bug.
However, times change and backscatter is a huge issue. Maybe that's
enough now to convince for an alteration of behavior. My preference
would be to handle mismatched exe's as their own class, for which I would
not send bannotify messages.
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com
for utilities for Declude And Imail. IMail/Declude Overflow Queue
Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Darrell,
I'm sure that it is desirable to block (when the detection isn't
erroring), however having this handled as if it was an EXE when it
comes to the bannotify.eml is problematic. Backscatter can get you
blacklisted, not to mention it is annoying to get such things for
forged E-mail.
I have Virus running after JunkMail and still I have bounced a dozen of
these today alone (which excludes messages that reached my DELETE
weight). For those that run JunkMail before Virus (the default), that
number could be in the hundreds or thousands depending on volume since
this comes from a major zombie spammer. I'm guessing that most are
bouncing EXE's that aren't detected as viruses.
To check this, just search your Virus log for "mismatched.exe".
The behavior needs to be changed so that this doesn't trigger
bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe"
in my bannotify.eml to see if that helps, but this should not bounce
such messages by default as if they were EXE's. It makes sense to give
it a unique extension for these conditions and let us determine what to
do with them instead of lumping it together with actions for EXE's.
Matt
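Matt's check above ("search your Virus log for mismatched.exe") can be turned into a small script that measures how many EXE bans in a log excerpt rest only on the mismatched-extension guess, and which source IPs they came from. This is an added example, not Declude code or a tool from the thread; the log lines below are constructed to match the shape of the entry quoted later in the thread, with made-up queue ids, addresses and documentation-range IPs, and each entry is assumed to occupy one line in the real log file.

```python
import re
from collections import Counter, defaultdict

# Constructed Declude Virus log excerpt modelled on the entry quoted in the
# thread. Queue ids, addresses and IPs are made up, and each entry is one
# line as it would be in the log file (the thread's copy was wrapped by mail).
SAMPLE_LOG = """\
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd From: forged@example.invalid To: user@example.invalid [outgoing from 192.0.2.10]
10/01/2006 14:10:02.100 q02f8014a0000a001.smd MIME file: invoice.exe [base64; Length=40960 Checksum=12345]
10/01/2006 14:10:02.100 q02f8014a0000a001.smd Banning file with EXE extension [application/octet-stream].
10/01/2006 14:10:02.200 q02f8014a0000a001.smd From: partner@example.invalid To: user@example.invalid [outgoing from 198.51.100.7]
10/01/2006 14:12:30.000 q02f8014a0000a0ff.smd Found file with mismatched extensions [photo.jpg-photo.gi]; assuming .exe
10/01/2006 14:12:30.000 q02f8014a0000a0ff.smd MIME file: mismatched.exe [base64; Length=18000 Checksum=777]
10/01/2006 14:12:30.000 q02f8014a0000a0ff.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:12:30.300 q02f8014a0000a0ff.smd From: other@example.invalid To: user@example.invalid [outgoing from 192.0.2.10]
"""

# One regex for the common line prefix, then one per message text we care about.
LINE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) (?P<qid>\S+) (?P<msg>.*)$")
MISMATCH = re.compile(r"Found file with mismatched extensions \[(?P<names>[^\]]+)\]; assuming \.exe")
EXE_BAN = re.compile(r"Banning file with EXE extension")
FROM = re.compile(r"From: (?P<from>\S+) To: (?P<to>\S+) \[outgoing from (?P<ip>[\d.]+)\]")


def parse_log(text):
    """Group Virus log lines by queue id into one record per message."""
    msgs = defaultdict(lambda: {"mismatch": None, "exe_ban": False,
                                "from": None, "to": None, "ip": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a Declude log line; ignore it
        rec, msg = msgs[m["qid"]], m["msg"]
        mm = MISMATCH.search(msg)
        fm = FROM.search(msg)
        if mm:
            rec["mismatch"] = mm["names"]
        elif EXE_BAN.search(msg):
            rec["exe_ban"] = True
        elif fm:
            rec["from"], rec["to"], rec["ip"] = fm["from"], fm["to"], fm["ip"]
    return dict(msgs)


def mismatch_bans(msgs):
    """Queue ids where the EXE ban rests only on the mismatched-extension guess.

    Each of these is a message that bannotify.eml would have bounced to a
    sender address which, for zombie spam, is usually forged.
    """
    return sorted(q for q, r in msgs.items() if r["mismatch"] and r["exe_ban"])


def report(text):
    """Summarise how many EXE bans a log excerpt owes to mismatched extensions."""
    msgs = parse_log(text)
    hits = mismatch_bans(msgs)
    return {
        "exe_bans": sum(1 for r in msgs.values() if r["exe_ban"]),
        "mismatched_bans": len(hits),
        "per_source_ip": Counter(msgs[q]["ip"] for q in hits),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    print(f"{summary['mismatched_bans']} of {summary['exe_bans']} EXE bans "
          "came from mismatched extensions")
    for ip, n in summary["per_source_ip"].most_common():
        print(f"  {ip}: {n}")
```

Run against a real Virus log the per-IP counter separates the genuine EXE bans (which you may well want to bounce) from the ones the mismatch guess produced, which is the population at risk of becoming backscatter.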
Darrell ([EMAIL PROTECTED]) wrote:
I brought this up to Scott
several years ago - and he said this is not a bug but a by-design
issue. He explained a scenario why this was important and I understood
based on the explanation but for the life of me I can't remember the
scenario.
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com
for utilities for Declude And Imail. IMail/Declude Overflow Queue
Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I just found this bug. Essentially, if the MIME headers for an
attachment are mismatched, Declude "assumes" that it is an EXE for
virus scanning purposes, and this causes EXE triggers such as
bannotify.eml to be triggered. This is especially bad since it is
happening fairly commonly on zombie spam.
For example, here are the MIME headers from the spam sample:
Content-Type: image/jpeg;
    name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Disposition: inline;
    filename="smoky.1.gi"
You will note the Content-Type being image/jpeg and the file extension
being "gi". Here is what Declude Virus finds:
10/01/2006 14:03:44.656 q02f8014a00009ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a00009ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd Subject: Re: diagnostician dull
This is clearly not desirable behavior, and I have run into a related
bug previously (that was previously reported) where a filename that
spans two lines (which is RFC compliant when 'folded') will be treated
as an EXE and bounced if you are bouncing non-virus EXE's.
It is absolutely necessary to allow for bannotify.eml bouncing of
messages with EXE extensions because they are commonly received
legitimately regardless of whether they are allowed or not, but to have
EXE be the assumed extension at the same time causes a lot of different
issues. Because of this, I would strongly suggest that Declude assume
a different extension when necessary, such as "unknown" so that we can
configure Declude Virus to handle "unknown" files in a different way.
We could choose for instance to block them, but not bounce them.
Thanks,
Matt
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
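The original report above describes two separate problems: a part whose Content-Type name= and Content-Disposition filename= disagree on extension is assumed to be an EXE, and a filename folded onto a second header line can be misread the same way. The following is an added example, not Declude code, showing the handling the report asks for: mismatched parts get their own "unknown" class, the policy for that class is assumed to block but not notify the sender, and folded header parameters are unfolded by the parser before the extension is compared. The POLICY table is an assumed layout, not Declude's configuration syntax, and the sample message is constructed from the headers quoted in the thread with made-up addresses, boundary and payloads.

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Assumed policy table (not Declude's configuration syntax). Keys are the
# extension class a scanner derives for a part; "unknown" is the separate
# class the thread proposes for mismatched parts: blocked like an EXE, but
# never answered with a bannotify-style bounce to the (often forged) sender.
POLICY = {
    "exe":     {"block": True, "notify_sender": True},
    "unknown": {"block": True, "notify_sender": False},
}
DEFAULT_POLICY = {"block": False, "notify_sender": False}


def extension_of(name):
    """Lower-cased extension of a file name without the dot, or None."""
    if not name:
        return None
    return os.path.splitext(name)[1].lower().lstrip(".") or None


def _param(part, name, header):
    """Fetch a header parameter as a plain string (RFC 2231 values collapsed)."""
    value = part.get_param(name, header=header)
    return None if value is None else collapse_rfc2231_value(value)


def classify_part(part):
    """Return (ext_class, detail) for one leaf MIME part.

    ext_class is None when the part names no file at all. The email parser
    has already unfolded continuation lines, so a filename parameter that
    is folded onto a second header line arrives whole.
    """
    ct_name = _param(part, "name", "content-type")
    cd_name = _param(part, "filename", "content-disposition")
    if ct_name is None and cd_name is None:
        return None, None
    ct_ext, cd_ext = extension_of(ct_name), extension_of(cd_name)
    if ct_name is not None and cd_name is not None and ct_ext != cd_ext:
        # The case from the log: name= and filename= disagree. Record both
        # names (as Declude's log does) but do not pretend this is an EXE.
        return "unknown", f"{ct_name}-{cd_name}"
    return (cd_ext or ct_ext or "none"), (cd_name or ct_name)


def scan_message(raw):
    """Classify every leaf part of a raw RFC 2822 message.

    Returns [(ext_class, detail, policy), ...] in message order.
    """
    msg = email.message_from_string(raw)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ext_class, detail = classify_part(part)
        if ext_class is None:
            continue
        results.append((ext_class, detail, POLICY.get(ext_class, DEFAULT_POLICY)))
    return results


# Constructed sample modelled on the headers quoted in the thread; the
# addresses, boundary and payloads are made up. The second part folds its
# filename= onto a continuation line exactly as the spam sample did.
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Re: diagnostician dull
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body>diagnostician dull</body></html>
--b1
Content-Type: image/jpeg;
 name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <part1@example.invalid>
Content-Disposition: inline;
 filename="smoky.1.gi"

/9j/4AAQSkZJRg==
--b1
Content-Type: application/octet-stream;
 name="setup.exe"
Content-Disposition: attachment;
 filename="setup.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for ext_class, detail, action in scan_message(SAMPLE):
        print(f"{ext_class:8} {detail:28} block={action['block']} "
              f"notify={action['notify_sender']}")
```

The mismatched part and the genuine EXE both end up blocked, but only the EXE's policy carries notify_sender, so a bannotify-style bounce is never generated for the mismatched part regardless of how the SKIPIFEXT keyword behaves.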