Re: [Mimedefang] TestVirus.org
On 2004-07-29 (Thursday) at 17:43:18 -0700, Kenneth Porter wrote:
> Just saw this on the Procmail Sanitizer list: http://www.testvirus.org/
> This web site allows you to send a harmless test virus to any email address. If your mail server or email hosting provider is running anti-virus software, these emails should get blocked. Brought to you by Webmail.us

That's not the case if you've done what I have and put the following code in mimedefang-filter (this is with ClamAV):

    # Discard anything the scanner flags, except the EICAR test signature
    if ($FoundVirus and $VirusName ne 'Eicar-Test-Signature') {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding because of virus $VirusName");
        return action_discard();
    }

I did that because one of my users is on a mailing list that discussed that test signature in detail a while back and included it in many of the posts in the discussion. As it was legitimate email I made sure it wasn't blocked. Hopefully no one will complain about lack of virus scanning if they manage to mail themselves Eicar!

Mark.

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] TestVirus.org
Hi,

Just did the test for mimedefang and clamav: Clamav is not catching 5 tests, and viri are slipping through! At least test 8 and 23 are very important to catch I think:

Test #5: Eicar virus sent using BinHex encoding (this is a rarely used Macintosh mail format)
Test #8: Eicar virus sent using BinHex encoding within a MIME segment
Test #22: Eicar virus within zip file hidden using the MIME Continuation Vulnerability (attachment can be opened by all versions of Microsoft Outlook and Outlook Express)
Test #23: Eicar virus within zip file hidden using the Empty MIME Boundary Vulnerability (attachment can be opened by all versions of Microsoft Outlook and Outlook Express)
Test #25 (non-virus): Attachment with a CLSID extension which may hide the real file extension. This does not include the Eicar virus, however your mailserver should still block this since the CLSID technique can be used to hide the true extension of a malicious file. (attachment can be opened by any Windows computer)

I already mailed this to the clamav people.

Martin

> Just saw this on the Procmail Sanitizer list: http://www.testvirus.org/
Re: [Mimedefang] TestVirus.org
Test #5,8,22,23 all failed here using MIMEDefang 2.42b2 and f-prot 4.4.3 ...

Test #5: Eicar virus sent using BinHex encoding
Test #8: Eicar virus sent using BinHex encoding within a MIME segment
Test #22: Eicar virus within zip file hidden using the MIME Continuation Vulnerability
Test #23: Eicar virus within zip file hidden using the Empty MIME Boundary Vulnerability

I think MD could be tweaked to fix some of these failures but not all of them?? Since there seems to be a common failure, maybe someone could help write a few lines into 'mimedefang-filter' to check for these as well?

However, when the email was delivered to the client machine Norton SAV promptly still caught this.

-- 
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282

** DISCLAIMER **
Per Anti-Virus Policy, this email has been scanned for viruses.
Scanned clean by F-PROT ANTIVIRUS 4.4.3 - http://www.f-prot.com
Re: [Mimedefang] TestVirus.org
Hi,

Have also just run these tests: Test #22, #23 failed here using MD 2.43, and SA only. No AV configured. All mails from this system are forwarded to separate AV system running Trend's InterScan VirusWall which picked up #5 and #8 no problem. My client picked up #23 afterwards once it got to the desktop.

Cheers,
Richard

> Test #5,8,22,23 all failed here using MIMEDefang 2.42b2 and f-prot 4.4.3 ...
>
> Test #5: Eicar virus sent using BinHex encoding
> Test #8: Eicar virus sent using BinHex encoding within a MIME segment
> Test #22: Eicar virus within zip file hidden using the MIME Continuation Vulnerability
> Test #23: Eicar virus within zip file hidden using the Empty MIME Boundary Vulnerability
>
> I think MD could be tweaked to fix some of these failures but not all of them?? Since there seems to be a common failure, maybe someone could help write a few lines into 'mimedefang-filter' to check for these as well?
>
> However, when the email was delivered to the client machine Norton SAV promptly still caught this.

-- 
Richard Whelan
Senior Systems Administrator
PIPEX
Direct: +44 (0) 1865 381568
Mobile: +44 (0) 7786 276020
website: http://www.pipex.net/
This e-mail is subject to: http://www.pipex.net/disclaimer.html
Re: Re: [Mimedefang] TestVirus.org
I just ran it here with MD 2.41 + SA 2.60 + ClamAV 0.67. #5, #8, #23 and #25 got through. However, #8 and #25 had the offending attachment removed by MD and a warning attached to the email. So basically only #5 and #23 really got through unscathed.

But yes, efforts should be made to plug up these holes. Not sure if this is something MD should do. Since it's a virus, I believe it's more for ClamAV.

Nice site tho! Thanks for the link.
Re: Re: [Mimedefang] TestVirus.org
On Fri, 30 Jul 2004, Paul wrote:
> I just ran it here with MD 2.41 + SA 2.60 + ClamAV 0.67. #5, #8, #23 and #25 got through.

The MIME continuation vulnerability exploits a bug in Outlook. MIMEDefang interprets the message correctly according to the MIME RFCs. As I wrote before many times, I have no intention of making MIMEDefang bug-for-bug compatible with various buggy MUAs.

If you're really concerned about this thing, the *ONLY* sane response is to canonicalize every single message coming into your system by using action_rebuild(). This will ensure that every message handed off by MIMEDefang is a well-formed MIME message, and should reduce the likelihood of misinterpretation by buggy MUAs.

Regards,
David.
RE: Re: [Mimedefang] TestVirus.org
I also ran the test last night -- the only one that got through our server is #24, and there supposedly wasn't even a virus attached to that one. We're running ClamAV 0.74, SA 2.63.

- Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:mimedefang- [EMAIL PROTECTED] On Behalf Of Paul
Sent: Friday, July 30, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Re: [Mimedefang] TestVirus.org

> I just ran it here with MD 2.41 + SA 2.60 + ClamAV 0.67. #5, #8, #23 and #25 got through. However, #8 and #25 had the offending attachment removed by MD and a warning attached to the email. So basically only #5 and #23 really got through unscathed.
>
> But yes, efforts should be made to plug up these holes. Not sure if this is something MD should do. Since it's a virus, I believe it's more for ClamAV.
>
> Nice site tho! Thanks for the link.
RE: Re: [Mimedefang] TestVirus.org
On Fri, 30 Jul 2004, Chris Gauch wrote:
> I also ran the test last night -- the only one that got through our server is #24,

24 can be zapped by bouncing the message/partial MIME type. That's something I strongly recommend anyway; message/partial is a security nightmare. What the h*ll were the RFC authors thinking anyway??? :-(

Regards,
David.
Re: Re: [Mimedefang] TestVirus.org
[EMAIL PROTECTED] wrote on 07/30/2004 10:50:50 AM:
> As I wrote before many times, I have no intention of making MIMEDefang bug-for-bug compatible with various buggy MUAs.
>
> If you're really concerned about this thing, the *ONLY* sane response is to canonicalize every single message coming into your system by using action_rebuild(). This will ensure that every message handed off by MIMEDefang is a well-formed MIME message, and should reduce the likelihood of misinterpretation by buggy MUAs.

How bad would the performance hit be to do the action_rebuild on every message? It seems that forcing all traffic into accept normal forms would be something desirable if the price isn't unreasonable.
Re: Re: [Mimedefang] TestVirus.org
--On Friday, July 30, 2004 10:50 AM -0400 David F. Skoll [EMAIL PROTECTED] wrote:
> As I wrote before many times, I have no intention of making MIMEDefang bug-for-bug compatible with various buggy MUAs.
>
> If you're really concerned about this thing, the *ONLY* sane response is to canonicalize every single message coming into your system by using action_rebuild(). This will ensure that every message handed off by MIMEDefang is a well-formed MIME message, and should reduce the likelihood of misinterpretation by buggy MUAs.

Has anyone seen problems when using this with legitimate email? What real-world mail gets trapped by this?
Re: [Mimedefang] TestVirus.org
On Friday 30 July 2004 03:03 am, Martin Blapp wrote:
> Clamav is not catching 5 tests, and viri are slipping through! At least test 8 and 23 are very important to catch I think:

There's timing... I was just looking at this stuff yesterday. I got the same results initially (except for #25, which had been defanged), but after investigation was able to easily block the rest by copying a few bits over from the current example filter. From what I can tell, it looks like these would all be detected by a default install of the latest MimeDefang paired with a current Clamd with the ScanMail option enabled.

> Test #5: Eicar virus sent using BinHex encoding (this is a rarely used Macintosh mail format)
> Test #8: Eicar virus sent using BinHex encoding within a MIME segment

Actually, it's MIMEDefang that doesn't detect these, because it doesn't decode BinHex. So if you're just passing the message parts MD sees to ClamAV, it doesn't have a chance to see them. ClamAV will detect them in the raw message if you have the ScanMail option active in clamav.conf. Take a cue from the current example filter and call md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling message_contains_virus. This way, clamd gets to look at the raw message in addition to the MD-decoded parts and will pick out the binhex attachment. Note that you have to do something in response to this rather than wait for entity_contains_virus, because MD won't see that entity.

> Test #22: Eicar virus within zip file hidden using the MIME Continuation Vulnerability (attachment can be opened by all versions of Microsoft Outlook and Outlook Express)
> Test #23: Eicar virus within zip file hidden using the Empty MIME Boundary Vulnerability (attachment can be opened by all versions of Microsoft Outlook and Outlook Express)

Interestingly, after I made that change I discovered that Clam was picking up these two as well. Given the wide range of MIME parsers and malformations that will slip by some and get picked up by others, it's good to have two different implementations scanning your mail. Again, you have to take action on message_contains_virus, and not wait for the per-entity results, because MD will see these as invalid MIME and not as attachments.

> Test #25 (non-virus): Attachment with a CLSID extension which may hide the real file extension. This does not include the Eicar virus, however your mailserver should still block this since the CLSID technique can be used to hide the true extension of a malicious file. (attachment can be opened by any Windows computer)

ClamAV has no reason to detect this: it doesn't include a virus. That said, MIMEDefang's default filter_bad_filename should pick this up. It does here.

-- 
Kelson Vibber
SpeedGate Communications, www.speed.net
Re: Re: [Mimedefang] TestVirus.org
On Fri, 30 Jul 2004 [EMAIL PROTECTED] wrote:
> How bad would the performance hit be to do the action_rebuild on every message?

Not that bad. If you add boilerplate, for example, you're doing that anyway. However, if you're short on disk I/O, it will cause problems, because it essentially doubles your Sendmail queue I/O usage.

Regards,
David.
Re: [Mimedefang] TestVirus.org
> On Friday 30 July 2004 03:03 am, Martin Blapp wrote:
>> Clamav is not catching 5 tests, and viri are slipping through! At least test 8 and 23 are very important to catch I think:
>
> There's timing... I was just looking at this stuff yesterday. I got the same results initially (except for #25, which had been defanged), but after investigation was able to easily block the rest by copying a few bits over from the current example filter. From what I can tell, it looks like these would all be detected by a default install of the latest MimeDefang paired with a current Clamd with the ScanMail option enabled.

Could you kindly post exactly what you did?

> Take a cue from the current example filter and call md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling message_contains_virus. This way, clamd gets to look at the raw message in addition to the MD-decoded parts and will pick out the binhex attachment. Note that you have to do something in response to this rather than wait for entity_contains_virus, because MD won't see that entity.

Can you also expand on this please? (examples ?)

thanks in advance!

-JDB
Re: Re: [Mimedefang] TestVirus.org
[EMAIL PROTECTED] wrote on 07/30/2004 12:24:15 PM:
> Not that bad. If you add boilerplate, for example, you're doing that anyway. However, if you're short on disk I/O, it will cause problems, because it essentially doubles your Sendmail queue I/O usage.

Am I correct in believing the CanIT voting links would also cause an action_rebuild as well?
Re: [Mimedefang] TestVirus.org
At 09:55 AM 7/30/2004, J.D. Bronson wrote:
> Could you kindly post exactly what you did?

OK:

>> Take a cue from the current example filter and call md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling message_contains_virus.

That's it. I just placed md_copy_orig_msg_to_work_dir_as_mbox_file(); in filter_begin, right before message_contains_virus(). (Actually I still have some old code calling specific scanners, but that's the only change that was necessary.)

> Can you also expand on this please? (examples ?)

The mimedefang-filter.example probably says it better than I could -- particularly since I still have a lot of complicated code left over from older customizations.

Kelson Vibber
SpeedGate Communications
www.speed.net
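Putting the thread's advice together, here is an added example of a mimedefang-filter fragment; it is an illustration written for this page, not the project's stock filter, though every hook and action_* function it calls is MIMEDefang's own. It combines Kelson's raw-message copy before message_contains_virus, David's message/partial bounce and action_rebuild(), and the stock filter_bad_filename check for the CLSID case; it assumes a 2.4x-era MIMEDefang with clamd's ScanMail enabled, and the log and bounce strings are made up for the example.

```perl
# mimedefang-filter fragment (added example, not the stock filter).
# Globals such as $FoundVirus, $VirusName, $RelayAddr and $Sender are
# set by mimedefang.pl before the hooks below are called.

sub filter_begin {
    # MIMEDefang hands the scanner only the MIME parts it could decode.
    # It does not decode BinHex (tests #5/#8), and malformed MIME such
    # as an empty boundary (#23) or a "continuation" part (#22) is not
    # split into entities at all, so those payloads never reach the
    # per-entity scan.  Copying the raw message into the work directory
    # lets clamd (with ScanMail enabled) parse the whole message itself.
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Scan everything now in the work directory: decoded parts plus
    # the raw mbox copy.
    my ($code, $category, $action) = message_contains_virus();

    # Act on the whole-message result here.  A virus that the scanner
    # found only in the raw copy has no entity of its own, so waiting
    # for entity_contains_virus in filter() would miss it.
    $FoundVirus = ($category eq 'virus');
    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding because of virus $VirusName");
        return action_discard();
    }
    if ($action eq 'tempfail') {
        # Scanner trouble, not a clean result: defer rather than let
        # unscanned mail through.
        md_syslog('warning',
                  "Virus scanner problem: code=$code, category=$category");
        return action_tempfail('Problem running virus scanner, try again later');
    }
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # message/partial (test #24) splits a payload across messages so
    # that no single piece can be scanned.  Refuse it outright.
    if (lc($type) eq 'message/partial') {
        md_syslog('warning', "Bouncing message/partial from $Sender");
        return action_bounce('message/partial messages are not accepted here');
    }

    # Stock MIMEDefang check; it is what catches the CLSID-extension
    # attachment (test #25), which carries no virus for a scanner to see.
    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_drop_with_warning(
            "An attachment named $fname was removed because its file type is not accepted here.");
    }
    return action_accept();
}

sub filter_end {
    my ($entity) = @_;
    return if message_rejected();

    # Canonicalize: re-serialise the message as well-formed MIME so that
    # what leaves the filter is what a correct parser saw.  This is what
    # addresses #22/#23 for MUAs that "recover" hidden parts from
    # malformed MIME.  It costs an extra copy of the body in Sendmail's
    # queue (the df file is rewritten), as David notes above.
    action_rebuild();
}

# mimedefang-filter must return true when loaded.
1;
```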
Re: Re: [Mimedefang] TestVirus.org
At 09:24 AM 7/30/2004, David F. Skoll wrote:
> On Fri, 30 Jul 2004 [EMAIL PROTECTED] wrote:
>> How bad would the performance hit be to do the action_rebuild on every message?
>
> Not that bad. If you add boilerplate, for example, you're doing that anyway. However, if you're short on disk I/O, it will cause problems, because it essentially doubles your Sendmail queue I/O usage.

This would be done in the MD working directory, though, right? So if you're running that on a ramdisk, it shouldn't be too much of a difference.

I would think the main drawback of this would be in altering signed messages.

Kelson Vibber
SpeedGate Communications
www.speed.net
Re: Re: [Mimedefang] TestVirus.org
On Fri, 30 Jul 2004 [EMAIL PROTECTED] wrote:
> Am I correct in believing the CanIT voting links would also cause an action_rebuild as well?

Yes, they do.

Regards,
David.
Re: Re: [Mimedefang] TestVirus.org
On Fri, 30 Jul 2004, Kelson Vibber wrote:
> This would be done in the MD working directory, though, right? So if you're running that on a ramdisk, it shouldn't be too much of a difference.

Except that you have to pass the message back to Sendmail, and Sendmail replaces the df file with the new message body. That consumes real disk I/O.

> I would think the main drawback of this would be in altering signed messages.

Most signed messages should survive, as long as they were well-formed MIME to begin with.

Regards,
David.
RE: Re: [Mimedefang] TestVirus.org
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll

> Except that you have to pass the message back to Sendmail, and Sendmail replaces the df file with the new message body. That consumes real disk I/O.

I'll have to admit that, on FreeBSD CURRENT using softupdates (where short lived files don't get written to disk) I've noticed no performance impact of rebuilding messages.

> Most signed messages should survive, as long as they were well-formed MIME to begin with.

To date I've not had any problems that I could conclusively point the finger at the rebuild causing. One or two messages from the same source come through broken every so often, but I've reason to believe it's at their end.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
[Mimedefang] TestVirus.org
Just saw this on the Procmail Sanitizer list: http://www.testvirus.org/

> This web site allows you to send a harmless test virus to any email address. If your mail server or email hosting provider is running anti-virus software, these emails should get blocked. Brought to you by Webmail.us
>
> The options below provide several different ways to send the test virus through email. Your anti-virus software should catch them all.
[Mimedefang] TESTVIRUS.org - test question
I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result.

Of the 17 tests, 3 failed with MD+CLAMAV+F-PROT. Neither CLAMAV nor F-PROT detected the BinHex encoded copies of EICAR, though the scanners further down the line did. Fairly impressively MD did catch the Outlook CR vulnerability, but nothing (not MD, not any of the later scanners) caught the Outlook space gap vulnerability test. Fortunately at that point Outlook blocked the attachment :)

I'm already discussing the BinHex problem on the CLAMAV list, but was wondering if anybody knew of a way to solve the space gap problem with MimeDefang.

TIA

-- 
Rob MacGregor (BOFH) [PGP key ID 0x1E51BF5A]
If I cannot bend Heaven, I shall move Hell. -- Publius Vergilius Maro (Virgil).
Re: [Mimedefang] TESTVIRUS.org - test question
At 09.04 28/02/2004, you wrote:
> I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result.

I'm using sophos and it didn't catch the binhex encoded virus. I'm also interested in solving the 'space gap' with MD, if possible

> Of the 17 tests, 3 failed with MD+CLAMAV+F-PROT. Neither CLAMAV nor F-PROT detected the BinHex encoded copies of EICAR, though the scanners further down the line did. Fairly impressively MD did catch the Outlook CR vulnerability, but nothing (not MD, not any of the later scanners) caught the Outlook space gap vulnerability test. Fortunately at that point Outlook blocked the attachment :)
>
> I'm already discussing the BinHex problem on the CLAMAV list, but was wondering if anybody knew of a way to solve the space gap problem with MimeDefang.
>
> TIA
>
> -- 
> Rob MacGregor (BOFH) [PGP key ID 0x1E51BF5A]
> If I cannot bend Heaven, I shall move Hell. -- Publius Vergilius Maro (Virgil).

---
Computers are machines to help you solve problems you wouldn't have if you didn't have a computer.
---
Ing. Andrea Gabellini
Email: [EMAIL PROTECTED]
Tel: 0549 886111 (Italy)
Tel. +378 0549 886111 (International)
Intelcom San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino
http://www.omniway.sm
http://www.intelcom.sm
Re: [Mimedefang] TESTVIRUS.org - test question
On Sat, 28 Feb 2004, Andrea Gabellini wrote:
> At 09.04 28/02/2004, you wrote:
>> I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result.
>
> I'm using sophos and it didn't catch the binhex encoded virus.

Same here, and it also passed through the space gap test too - however, the file that I saved was not eicar.com! Either pine mis-decoded it, or they wrongly encoded it at source.

A real copy of eicar.com:

gordon @ lion: od -x eicar.com
000 3558 214f 2550 4140 5b50 5c34 5a50 3558
020 2834 5e50 3729 4343 3729 247d 4945 4143
040 2d52 5453 4e41 4144 4452 412d 544e 5649
060 5249 5355 542d 5345 2d54 4946 454c 2421
100 2b48 2a48 000a

The version pine saved from the space gap test:

gordon @ unicorn: od -x eicar.com
000 6559 5996 9665 6559 5996 9665 6559 5996
020 9665 6559 5996 9665 6559 5996 9665 6559
040 5996 9665 6559 5996 9665 6559 5996 9665
060 6559 5996 9665 6559 5996 9665 6559 5996
100 9665 2a48 0020

So something's wrong somewhere..

Gordon
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrea Gabellini

> I'm using sophos and it didn't catch the binhex encoded virus.

I've found that clamav *will* catch it (the binhex test), assuming it's not sent directly. The problem is that clamav only enables the mail decoding function if the first word of the file passed to it is one of a number of key words. Where a previous MTA has stuck a Received: header as the first line all is well, however when it's sent directly (as from testvirus.org) that magic header isn't there and clamav treats it like a plain file.

I've asked the clamav folks if some flag can be set to tell clamav to treat every file as a mail file, for use in mail scanners. If they don't object I may just look at working a patch for them.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Mueller

> No, this is not the problem. mimedefang does not pass the original mail to ClamAV. it extracts all mime parts, and then calls the virus scanner on those files, since not all virus scanners can handle raw mails. The virus scanner never actually sees the original, unmodified mail with mimedefang. So this is a mimedefang-only bug. Not a bug in ClamAV.

Well, I'd call it a bug (or maybe a feature) of both :)

I would say that the problem is that MD only does part of the job of extracting parts. Rather than fully decoding the email it does a half-hearted job (and no, I'm not having a go - it's a design choice I can fully understand). This means that any smart scanners get only part of the story. Ideally MD would not just pass the decoded parts but the original email, as is, to the scanner. There would be some overhead, but it's better than the current situation.

> BTW, my workaround for letting ClamAV handle mails directly is to prepend the mail with a From [EMAIL PROTECTED] before passing it down to clamdscan --mbox. This way it will always handle it as email.

I had thought about that myself :)

> But again, to avoid misunderstandings: this is not needed with mimedefang, since mimedefang never runs the virus scanner on the mail itself.

Yeah, I solved the problem by using clamav-milter itself. I'd rather not have something else in the loop (more things to break), but I'll live with it.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
RE: [Mimedefang] TESTVIRUS.org - test question
On Sat, 28 Feb 2004, Rob wrote:
> I would say that the problem is that MD only does part of the job of extracting parts. Rather than fully decoding the email it does a half-hearted job (and no, I'm not having a go - it's a design choice I can fully understand). This means that any smart scanners get only part of the story. Ideally MD would not just pass the decoded parts but the original email, as is, to the scanner. There would be some overhead, but it's better than the current situation.

It's pretty easy -- before you call message_contains_virus, put this in your filter:

    # Put the raw, undecoded message where the scanner will see it
    copy_or_link("./INPUTMSG", "./Work/INPUTMSG");

This ensures that the original raw message is sitting in Work/, ready for scanning. You might need to give the virus scanner special options to get it to decode a mail message, but it's not too hard.

-- 
David.
Re: [Mimedefang] TESTVIRUS.org - test question
On Saturday 28 February 2004 19:28, Rob wrote:
>> So this is a mimedefang-only bug. Not a bug in ClamAV.
>
> Well, I'd call it a bug (or maybe a feature) of both :)

As currently ClamAV never actually sees the faulty bit, it can't be a bug in ClamAV. On the contrary, I would consider a bug in ClamAV when it starts to decode inline binhex in arbitrary files (not (!) emails).

> email, as is, to the scanner. There would be some overhead, but it's better than the current situation.

It's not a half-hearted solution. What would you think about ClamAV detecting a virus in a mail, but then not finding the entity containing the virus (like for dropping it in your filter). Sure you would consider that a bug too.. right?

> Yeah, I solved the problem by using clamav-milter itself. I'd rather not have something else in the loop (more things to break), but I'll live with it.

Well, more things in the loop can also prevent a single thing from breaking if combined cleverly (like using two virus scanners instead of one, since one alone always tends to be out of date just the very second you would need it).

Dirk
Re: [Mimedefang] TESTVIRUS.org - test question
On Sat, 2004-02-28 at 13:44, Dirk Mueller wrote:
>>> So this is a mimedefang-only bug. Not a bug in ClamAV.
>>
>> Well, I'd call it a bug (or maybe a feature) of both :)
>
> As currently ClamAV never actually sees the faulty bit, it can't be a bug in ClamAV. On the contrary, I would consider a bug in ClamAV when it starts to decode inline binhex in arbitrary files (not (!) emails).

I'm not sure I followed all the steps here, but if MimeDefang saves the attachment in the same form that a mail user agent would if you told it to save to a file that sounds correct to me. If ClamAV doesn't detect a virus when it scans that file, whether saved by an MUA or MimeDefang, then it seems like a bug in ClamAV.

---
Les Mikesell
[EMAIL PROTECTED]
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll

> It's pretty easy -- before you call message_contains_virus, put this in your filter:
>
>     copy_or_link("./INPUTMSG", "./Work/INPUTMSG");
>
> This ensures that the original raw message is sitting in Work/, ready for scanning. You might need to give the virus scanner special options to get it to decode a mail message, but it's not too hard.

That's worth knowing - I may have a play with that later. Fortunately with clamd you can enable the scanning of mail files as a default, so if it detects the magic word at the start of the file it'll know what it is.

Thanks.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Mueller

> It's not a half-hearted solution. What would you think about ClamAV detecting a virus in a mail, but then not finding the entity containing the virus (like for dropping it in your filter). Sure you would consider that a bug too.. right?

Why should I care - if it finds a virus in the email then the email gets dropped in the bit bucket (or quarantined). At that point it becomes utterly irrelevant *where* the virus is in the email. Yes, there's always the option of stripping out the virus from the email - but why? It's pretty unlikely (for values of unlikely approximating zero) that there will be any legitimate content in a virus infected email.

>> Yeah, I solved the problem by using clamav-milter itself. I'd rather not have something else in the loop (more things to break), but I'll live with it.
>
> Well, more things in the loop can also prevent a single thing from breaking if combined cleverly (like using two virus scanners instead of one, since one alone always tends to be out of date just the very second you would need it).

Which is why I've got more than one in the loop. By the time any email gets to my mail client it's been through 4 different scanners :) So far (touch wood) nothing's got through to the client, yet.

I'd like to only use MD, not MD and clamav-milter, purely to keep overheads minimal. I'll probably play with David's suggestion later next week and see if it works for me, in which case I can junk clamav-milter.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
Re: [Mimedefang] TESTVIRUS.org - test question
On Saturday 28 February 2004 23:09, Rob wrote:
> clamd you can enable the scanning of mail files as a default, so if it detects the magic word at the start of the file it'll know what it is.

I've added this code to message_contains_virus_clamd():

    # copy message for clamd
    open(I, "<INPUTMSG");
    open(O, ">Work/COMPLETE_MSG");
    # give ClamAV the hint to treat it as mbox, otherwise
    # it doesn't detect all the inline files.
    print O "From [EMAIL PROTECTED] 1 Jan 2004\r\n";
    while (<I>) {
        print O $_;
    }
    close(I); close(O);

which is great for detecting attachments in MIME-broken emails (like qmail-send bounces). Those otherwise slip by ClamAV (the same needs to be done for the non-daemon version of ClamAV checking, but I don't use that code).
Re: [Mimedefang] TESTVIRUS.org - test question
On Saturday 28 February 2004 23:15, Rob wrote:
> Why should I care - if it finds a virus in the email then the email gets dropped in the bit bucket (or quarantined). At that point it becomes utterly irrelevant *where* the virus is in the email.

That might be the case for your filter, but anybody not running it for his own pleasure most likely does not run such a configuration. Besides that, there are things called false positives which do happen from time to time.