Re: [IMail Forum] URLSpoof contained within an RTF Doc

[Matt]

Rick, The error that you reported from Panda is described by Panda as follows: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=43353&sind=0 "Exploit/URLSpoof is a vulnerability exploit. It is not categorized as a virus, worm or Trojan. To be more precise, it is code written in the HTML language, which is included in the body of a message or of a web page in order to exploit a vulnerability in the browser Internet Explorer." This particular "exploit" was discovered in late December and it consists of a URL encoded non-printing character in a link which can cause IE to not display the actual URL of the site after following the link.  Here's the page of the site that explains it:     http://www.zapthedingbat.com/security/ex01/vun1.htm I'd post an example, but I wouldn't want to trip Panda and cause you to not be able to see a legitimate message :)  If you're using Declude JunkMail Pro v1.77i7+, you can generally protect your customers from such things with the following filters (as well as others of course):     http://www.mailpure.com/software/decludefilters/zapthedingbat/ZapTheDingbat_v2-1-0.zip     http://www.mailpure.com/software/decludefilters/obfuscation/Obfuscation_v2-1-0.zip I think what both I and Scott were suggesting was that antivirus programs should be used to protect computers from viruses and not to protect people from their own lack of judgment in clicking on obfuscated links, or prevent people like us from discussing such techniques.  I hope that AV companies stay away from policing content and stick to programs and scripts. Your original post spoke about a RTF document with an error that corresponded directly to what is described above.  I'm not sure where the stuff about mimail.b, zip files and trojans comes from or how it relates. Matt Rick Klinge wrote: Actually the original posting, that I posted, was referring to a virus/trojan. No matter how anyone wants to try to piddle with words the fact remains the same: any email that contains malicious content or attachments that causes or could cause a computer harm, probably contains a virus or trojan. Any major AV company that classifies the same strain as the same virus or trojan knows more about this then I do. All I trust is that when they say it is a virus or trojan then it is - Period - no questions asked. That said this particular one was an email that had an attached zip file to it. Within that zip file was a trojan. That trojan would contact a site in Russia, now closed, to download the binary payload to complete the trojan thus allowing hackers to use your computer at will. Ref: http://securityresponse.symantec.com/avcenter/venc/data/downloader.mimail.b. html Just because an AV company can't or don't find a virus doesn't mean they are bad. This particular strain was found by Norton only a few days ago. FWIW Panda has out performed Norton's AV and I have yet heard of any ill's from it. Now Norton's on the other hand, I believe, has had issues with its auto update feature and recently I believe there was issues with it not being able to connect or function properly because of an intermediate certificate expiration. What I do know is that one should never ever install Panda and Norton's on the same machien. As for turning off anti-virus protection on your laptop.. Hehe.. That can be done.. It's easy and of course it's your choice. There is a feature within panda that will allow you to disable the email scanning. Antivirus software, AFAIK, comes default with all protection on.. Nature of that type of software. I don't believe there is anyway to turn off 'certain' types of virus checking.. There are like 80,000 of them out there.. Would make for a whole lot of check boxes don't ya think? Who would want to turn off scanning for individual viruses anyway? Maybe I've missed your point.. But doubt it. ~Rick -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adrian Portway Sent: Thursday, January 15, 2004 9:14 PM To: [EMAIL PROTECTED] Subject: RE: [IMail Forum] URLSpoof contained within an RTF Doc I have just bought a new laptop with Panda AV pre installed. When I ran a full scan on the system today Panda AV found 8 "infected" files, all of these where in a sub mailbox of Eudora where only my E mails from this list are stored! Since I had moved this mailbox from my old machine which ran Norton AV and never reported a problem I know that there are no viruses there. This appears to me a case of the AV vendor/vendors trying to protect the user from themselves, I have yet to find anywhere in the settings where this type of checking can be switched off. I object to this type of approach by software vendors, at my company we have always felt that our software should allow the user to take a course of action if they choose (although we warn them of the possible consequences). Surely it's better to educate the user than just stop them dead. Alternatively we could start marketing the ultimate AV program. Roll up, roll up for the latest in Anti virus technology, install this on your machine and never get virus again, of course once we've removed the ability to connect to the Internet you will be unable to get e mail or shop on e Bay so you may just want to give you computer to the local school. After I have run this idea past our marketing people and developers I will be looking for an AV program that allows me to have some input into what I can do on my own machine. ___________________________________________________________________ Virus Scanned and Filtered by http://www.FamHost.com E-Mail System. To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================