Re: [Mimedefang] TestVirus.org

2004-07-31 Thread Mark Sheppard
On 2004-07-29 (Thursday) at 17:43:18 -0700, Kenneth Porter wrote: > Just saw this on the Procmail Sanitizer list: > > > > >This web site allows you to send a harmless test virus to any > >email address. If your mail server or email hosting provider is > >running anti-vi

RE: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Rob
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of David F. Skoll > > Except that you have to pass the message back to Sendmail, > and Sendmail > replaces the "df" file with the new message body. That consumes > real disk I/O. I'll have to admit

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread David F. Skoll
On Fri, 30 Jul 2004, Kelson Vibber wrote: > This would be done in the MD working directory, though, right? So if > you're running that on a ramdisk, it shouldn't be too much of a difference. Except that you have to pass the message back to Sendmail, and Sendmail replaces the "df" file with the n

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread David F. Skoll
On Fri, 30 Jul 2004 [EMAIL PROTECTED] wrote: > Am I correct in believing the CanIT voting links would also cause an > action_rebuild as well? Yes, they do. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Kelson Vibber
At 09:24 AM 7/30/2004, David F. Skoll wrote: On Fri, 30 Jul 2004 [EMAIL PROTECTED] wrote: > How bad would the performance hit be to do the action_rebuild on every > message? Not that bad. If you add boilerplate, for example, you're doing that anyway. However, if you're short on disk I/O, it will

Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Kelson Vibber
At 09:55 AM 7/30/2004, J.D. Bronson wrote: Could you kindly post exactly what you did? OK: Take a cue from the current example filter and call md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling message_contains_virus. That's it. I just placed "md_copy_orig_msg_to_work_dir_as_mbox_file

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread WBrown
[EMAIL PROTECTED] wrote on 07/30/2004 12:24:15 PM: > Not that bad. If you add boilerplate, for example, you're doing that > anyway. However, if you're short on disk I/O, it will cause problems, > because it essentially doubles your Sendmail queue I/O usage. Am I correct in believing the CanIT

Re: [Mimedefang] TestVirus.org

2004-07-30 Thread J.D. Bronson
On Friday 30 July 2004 03:03 am, Martin Blapp wrote: > Clamav is not catching 5 tests, and viri are slipping through! At least > test 8 and 23 are very important to catch I think: There's timing... I was just looking at this stuff yesterday. I got the same results initially (except for #25, which

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread David F. Skoll
On Fri, 30 Jul 2004 [EMAIL PROTECTED] wrote: > How bad would the performance hit be to do the action_rebuild on every > message? Not that bad. If you add boilerplate, for example, you're doing that anyway. However, if you're short on disk I/O, it will cause problems, because it essentially doub

Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Kelson Vibber
On Friday 30 July 2004 03:03 am, Martin Blapp wrote: > Clamav is not catching 5 tests, and viri are slipping through! At least > test 8 and 23 are very important to catch I think: There's timing... I was just looking at this stuff yesterday. I got the same results initially (except for #25, whic

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Kenneth Porter
--On Friday, July 30, 2004 10:50 AM -0400 "David F. Skoll" <[EMAIL PROTECTED]> wrote: As I wrote before many times, I have no intention of making MIMEDefang "bug-for-bug" compatible with various buggy MUAs. If you're really concerned about this thing, the *ONLY* sane response is to canonicalize

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread WBrown
[EMAIL PROTECTED] wrote on 07/30/2004 10:50:50 AM: > As I wrote before many times, I have no intention of making MIMEDefang > "bug-for-bug" compatible with various buggy MUAs. If you're really > concerned about this thing, the *ONLY* sane response is to canonicalize > every single message coming

Re: Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Paul
>The MIME continuation vulnerability exploits a bug in Outlook. >MIMEDefang interprets the message correctly according to the MIME >RFCs. I just checked up on that and found you are right David. One of the reasons I'm not using Outhouse is because of all its bugs and vulnerabilities. Unfortunat

RE: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread David F. Skoll
On Fri, 30 Jul 2004, Chris Gauch wrote: > I also ran the test last night -- the only one that got through our server > is #24, 24 can be zapped by bouncing the "message/partial" MIME type. That's something I strongly recommend anyway; message/partial is a security nightmare. What the h*ll were

RE: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Chris Gauch
[EMAIL PROTECTED] On Behalf Of Paul > Sent: Friday, July 30, 2004 10:42 AM > To: [EMAIL PROTECTED] > Subject: Re: Re: [Mimedefang] TestVirus.org > > I just ran it here with MD 2.41 + SA 2.60 + ClamAV 0.67. #5, #8, #23 and > #25 got through. However, #8 and #25 had the offending att

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread David F. Skoll
On Fri, 30 Jul 2004, Paul wrote: > I just ran it here with MD 2.41 + SA 2.60 + ClamAV 0.67. #5, #8, #23 > and #25 got through. The MIME continuation vulnerability exploits a bug in Outlook. MIMEDefang interprets the message correctly according to the MIME RFCs. As I wrote before many times, I ha

Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Paul
I just ran it here with MD 2.41 + SA 2.60 + ClamAV 0.67. #5, #8, #23 and #25 got through. However, #8 and #25 had the offending attachment removed by MD and a warning attached to the email. So basically only #5 and #23 really got through unscathed. But yes, efforts should be made to plug up thes

Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Richard Whelan
Hi, Have also just run these tests: Test #22, & #23 failed here using MD 2.43, and SA only. No AV configured. All mails from this system are forwarded to separate AV system running Trend's InterScan VirusWall which picked up #5 and #8 no problem. My client picked up #23 afterwards once it got t

Re: [Mimedefang] TestVirus.org

2004-07-30 Thread J.D. Bronson
Test #5,8,22,23 all failed here using MIMEDefang 2.42b2 and f-prot 4.4.3 ... Test #5: Eicar virus sent using BinHex encoding Test #8: Eicar virus sent using BinHex encoding within a MIME segment Test #22: Eicar virus within zip file hidden using the "MIME Continuation Vulnerability" Test #23: Eica

Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Martin Blapp
Hi, Just did the test for mimedefang and clamav: Clamav is not catching 5 tests, and viri are slipping through! At least test 8 and 23 are very important to catch I think: Test #5: Eicar virus sent using BinHex encoding (this is a rarely used Macintosh mail format) Test #8: Eicar viru

[Mimedefang] TestVirus.org

2004-07-29 Thread Kenneth Porter
Just saw this on the Procmail Sanitizer list: This web site allows you to send a harmless test virus to any email address. If your mail server or email hosting provider is running anti-virus software, these emails should get blocked. Brought to you by Webmail.us The op

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Dirk Mueller
On Saturday 28 February 2004 23:15, Rob wrote: > Why should I care - if it finds a virus in the email then the email gets > dropped in the bit bucket (or quarantined). At that point it becomes > utterly irrelevant *where* the virus is in the email. That might be the case for your filter, but any

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Dirk Mueller
On Saturday 28 February 2004 23:09, Rob wrote: > clamd you can enable the scanning of mail files as a default, so if it > detects the magic word at the start of the file it'll know what it is. I've added this code to message_contains_virus_clamd(): # copy message for clamd open(I, "Wor

RE: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Rob
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Dirk Mueller > > It's not a half-hearted solution. What would you think about > ClamAV detecting a > virus in a mail, but then not finding the entity containing > the virus (like > for dropping i

RE: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Rob
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of David F. Skoll > > It's pretty easy -- before you call message_contains_virus, > put this in > your filter: > > copy_or_link("./INPUTMSG", "./Work/INPUTMSG"); > > This ensures that the orig

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Dirk Mueller
On Saturday 28 February 2004 21:33, Les Mikesell wrote: > I'm not sure I followed all the steps here, but if MimeDefang > saves the attachment in the same form that a mail user agent > would Well, it doesn't. That's my point (and that's why it's not a ClamAV bug IMHO). But it mostly depends on if

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Les Mikesell
On Sat, 2004-02-28 at 13:44, Dirk Mueller wrote: > > > So this is a mimedefang-only bug. Not a bug in ClamAV. > > Well, I'd call it a bug (or maybe a feature) of both :) > > As currently ClamAV never actually sees the faulty bit, it can't be a bug in > ClamAV. On the contrary, I would consider a

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Dirk Mueller
On Saturday 28 February 2004 19:28, Rob wrote: > > So this is a mimedefang-only bug. Not a bug in ClamAV. > Well, I'd call it a bug (or maybe a feature) of both :) As currently ClamAV never actually sees the faulty bit, it can't be a bug in ClamAV. On the contrary, I would consider a bug in Clam

RE: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread David F. Skoll
On Sat, 28 Feb 2004, Rob wrote: > I would say that the problem is that MD only does part of the job of > extracting parts. Rather than fully decoding the email it does a > half-hearted job (and no, I'm not having a go - it's a design choice I can > fully understand). This means that any smart sc

RE: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Rob
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Dirk Mueller > > No, this is not the problem. mimedefang does not pass the > original mail to > ClamAV. It extracts all mime parts, and then calls the virus > scanner on those > files, since not

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Dirk Mueller
On Saturday 28 February 2004 17:34, Rob wrote: > The problem is that clamav only enables the mail decoding function if the > first word of the file passed to it is one of a number of key words. No, this is not the problem. mimedefang does not pass the original mail to ClamAV. It extracts all mim

RE: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Rob
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Andrea Gabellini > > I'm using sophos and it didn't catch the binhex encoded virus. I've found that clamav *will* catch it (the binhex test), assuming it's not sent directly. The problem is that c

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Gordon Henderson
On Sat, 28 Feb 2004, Andrea Gabellini wrote: > At 09.04 28/02/2004, you wrote: > >I came across testvirus.org yesterday (a simple way to email yourself > >various ways of encoding EICAR) and was fairly happy with the result. > > I'm using sophos and it didn't catch the binhex encoded virus. Same

Re: [Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Andrea Gabellini
At 09.04 28/02/2004, you wrote: I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result. I'm using sophos and it didn't catch the binhex encoded virus. I'm also interested in solving the 'space gap' with MD, if poss

[Mimedefang] TESTVIRUS.org - test question

2004-02-28 Thread Rob
I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result. Of the 17 tests, 3 failed with MD+CLAMAV+F-PROT. Neither CLAMAV nor F-PROT detected the BinHex encoded copies of EICAR, though the scanners further down the