Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 10, 2006, at 6:28 PM, Gary V wrote:

Hmm, I wonder how many of the people who responded in one way or
another are actually familiar with the package in question. I have
been using Linux for a couple years now and have installed thousands
of packages. In general, I have not had any problems navigating the
package after it has been installed. Sure, packages need
configuration. Sure, time is well spent figuring out how to configure
them. I would have been happy to use the package in question rather
than compile from source, but after spending 30 minutes trying to get
into the mindset of the packager so I could actually get clamav to
function, I said f*** it.




See, you do that much effort, but then the OP said he just hacks the
word "example" out of the config file and runs the app as root.  That
means he took what, five minutes of effort?


The conf for ClamAV is rather well documented from my experiences
with it.  The packages may have altered the defaults or where the
files are located, but once it's in place, it's not normally that
hard to get working.  The hard part is integrating with other daemons
and scanners.  How do you expect THAT to be simplified for everyone
and all situations?


Yes, unlike the OP, I was willing to spend the time, but like the  
OP I wish I could have simply installed it and had it functioning  
(at least to the point I could then tweak it). This particular  
package appears to me it *is* trying to figure out and mold itself  
to environments like "CLAMAV for POSTFIX filtered through AMAVISD- 
NEW using SPAMASSASSIN" which in fact was my case, but somehow  
broke itself in the process of figuring this out. Your experience  
may differ. Heck, my experience may differ if I try to install the  
aforementioned packages in a different sequence, but I'm not sure  
my experience should differ. I would rather it simply put stuff in  
reasonably predictable places, then left it up to me to finish the  
configuration (if needed). The complexity of the package left me  
wanting something I could at least predict.


The only way to solve this problem is to find someone willing to set  
up a Linux VMWare image of a turnkey mail server for people who can't  
figure out how to fulfill their sysadmin duties.


Then you can answer the questions of how to set up VMWare Player or  
VMWare server.


-Bart
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 10, 2006, at 4:10 PM, jef moskot wrote:


On Fri, 10 Nov 2006, Bart Silverstrim wrote:

On Nov 10, 2006, at 11:07 AM, jef moskot wrote:

If some packages install without difficulty and others do not, then
how about we work together to bring the less efficient packages in line
with the more effective ones?


Now see, that's a reasonably worded request, but see, he didn't do  
that.


Couldn't we just pretend he did and move on from there?


Not really...he didn't tell us what the specific problem is aside  
from mentioning that he is unwilling to read the config file.  I  
shudder to think how he is going to get it to integrate with the MTA  
of choice...


He didn't tell us his config, his distro, anything.  How do you help  
him?


Or are you going to create a custom out-of-box working package for
him from the information in the original message?



Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 10, 2006, at 11:32 AM, Gary V wrote:


Ease of installation is valued by knowledgeable users also.


Yes, especially if they already know why it is working and how to
fix it if something goes wrong.




But you want a drop-in solution so you don't need to know
anything...how do you troubleshoot something when you don't know
what it's doing in the first place?




Hmm, I wonder how many of the people who responded in one way or
another are actually familiar with the package in question. I have
been using Linux for a couple years now and have installed
thousands of packages. In general, I have not had any problems
navigating the package after it has been installed. Sure, packages
need configuration. Sure, time is well spent figuring out how to
configure them. I would have been happy to use the package in
question rather than compile from source, but after spending 30
minutes trying to get into the mindset of the packager so I could
actually get clamav to function, I said f*** it.


See, you do that much effort, but then the OP said he just hacks the  
word "example" out of the config file and runs the app as root.  That  
means he took what, five minutes of effort?


The conf for ClamAV is rather well documented from my experiences  
with it.  The packages may have altered the defaults or where the  
files are located, but once it's in place, it's not normally that  
hard to get working.  The hard part is integrating with other daemons  
and scanners.  How do you expect THAT to be simplified for everyone  
and all situations?



Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 10, 2006, at 11:07 AM, jef moskot wrote:


On Fri, 10 Nov 2006, Bart Silverstrim wrote:
What you're talking about is hassle...if it's too much hassle, you move
on to something else.  That's fine and dandy.  But there are many many
many people who are using, for example, ClamAV without throwing a fit
because there's too much in the conf file to set up.


He didn't throw a fit, he suggested that if a package exists, it ought to
work.  I don't think that's unreasonable.


It does work.  It installs, you then set up the conf file for your  
specific setup.


Unless you have a way of packaging it so that you download
CLAMAV for POSTFIX filtered through AMAVISD-NEW using SPAMASSASSIN  
with options (XYZ) preset.rpm


And rewrite all the configs for those files in turn so it doesn't  
upset your site-specific info...


THAT was what he was asking for.

Calling him lazy is obscuring and sidestepping the actual problem.  It's
also pointless, since if you've read the subject line, you already know
that he's lazy.  He's admitted it, hooray, you win.


YAY! Let's have devs go out of their way to help someone too lazy to  
do the most basic steps.  If he's that lazy and ignorant, what makes  
you think he'd even work with packagers to assist in customizing a  
package for him?


If some packages install without difficulty and others do not, then how
about we work together to bring the less efficient packages in line with
the more effective ones?


Now see, that's a reasonably worded request, but see, he didn't do  
that.  He said he's ignorant, this stuff takes (/whine) too much  
effort to configure(/whine), and wants someone to do it for him as a  
package.


It's called outsourcing.


Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 10, 2006, at 11:17 AM, Jim Maul wrote:


Bart Silverstrim wrote:

On Nov 9, 2006, at 2:40 PM, Daniel J McDonald wrote:

On Thu, 2006-11-09 at 10:24 -0500, Bart Silverstrim wrote:

On Nov 7, 2006, at 6:48 PM, Jim Redman wrote:


Chris,



Christopher X. Candreva wrote:

On Tue, 7 Nov 2006, Jim Redman wrote:



My observation is that of all the modern packages ClamAV fails to
install and run successfully and securely without operator
intervention.  I think that this should be refined to reference
Fedora packages and perhaps not all of them.


I don't use Fedora - I use Mandriva.  And my experience has been that
the RPMS provided by Mandriva do allow you to run out of the box with
very little tweaking.  That is important to me - I manage about 20 linux
servers, but my primary responsibility is 196 routers and firewalls.
I'm not ignorant of the build process - I learned how to build SRPM's
working with this package - I merely don't have the time to mess with
it.  So, I understand the sentiment.



There are a number of reasons why I consider this a bad thing
(other opinions have been expressed by others on the list).




4) (Altruism) It limits the adoption of ClamAV which in turn
increase the number/penetration of viruses.


Maybe the project doesn't WANT people who have problems with their
installs caused by willful ignorance...just a thought.


I personally think that's a poor attitude.  Clueless newbies are
important too.  I personally will dump a project that takes too long to
get working at all.  As long as I can see progress it will keep my
interest.


Cluelessness is one thing.  Willful cluelessness is another.  There
is a difference.


What you're talking about is hassle...if it's too much hassle, you
move on to something else.  That's fine and dandy.  But there are
many many many people who are using, for example, ClamAV without
throwing a fit because there's too much in the conf file to set up.


The distinction is you can get frustrated and ask for help, or you
can get frustrated and bitch about it rather than read the comments
in the conf file.  There's a lot, it can be tedious to a degree, but
you're not having to go through source code to figure out how to get
it to work.  I have found that *overall*, with all the different
distros out there, it is impossible to come up with a one-size-fits-all
solution but the config files and guides for installation and
configuration on the Internet are enough that you need not invest a
lifetime to getting this one project working.


As I've said in other posts, the problem (as I see it) isn't
necessarily that he's clueless, or a newbie.  It's the attitude he
approached the group with, the attitude of "I don't know anything and
want to stay ignorant.  You should make it so I can stay ignorant but
get this to work."  This is something that can easily ruffle some
feathers, especially when so many in the group have started in that
position but learned how to get it to work.  It's also shocking for a
sysadmin to declare that they want to stay ignorant of the equipment
they're using..."I want to be a rocket scientist, but don't want to
take that nasty physics stuff...you should make it easier!"


I understand completely what you are saying and also agree with it.
However, regardless of how clueless the rocket scientist wants to
remain (which, yes, is a poor attitude), IF there is room for
improvement or IF some part of the process CAN be made easier,
shouldn't it?


Sure.  Taking into consideration other factors.
A) Pay them for the features...this is all volunteer work.
B) No one is proposing how this is to be done.  What distro do you  
aim for?  What MTA?  Integration with another spam scanner?  How to  
make this simpler without crippling or making more difficult getting  
it to work with particular setups?
C) How can you simplify or get this to work to the point where a user  
who states right out that it's too hard for him to read a conf file  
is able to use it?  That is NOT what one would expect from a sysadmin  
doing his job.


This has nothing to do with the fact that he wants to remain  
ignorant.  It really seems as if everyone read that part and  
COMPLETELY missed what he was really trying to say and instead  
focused on blasting the guy because of his willingness to remain  
ignorant.


He was saying he is too ignorant to configure his install for his  
mail server setup and wanted other people to do it for him rather  
than have him read the config file.


That probably irks a lot of people who use ClamAV with minimal effort  
and also have to support people who have this guy's type of attitude  
because he is running a server that takes some knowledge and skill  
yet willfully remains ignorant on the details of how to properly do  
so.  For all the whi

Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 10, 2006, at 9:45 AM, Jim Maul wrote:


Bart Silverstrim wrote:

On Nov 9, 2006, at 2:09 PM, Jim Redman wrote:

Folks,

I have to say, of all the lists I subscribe to, the vocal members  
of this list are the most arrogant and insulting.  However, I  
consider comments such as Luca Gibelli's, bandwidth wasting, "We  
are happy to suffer this loss." and Dennis Peterson's "His  
specific problem is he lacks the skill to install and manage the  
product" reflect more about the person making the comment, rather  
than the target.
You're forgetting one detail that probably was the most provoking,  
though.  He started right off saying he "cherishes his ignorance".
How many of our problems as sysadmins come from user ignorance?   
How much worse is it when you have to deal with another peer's  
ignorance, and worse yet, WILLFUL ignorance?  "Hi, I'm hired to do  
a complicated and skillful job as a sysadmin, but want to know  
nothing about how or why this software stuff works...can you help  
me?  By, like, doing it for me?"


Maybe I missed it, but where in his original email did he ask
anyone to help him by doing something for him?  From what I can
see, he didn't even ask for help at all.  The way I took it was:


Gee, I downloaded this package for clamav and installed it and now  
there are all sorts of other things that still need to be done to  
get it working correctly. Maybe clamav developers could work with  
the package maintainers to make this process go more smoothly?


Here is what I was reading from the original (I believe)  
email...correct me if I'm wrong...

*
I WANT to know NOTHING about ClamAV, I wish to remain ignorant.
*
Instead the packages need me to learn some of the inner workings of
ClamAV and FreshClam (forget editing the conf files, the packages don't
even seem to work together out of the box)
**
This means that much of the developers' work is wasted, because I take
the easiest way around an error, no clamav user, the hell with it,
freshclam runs as root.
***
config file, just take out "Example" keep hacking until it stops
complaining.
***
Sorry if this sounds like a rant, it's not, it's an appeal to make a
priority of simplifying the installation.
***

If anything, these highlight that the user posting the message:
A) wants to remain ignorant, despite being in charge of whatever  
system this is he's administrating
B) is asking for others (packagers, clamav devs...) to fix his  
unwillingness to read a config file.


If you want to know where it sounds like he's asking someone to do it  
for him, the last quoted line is making an appeal to make a braindead  
install routine a priority.  That sounds like it's asking someone to  
do something to me.


Is what he's asking for out of line? Not necessarily.  But if I were  
one of the devs doing an install package, I would not be overly  
motivated to help someone who is SOOO not willing to work with me on  
it that his idea of making it work is to run the software as root and  
just delete the word "example" from the conf file instead of reading  
what the line says and comprehending what he's doing.


He COULD have mailed in saying, "I'm running distro XYZ and am  
looking for opinions on what the simplest installation package is,  
and where I can download it with as much preconfiguration as  
possible..."


Instead, he sends a message proclaiming that he wants to remain  
ignorant of what is going on despite being a sysadmin because things  
like the conf file are just too hard to comprehend.  He works with  
other sourceforge projects, so how can it be so hard for him to  
understand a conf file?  Worse, he just runs it as root, and then  
people talk about not knowing about configurations having security  
holes in it?  Um...


What kind of sysadmin proclaims it's too hard to read a conf file and  
wants everything as braindead simple as possible so he doesn't have  
to think?  It's nice not to have to get headaches configuring things,  
but it kind of goes with the territory!


If he's not a sysadmin, why is he running a mailserver on the  
Internet in the first place?  How much spam and crap mail comes from  
misconfigured mail servers because their admins were too lazy or  
incompetent to configure it properly?


To me it seems like everyone missed the point and made their own
assumptions as to what he *really* meant.  Maybe the title was
worded poorly, or his post looked too similar to others that people
have seen in the past and it triggered an immediate negative
response from them, or maybe it's just that some people on this list
haven't gotten any lately and are grumpy - who knows.  But to berate
someone like this over a post they made which I believe was
interpreted incorrectly to begin with is completely wrong.  I
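
The two shortcuts quoted in this message, deleting the `Example` line and letting freshclam run as root, are the kind of thing a packager's post-install step or an admin's pre-start check can catch in seconds. What follows is an added example, not code from this thread or from the ClamAV project: a small lint over a freshclam.conf/clamd.conf-style file that flags an `Example` directive that is still active and a `DatabaseOwner` or `User` directive pointed at root. The directive names `Example`, `User` and `DatabaseOwner` are real ClamAV directives; the three sample configs are constructed for the example.

```python
"""Lint a ClamAV-style conf file for two common install shortcuts:
the stock `Example` line left active (the program refuses to start),
and the scanner/updater account set to root.

Added example; the sample configs below are constructed, not shipped
ClamAV files."""

from typing import List, Tuple

# Account-selecting directives: `User` in clamd.conf,
# `DatabaseOwner` in freshclam.conf.
PRIVILEGE_KEYS = ("User", "DatabaseOwner")


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Split a conf file into (directive, value) pairs.

    ClamAV conf files hold one `Directive value` per line; `#` starts
    a comment, and a bare directive such as `Example` has no value.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def lint_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    entries = parse_conf(text)
    findings: List[str] = []
    if any(key == "Example" for key, _ in entries):
        findings.append(
            "Example directive is still active: the stock file was never edited"
        )
    account_seen = False
    for key, value in entries:
        if key in PRIVILEGE_KEYS:
            account_seen = True
            if value == "root":
                findings.append(f"{key} is set to root")
    if not account_seen:
        findings.append(
            "no User/DatabaseOwner directive: the program keeps the "
            "privileges of whichever account starts it"
        )
    return findings


# Constructed: the stock file as shipped, `Example` still live.
STOCK_CONF = """\
## Example config file for freshclam
# Comment or remove the line below.
Example
DatabaseDirectory /var/lib/clamav
"""

# Constructed: the "delete Example, skip the clamav user, run as root" shortcut.
HACKED_CONF = """\
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseOwner root
DatabaseMirror database.clamav.net
"""

# Constructed: the same file with an unprivileged owner.
HARDENED_CONF = """\
# Example   <- left commented out on purpose
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseOwner clamav
DatabaseMirror database.clamav.net
"""


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF),
                       ("hacked", HACKED_CONF),
                       ("hardened", HARDENED_CONF)):
        problems = lint_conf(conf)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run by hand before starting the service, or from a package's post-install script, the lint replaces "keep hacking until it stops complaining" with a one-line statement of what is wrong and why the unprivileged account matters.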

Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 9, 2006, at 7:23 PM, Tom Metro wrote:


Dennis Peterson wrote:

Jim Redman wrote:

Your opinions, seem to be the prevalent attitude of the vocal
members of this list - if you don't suffer, it wasn't worth it.
His specific problem is he lacks the skill to install and manage  
the product.


It's rather sad to see that this elitist attitude - which was  
commonplace on Usenet back in the early 90's - is still alive and  
well here in 2006. I'm not sure why people who otherwise are  
enthusiastic supporters of open source don't see how this damages  
the community.


Probably because Open Source isn't about selling a product.  It's  
people doing this as a hobby, in the end, and if you want to use it,  
there it is...if not, *shrug*.  That's the attitude I see (except  
from the just plain rude and arrogant who want to keep their toys to  
themselves).


And in the quote above, he isn't necessarily saying the poster is  
stupid, just lacking a skill.  What's wrong in that?  Maybe I don't  
remember what else was said, but if you lack a skill in something,  
you lack the skill.  Approach the group with the attitude of, "Can  
someone help me figure this out?," instead of, "Fix this for me," and  
you might see a change in how people respond.


The argument is also flawed. So, the people criticizing the OP's  
premise all build their software from scratch, build their own OS  
distributions,  and never used packaged software - right? No? Do  
you at least review all the source code before you install a  
package? No?


We've built up these layers not always because the end users don't
have the knowledge to reproduce them themselves, but because it
would be a waste of effort to replicate them. This holds as true for
rewriting a virus scanning engine from scratch as it does for
writing your own installation script. (If your environment requires
custom behavior, then by all means, write your own installation
script...or for that matter, customize the virus scanning engine.)


And ClamAV has been built in a way that many people have not had this
as a major stumbling block.  I'm not a programmer, but had installed
Clam on at least three platforms.  I'm not a guru, hold no certs for
A+ or Cisco or MS or any other groups.  So what's going on here...am I
lying?  Extremely lucky?...



Ease of installation is valued by knowledgeable users also.


Yes, especially if they already know why it is working and how to fix  
it if something goes wrong.


Why spend time on a problem that others have already solved  
hundreds of times over. I'd much rather use my time in solving  
unexpected problems that are specific to my environment.


But you advocate not knowing anything about that environment in the  
first place.


Where did that email go?  Well I have it filtered in the bastion  
server here first, then it goes to this scanner for spam, then this  
for antivirus, then forwarded to this queue and out to this server...


But you want a drop-in solution so you don't need to know  
anything...how do you troubleshoot something when you don't know what  
it's doing in the first place?


Maybe it's just my opinion, for what little it's worth.




Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 9, 2006, at 2:40 PM, Daniel J McDonald wrote:


On Thu, 2006-11-09 at 10:24 -0500, Bart Silverstrim wrote:

On Nov 7, 2006, at 6:48 PM, Jim Redman wrote:


Chris,



Christopher X. Candreva wrote:

On Tue, 7 Nov 2006, Jim Redman wrote:



My observation is that of all the modern packages ClamAV fails to
install and run successfully and securely without operator
intervention.  I think that this should be refined to reference
Fedora packages and perhaps not all of them.


I don't use Fedora - I use Mandriva.  And my experience has been that
the RPMS provided by Mandriva do allow you to run out of the box with
very little tweaking.  That is important to me - I manage about 20 linux
servers, but my primary responsibility is 196 routers and firewalls.
I'm not ignorant of the build process - I learned how to build SRPM's
working with this package - I merely don't have the time to mess with
it.  So, I understand the sentiment.



There are a number of reasons why I consider this a bad thing
(other opinions have been expressed by others on the list).




4) (Altruism) It limits the adoption of ClamAV which in turn
increase the number/penetration of viruses.


Maybe the project doesn't WANT people who have problems with their
installs caused by willful ignorance...just a thought.


I personally think that's a poor attitude.  Clueless newbies are
important too.  I personally will dump a project that takes too long to
get working at all.  As long as I can see progress it will keep my
interest.


Cluelessness is one thing.  Willful cluelessness is another.  There  
is a difference.


What you're talking about is hassle...if it's too much hassle, you  
move on to something else.  That's fine and dandy.  But there are  
many many many people who are using, for example, ClamAV without  
throwing a fit because there's too much in the conf file to set up.


The distinction is you can get frustrated and ask for help, or you  
can get frustrated and bitch about it rather than read the comments  
in the conf file.  There's a lot, it can be tedious to a degree, but  
you're not having to go through source code to figure out how to get  
it to work.  I have found that *overall*, with all the different  
distros out there, it is impossible to come up with a one-size-fits- 
all solution but the config files and guides for installation and  
configuration on the Internet are enough that you need not invest a  
lifetime to getting this one project working.


As I've said in other posts, the problem (as I see it) isn't  
necessarily that he's clueless, or a newbie.  It's the attitude he  
approached the group with, the attitude of "I don't know anything and  
want to stay ignorant.  You should make it so I can stay ignorant but  
get this to work."  This is something that can easily ruffle some  
feathers, especially when so many in the group have started in that  
position but learned how to get it to work.  It's also shocking for a  
sysadmin to declare that they want to stay ignorant of the equipment  
they're using..."I want to be a rocket scientist, but don't want to  
take that nasty physics stuff...you should make it easier!"


For example, the Hobbitmonitor project is buried deep on my todo list -
There are about 15 "post release" patches that have to be individually
applied in a certain order, and I have yet to get it right and have it
compile.  So I ignore it, and think "If I ever get about 4 hours of
un-interrupted time, I'm going to tackle that beast".  Of course, I
don't have 4 hours, so it just gets deeper on the pile, and I never get
my monitoring server built, and I never am able to contribute back to
the project by helping other clueless newbies...


Then cut it loose.

This seems to be a hard concept...similar problems crop up, and my  
response is something along the lines of, "Well, your company isn't  
hiring enough to properly staff your department or manage the staff  
properly...if it were truly important, you'd get the time.  So either  
suffer with the lack of XYZ, or have them hire more people, or move  
to another company that does respect their IT department's role  
more."  "Well, that's not realistic..."  "Well, then it sounds like  
you are going with A, suffer the lack of XYZ.  Accept it, quit  
complaining."




I'm not saying every project requires you to cut off fingers and  
chant voodoo incantations to work.  I'm just saying that ClamAV isn't  
rocket science, there are some problems, and your average sysadmin  
should be able to go through a conf file to configure it and be able  
to get it to integrate with most MTA's using docs on the Internet  
with relatively little energy lost.  I am tired of the couch sysadmin  
running mail servers using a black box 

Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-10 Thread Bart Silverstrim


On Nov 9, 2006, at 2:09 PM, Jim Redman wrote:


Folks,

I have to say, of all the lists I subscribe to, the vocal members  
of this list are the most arrogant and insulting.  However, I  
consider comments such as Luca Gibelli's, bandwidth wasting, "We  
are happy to suffer this loss." and Dennis Peterson's "His specific  
problem is he lacks the skill to install and manage the product"  
reflect more about the person making the comment, rather than the  
target.


You're forgetting one detail that probably was the most provoking,  
though.  He started right off saying he "cherishes his ignorance".


How many of our problems as sysadmins come from user ignorance?  How  
much worse is it when you have to deal with another peer's ignorance,  
and worse yet, WILLFUL ignorance?  "Hi, I'm hired to do a complicated  
and skillful job as a sysadmin, but want to know nothing about how or  
why this software stuff works...can you help me?  By, like, doing it  
for me?"


If he was asking for help or proposing a reform without expressly  
saying the driving reason was because he wanted to know nothing about  
how it worked or how to install it or even how to properly tune it to  
keep from annoying fellow mail sysadmins on nearby networks, it  
wouldn't have elicited such a venomous response from an open source  
group.  These people working on ClamAV aren't, to my knowledge, paid  
to make the program or keep it up to date, let alone make the  
installer and front-end interfaces the most polished.  They are  
programmers doing this in their spare time to try to make a usable  
product for their peers.


And you're surprised that unpaid programmers and sysadmins having to  
routinely deal with problems that are often linked to end-user  
ignorance would get a little ticked when getting a question from  
someone saying they're a sysadmin who wants to remain clueless?  More  
often than not the way to get respect among that little social club  
is to try learning things and expanding your knowledge through your  
questions, not chastising them because they're doing something that  
forces you to learn something about why and how your system works.


I would also consider the prevalent attitude misplaced and wrong,
and before you berate me for knowing nothing, let me say this: I've
been managing mail systems on Linux since the late 1.x releases and
build and support embedded Linux distros.  If you're following the
logic here, that still doesn't prove that I know much, but at least
I have some background...


Personally, I didn't mean to say that you're someone who knows  
*nothing* about Linux or Unix.  I don't know what your specialty is.   
My personal belief is that there are very few gurus who know all  
there is to know about hardware and software  
administration...sysadmins specialize or they tend to have  
superficial knowledge of a wide array of topics.  A mail admin may  
know about spam filtering, viruses flying around the Internet,  
Postfix vs. Qmail, etc., while knowing little about DDR RAM or the  
next-gen processors slated for release from Intel.  At the same time,  
you shouldn't be willfully ignorant about the topics related to your  
field and have no desire to learn more since you don't know when that  
knowledge will be handy.  Sysadmins supposedly carry on the spirit of  
the original hackers, and the hallmark was curiosity and willingness  
to learn new things.


Proclaiming a desire to be ignorant does not win brownie points among  
those he was "asking for help".


Somewhere between my teenage years and now, I have enough
experience to realize that I don't know everything.  I can't create
faster/better optimized programs using assembler than a high level
language, and I'm not the world's most knowledgeable Linux security
expert.  The many packages that make up Linux are better understood
by those who created and maintain them and these people are the
most qualified to produce secure configurations of these packages.
Even if I DID understand a package better than the maintainer, or
have a better grasp of security than the person producing
configuration, I would recognize that having more people look at
the configuration WILL improve the system.  This is one of the
basic arguments of Eric Raymond's "The Cathedral and the Bazaar"
http://www.firstmonday.org/issues/issue3_3/raymond/


Which is fine...no one, I believe, was arguing against this idea.

They did seem to take offense to the attitude of "Hello fellow  
sysadmins, can you improve this packager so I don't need to know  
anything about it, just drop it in place and bingo everything works?"


I'll further encourage these efforts because, having done this for  
a while, I realize that it _IS_ now possible for someone who knows  
almost nothing about Linux administration to take a distro, install  
it, update it using one of the package managers and have a secure,  
if sub-optimal installation, taking the de

Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-09 Thread Bart Silverstrim


On Nov 7, 2006, at 6:16 PM, Jim Redman wrote:


Steve,

Steve Holdoway wrote:
> You really do need to get out of the mindset that you don't actually
> need to know what you're doing to administer a server. It is *NOT* a
> trivial task, requires skills to support it, and years of experience to
> do it well.


Your opinions, seem to be the prevalent attitude of the vocal  
members of this list - if you don't suffer, it wasn't worth it.


Is it really suffering if the steps are documented and you can follow  
them?


Suffering to me would be if the steps are outlined somewhere and in  
the course of following those directions, you get errors and  
failures.  Or the routine isn't documented anywhere so you have to  
dig and hunt and infer how to configure something.


If you're a sysadmin and following directions is defined as  
suffering, I think you may have other problems to deal with...


I would argue that I know enough about server administration to
realize that my knowledge of ClamAV will never be as deep as others
on this list; how much better if they create a secure, stable,
successful, packaged configuration and everyone (which happens to
also include me!) benefits from their knowledge.  Or does that
sound like flamebait?


Because what fits your needs may not fit other people's needs when  
you stop to consider how draconian or how absolutely loose-and-free  
different mail admins can be?  There are still idiots running open  
relays out there. Encouraging people to know what the hell they're  
doing helps separate those idiots from the rest of the populace.


Maybe what would actually be helpful is an automated uninstall/ 
reinstall that asks what options you want set to what values, and  
compares changes from the previous install.  Makes it more tedious  
though.


-Bart
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Cherishing my ignorance - An appeal to packagers

2006-11-09 Thread Bart Silverstrim


On Nov 7, 2006, at 6:48 PM, Jim Redman wrote:


Chris,



Christopher X. Candreva wrote:

On Tue, 7 Nov 2006, Jim Redman wrote:
Your opinions seem to be the prevalent attitude of the vocal  
members of this list - if you don't suffer, it wasn't worth it.

I would disagree, in that I don't see it as suffering.
Forgive me if I missed it, but what is your specific problem ?  
Perhaps we have different definitions of suffering.
The only specific complaint I saw was the message "Your version is  
outdated", and that seems to me to be a very simple English  
declarative sentence, with a simple solution. You are running an  
old version, get a new one.


Sorry, my point has nothing to do with my particular suffering or  
any particular aspect of that - or at least only indirectly.


My observation is that of all the modern packages ClamAV fails to  
install and run successfully and securely without operator  
intervention.  I think that this should be refined to reference  
Fedora packages and perhaps not all of them.


There are a number of reasons why I consider this a bad thing  
(other opinions have been expressed by others on the list).


1) It sucks my time because I immediately have to learn more than I  
want to about ClamAV (and freshclam and clamav-milter and the  
interactions between all these applications).


2) The installation is probably going to be sub-optimal because I  
don't have enough time to spend on ClamAV to become the expert that  
others on this list clearly are.


You don't have to be an expert to tune it if you're just reading the  
config file, though.  If you have problems with the server spiking  
CPU usage or running out of RAM, it's not hard to look and see what  
settings would affect that.


If you can't do this and the material is out there for people to  
easily refer to, maybe you're short on staff (and need more people in  
your department) or there's some management problems that keep you  
from effectively doing your job, from the sounds of it.


3) It encourages bad/insecure installations because people  
(including me) without enough time to spend on researching the best  
way to install ClamAV (and associated apps) will be ignorant of  
possible security holes (or not recognize the significance of  
them).  Bad installations could be REALLY bad - is there any way  
ClamAV could be instrumental in generating mails to the SENDER of a  
virus e-mail?


This can be a problem with ANY software.  I don't know anything about  
AutoCAD, yet am expected to install and troubleshoot it at times.  I  
rely on the people who know AutoCAD (but squat about computers) to  
tell me when something is "wrong" with their install and troubleshoot  
it from there (yes, we're understaffed, otherwise I'd dedicate more  
time to learning it; just the reality of the situation).


It means that either they hire more people, let me dedicate more time  
to troubleshooting and repairing server work, or suffer the  
consequences of being short staffed.  I'm not going to bitch to the  
software programmers that they need to fix my problems that are  
caused by management on my side, though, since there is documentation  
and references available for the software package...I just click  
through the defaults and mop up problems later on.


4) (Altruism) It limits the adoption of ClamAV which in turn  
increases the number/penetration of viruses.


Maybe the project doesn't WANT people who have problems with their  
installs caused by willful ignorance...just a thought.  The OP showed  
this right off with the title "cherishing my ignorance".  If someone  
wants a labor-centric job with no skills to enhance, apply at  
McBurger King.  They cherish employees who cherish ignorance because  
they're easy to hire and fire.


IT isn't a McJob that it seems to get treated as.  One person doing  
overlapping job skills without an adequate staff to support them will  
cause problems, and the business needs to recognize that.



Re: [Clamav-users] OT: Copyright (was: Re: Out of Office AutoReply)

2006-05-17 Thread Bart Silverstrim


On May 17, 2006, at 1:53 PM, Daniel T. Staal wrote:


On Wed, May 17, 2006 1:34 pm, [EMAIL PROTECTED] said:

At 10:31 AM 5/17/2006, Daniel T. Staal wrote:


On Wed, May 17, 2006 1:23 pm, [EMAIL PROTECTED] said:


as opposed to annoying "copyright notifications" attached to email
published to mailing lists, that state information that is wholly
meaningless within the context of a publicly distributed mailing
list, so therefore nothing more than junk bytes you're forcing
mailservers to digest?


Read mine.  ;)


that's what i was referring to. it's nothing but junk bytes. it
accomplishes nothing, and adds *no* useful information to the message.


It does several things: specifically acknowledges the public nature of
email, and clarifies accepted use vs. non-accepted use.



How about this...just a one line URL to a place you maintain as a 
website with that information, so people don't have to be subjected to 
the same boilerplate template stamp every time they read your email?  
It's less to trim with replies, it's less to read as a mental blah blah 
blah, and 90% of the time your readers probably don't care about your 
copyright, or if they did they read it once and don't need it over and 
over and over again.


THERE's a useful feature in email...template blocks that your email 
program can hide selectively.  Wanna read the sig?  Click.  Wanna read 
the disclaimer? Click.  Otherwise...dude, I don't want to read that.  
Just give me that bloody message.  This is another concept that 
top-posters can't seem to understand.  They love supposedly reading in 
reverse order the previous emails.  But there are some that insist on a 
9-line sig EVERY TIME getting embedded so (especially for Exchange) you 
get lines of from/to/subj/time/etc then a blurb of quoted crap then 
this huge sig then more exchange headers with repeated blurb from 
before and more of the same bloody sig...I get it, I have your title, I 
have your cell number, your work number, your fax number, your address, 
PLEASE STOP MY EYES ARE BLEEDING.  Maybe even find a way to have top 
posted emails turn the previous mails into hidden blocks so they aren't 
so obnoxious...


It's been one of those weeks.



Re: Now OT - Re: Out of Office AutoReply: [Clamav-users] Question About Quarantine

2006-05-17 Thread Bart Silverstrim


On May 17, 2006, at 1:42 PM, Christopher X. Candreva wrote:


On Wed, 17 May 2006, Bart Silverstrim wrote:

That's where you're both wrong.  It's an extension to instant 
messaging.  Why


Really? That's amazing, that email managed to be invented at least a 
decade before IM and still extended it.


It was initially treated as a delayed instant messenger (ha!).

Look at how people today use email and if you have schools where 
students use email, see if you can get access to some of those 
messages.  They treat it just like an instant messaging client.


I was looking at the way it was treated and applied, not what the 
technology was titled...look at how it's practically used now and 
you'll see the parallels.




Re: [Clamav-users] OOO (was: Question AboutQuarantine)

2006-05-17 Thread Bart Silverstrim


On May 17, 2006, at 12:55 PM, <[EMAIL PROTECTED]> wrote:


At 09:27 AM 5/17/2006, Daniel T. Staal wrote:
Luckily, my spam filter catches them.  That's all they are, anyway.  
More spam.


as opposed to annoying "copyright notifications" attached to email 
published to mailing lists, that state information that is wholly 
meaningless within the context of a publicly distributed mailing list, 
so therefore nothing more than junk bytes you're forcing mailservers to 
digest?


Plus they're less fun than the ones that threaten you with a lawsuit if 
you weren't the intended recipient to blah blah blah...


ENCRYPT IT.  Why would you warn people they couldn't read the message 
AFTER they read the @#$! message?  Are you people email-defective??




Re: Now OT - Re: Out of Office AutoReply: [Clamav-users] Question About Quarantine

2006-05-17 Thread Bart Silverstrim


On May 17, 2006, at 12:56 PM, Daniel T. Staal wrote:


On Wed, May 17, 2006 12:35 pm, Christopher X. Candreva said:

On Wed, 17 May 2006, Daniel T. Staal wrote:

These days, being out of the office, or town, or country, is no 
reason for you to not be able to get your email, if you felt you 
needed to.  So, the only reason you aren't responding is that you 
don't want to.


I would say the problem is people expecting e-mail to be treated 
like a voice conversation with an immediate response.

If you call the office and get a human, they can tell you Joe is on
vacation, someone else can help you. When people got voice mail boxes,
they would put those messages there.  E-mail supplemented the phone, 
and that same feature was expected.


Yeah, that's probably a better summation.  I never considered email a
successor to the phone: I think of it as a successor to snail mail.  
But I can see how some could think of it that way.


That's where you're both wrong.  It's an extension to instant 
messaging.  Why do you think so many people fail to craft email 
messages anymore, instead choosing to top-post some brain fart of two 
sentences at the top of a multipage email?


It takes time to make email more readable.  But people can't be 
bothered to stop and think about things like grammar, spelling, 
readability...little details like that.


It's an EXCHANGE based world, people!  C'mon and catch up to the rest 
of us here, m'kay??




Re: Out of Office AutoReply: [Clamav-users] Question About Quarantine

2006-05-17 Thread Bart Silverstrim


On May 17, 2006, at 12:36 PM, Jim Maul wrote:


Daniel T. Staal wrote:

On Wed, May 17, 2006 12:12 pm, Jim Maul said:

  If you are on a mail list such as this, think longer
and harder than usual. Then don't do it.

Right.  That seems like an acceptable solution.  Hell, why even have
autoresponders at all then?
I figure autoresponders are relics of the way email worked in the 
80's. Back before spam, and email viri, and big mailing lists, and
web-accessible email.
These days, being out of the office, or town, or country, is no 
reason for you to not be able to get your email, if you felt you 
needed to.  So, the only reason you aren't responding is that you 
don't want to.


Yes, I certainly don't want to check my work email when I am on 
vacation.   Apparently you feel otherwise.


Some do, some don't.  If communications are so important to you, you 
glance at your email when away.  Otherwise, you put it off.


Personally, if you didn't get back to me in time for something that is 
time-pressed, I'd try to find out why you hadn't replied by following 
up on a phone call.  Why do you need to spam everyone sending some 
two-second mind fart inquiring about lunch meeting with a note telling 
the world that you're out until blah blah?


If you must use such a feature, I think it should be limited to 
addresses within your business and/or people you frequently exchange 
mails with, like particular business contacts.  Mailing lists don't 
need to know that you're out.  You don't want to read your email while 
on vacation?  You think the people who *aren't* on vacation want to 
read that you're out having fun while they're stuck emailing you about 
something?


Does it autoreply to spam also?


The fact that some email packages still have autoresponders is a
misfeature, in my eyes.


Perhaps we should eliminate answering machines then too?  I mean hell, 
if they don't answer the phone, they must not be home.


The purpose is still useful.  It's a way of ensuring that your message 
will eventually be delivered to the person in question.   Emailing you, 
assuming it arrived, means you'll eventually get the message.  When you 
get back in, explain why it took so long, if it's any of my business in 
the first place.


Eventually we will probably get rid of answering machines.  Many phone 
companies offer the same feature on their side of the offices, and 
other places are using VOIP setups that will transfer your voicemail as 
a sound file to your email.


I have a hard time believing it's so important to know that the 
out-of-office recipient GOT the email in the first place when we don't 
have the majority of email using "read receipt" outside of the private 
corporation.  Even when I do get them, I have my mail program not 
reply.  For some reason you find your vacation or business meeting that 
important that you splarch a reply just for that occasion..."Yes, I got 
your email, but you know what?  I'm on a sunny beach!  Away from email! 
For another ten days!  Sorry!  If you want, you can call this poor 
sucker to handle your problem at 555-x555!"  I mean really, do you 
set your Out-Of-Office responder to go off when you leave for the day?  
Or just when you want to trumpet that your life is momentarily better 
while the rest of the working stiff's lives still suck?


Luckily, my spam filter catches them.  That's all they are, anyway.  
More spam.


Spam is unsolicited.  If you send a message to a mailing list and don't 
expect a reply, why even bother sending your message?


Um...because an out-of-office reply isn't a *useful* reply?  "Hey, I'd 
help ya, but I'm on VACATION!!"  Do you send an email to a business and 
expect (and deserve) fifty promotional emails to come back at you 
because you asked a question?




Re: [Clamav-users] [OT] Top posting is harmful. (Was: Clamd Problem.)

2005-12-19 Thread Bart Silverstrim


On Dec 19, 2005, at 11:03 AM, aCaB wrote:


Hi kids.
Is the spam going to last long?

Please keep your OT confined to your own blogs/MLs.
Stop abusing everyone's patience.


Maybe people should stop contributing to the thread asking people to 
stop contributing to thread.


If attention spans weren't so short we'd remember that flare-ups of 
threads like this will go away quickly on their own, and they'll go 
away more quickly if people stopped chirping from the peanut gallery 
that the thread bugs them.




Re: [Clamav-users] Virus not found by local clamscan

2005-08-16 Thread Bart Silverstrim


On Aug 16, 2005, at 7:42 AM, Gian Carlo wrote:


On Tue, Aug 16, 2005 at 12:35:29PM +0200, [EMAIL PROTECTED] wrote:

Usually, they say it's not a good thing...


Sorry, but I'd rather put it online than send it to a mailing-list.


Forgive me: maybe I was too "purist".
I realize there are better ways for a malicious person to get something
harmful than monitoring a list like this.


You mean, like, connecting a honeypot VMWare machine to the Internet 
running unpatched Windows for about five minutes then looking at the 
altered binaries on the system?




Re: [Clamav-users] What versions of Clamav for ppc platform

2005-08-04 Thread Bart Silverstrim


On Aug 3, 2005, at 3:45 PM, mailing by Giardina Software wrote:


Hello list,

I must install clamav on my machine; what stable version can I 
install for the ppc platform??


PPC as in OS X?  For that I'd use Fink to keep it up to date.



Re: [Clamav-users] Amavis error with clamd

2005-06-27 Thread Bart Silverstrim


On Jun 27, 2005, at 2:33 PM, D.J. Fan wrote:





I just finished trying to upgrade ports on this FreeBSD system, and 
am getting an unusual error in the logs for Amavisd-new.


Clam Antivirus-clamd: Error reading from /var/run/clamav/clamd: 
Resource temporarily unavailable at (eval 53) line 253,  line 
1., retrying (2)





Any ideas?  Help?



Appears to be the usual problem with file permissions.
See if this link provides insight and a possible solution:

http://www200.pair.com/mecham/spam/clamav-amavisd-new.html

BTW, I have found that even after my Debian system is set up correctly 
and I have restarted the clamd and amavisd-new daemons, I still get an 
access denied error that only seems to solve itself with a reboot.




Thanks for the address.  I checked what you had written up, and the 
only thing in the update that I didn't have was the group membership 
for clamav in vscan.  I never had it before, don't know why it would 
suddenly matter now, but I added clamav to that group and shut down 
then relaunched postfix/clamav/amavis and it appears to work, since 
only test virus 27 slipped through in my authorized test from 
http://www.webmail.us/testvirus.


Don't know what did it exactly, will need to keep an eye on it, but 
THANK YOU for the advice!!  Seems to be working again!


Now if I can just figure out the second error about mime tools in 
amavisd... :-(


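One way to see why the group-membership fix in this thread matters, as an added example (not code from the thread, ClamAV or amavisd-new): clamd must be able to enter amavisd-new's temp directory and read the unpacked message, and a world-writable socket alone does not grant that. The vscan user, the 0750 temp-directory mode and the file names below are assumptions, not facts from the thread.

```python
"""Unix permission check for the clamd / amavisd-new setup discussed
above.  Added example, not code from ClamAV or amavisd-new.

Assumptions (not stated in the thread): amavisd runs as user vscan, its
temp directory is mode 0750 vscan:vscan, and the listing lines below are
constructed to look like the thread's ls -al output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    mode: str    # 10-character ls mode string, e.g. "srwxrwxrwx"
    owner: str
    group: str
    name: str


def parse_ls_line(line: str) -> Entry:
    """Parse one 'ls -al' line: mode, links, owner, group, size, date, name."""
    parts = line.split()
    if len(parts) < 9 or len(parts[0]) != 10:
        raise ValueError(f"not an ls -l line: {line!r}")
    return Entry(mode=parts[0], owner=parts[2], group=parts[3], name=parts[-1])


def permitted(entry: Entry, user: str, groups: frozenset, want: str) -> bool:
    """True if `user` (a member of `groups`) holds every bit in `want`
    ('r', 'w', 'x') on `entry`, using the owner/group/other class rules.
    root is not special-cased: the daemons in the thread do not run as root."""
    if user == entry.owner:
        cls = entry.mode[1:4]
    elif entry.group in groups:
        cls = entry.mode[4:7]
    else:
        cls = entry.mode[7:10]
    return all(bit in cls for bit in want)


def scanner_can_scan(listing: list, user: str, groups: frozenset) -> dict:
    """Evaluate the three things clamd needs here: connect to its own socket
    (rw), enter amavisd's temp directory (x), read the message file (r)."""
    entries = {e.name: e for e in map(parse_ls_line, listing)}
    return {
        "socket": permitted(entries["clamd"], user, groups, "rw"),
        "tmpdir": permitted(entries["amavis-tmp"], user, groups, "x"),
        "mailfile": permitted(entries["email.txt"], user, groups, "r"),
    }


# Constructed listing: the socket line mirrors the thread's /var/run/clamav;
# the temp directory and message file are assumed amavisd-new layout.
LISTING = [
    "srwxrwxrwx  1 vscan   clamav    0 Jun 27 12:29 clamd",
    "drwxr-x---  2 vscan   vscan   512 Jun 27 12:33 amavis-tmp",
    "-rw-r-----  1 vscan   vscan  2048 Jun 27 12:33 email.txt",
]

if __name__ == "__main__":
    before = scanner_can_scan(LISTING, "clamav", frozenset({"clamav"}))
    after = scanner_can_scan(LISTING, "clamav", frozenset({"clamav", "vscan"}))
    print("clamav in group clamav only:", before)
    print("clamav also in group vscan: ", after)
```

The socket check passes in both runs; only the temp directory and the message file flip from denied to allowed once clamav is a member of vscan, which matches what adding the group membership fixed in the thread.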


[Clamav-users] Amavis error with clamd

2005-06-27 Thread Bart Silverstrim
I just finished trying to upgrade ports on this FreeBSD system, and am 
getting an unusual error in the logs for Amavisd-new.


Clam Antivirus-clamd: Error reading from /var/run/clamav/clamd: 
Resource temporarily unavailable at (eval 53) line 253,  line 1., 
retrying (2)


Here's the clamd socket:
# pwd
/var/run
# ls -al |grep clam
drwxrwxrwx   2 clamav  clamav 512 Jun 27 12:29 clamav
# cd clamav
# ls -al
total 6
drwxrwxrwx  2 clamav  clamav  512 Jun 27 12:29 .
drwxr-xr-x  5 root    wheel   512 Jun 27 11:46 ..
srwxrwxrwx  1 vscan   clamav    0 Jun 27 12:29 clamd
-rw-rw      1 vscan   clamav    5 Jun 27 12:29 clamd.pid
#

so it shouldn't be a permission problem.  The amavis log seems to see 
the clam socket:
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50841]: starting.  /usr/local/sbin/amavisd at myserver amavisd-new-2.3.1 (20050509), Unicode aware
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50841]: Perl version   5.008007
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Amavis::Conf        2.038
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Compress::Zlib      1.34
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module DB_File             1.811
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module MIME::Entity        5.417
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module MIME::Parser        5.417
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module MIME::Tools         5.417
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Mail::Header        1.66
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Mail::Internet      1.66
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Mail::SpamAssassin  3.04
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Net::Cmd            2.26
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Net::DNS            0.51
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Net::SMTP           2.29
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Net::Server         0.87
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Time::HiRes         1.66
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Module Unix::Syslog        0.100
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Amavis::DB code      NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Amavis::Cache code   NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: SQL base code        NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: SQL::Log code        NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: SQL::Quarantine      NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Lookup::SQL code     NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Lookup::LDAP code    NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: AM.PDP prot code     loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: SMTP-in prot code    loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: ANTI-VIRUS code      loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: ANTI-SPAM code       loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Unpackers code       NOT loaded
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Found $file at /usr/bin/file
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: No $dspam, not using it
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Internal decoder for .mail
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Internal decoder for .asc
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Internal decoder for .uue
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Internal decoder for .hqx
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Internal decoder for .ync
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Found decoder for .F at /usr/local/bin/unfreeze
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Found decoder for .Z at /usr/bin/uncompress
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Internal decoder for .gz
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Found decoder for .lzo at /usr/local/bin/lzop -d
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: No decoder for .rpm
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: No decoder for .cpio
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Found decoder for .cpio at /usr/bin/cpio
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: No decoder for .tar
Jun 27 12:33:56 myserver /usr/local/sbin/amavisd[50842]: Found decoder for .tar at /usr/bin/cpio
Jun 27 12:33:56 myserver /usr/local/sbin/am

Re: [Clamav-users] ClamAV on Exchange 200x

2005-06-20 Thread Bart Silverstrim


On Jun 17, 2005, at 3:01 PM, Patrick Andry wrote:

Does Exchange 2000 still accept mail for non-existent users, as it 
does for 5.5?


Unless there's a feature/setting I'm missing, yes it does.



Re: [Clamav-users] For those who submitted adware/spyware samples

2005-06-20 Thread Bart Silverstrim


On Jun 17, 2005, at 4:08 PM, Matthew Schumacher wrote:


Kelson wrote:

Niek wrote:


If you want protection from ad- spyware, get anti-spyware software.



I don't want to start up another flame war, but I really have to ask
this question:

Isn't email-borne spyware more in a virus scanner's domain than 
phishing is?



IMHO, anything malicious sent through email should be detected by the
virus scanner.


Wouldn't that be a malware scanner instead of a virus scanner in that 
case?




Re: [Clamav-users] For those who submitted adware/spyware samples

2005-06-20 Thread Bart Silverstrim


On Jun 17, 2005, at 4:21 PM, Jim Popovitch wrote:


On Fri, 2005-06-17 at 12:08 -0800, Matthew Schumacher wrote:

IMHO, anything malicious sent through email should be detected by the
virus scanner.


I agree.  What will it take for clamav to support all files/emails
deemed malicious?


A procmail script that searches for "Exchange" or "Outlook" in the 
headers?


:-)

-Bart



Fwd: [Clamav-users] Re: which scans mail

2005-06-17 Thread Bart Silverstrim



Begin forwarded message:


From: [EMAIL PROTECTED]
Date: June 17, 2005 9:01:33 AM EDT
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Re: which scans mail
Reply-To: ClamAV users ML 

I will be away from the office until Monday, June 27.  If you need an
immediate response, please send your email to [EMAIL PROTECTED]

Thank you,
Bowie Bailey
BUC International


CAN SOMEONE PLEASE UNSUBSCRIBE HIM?  Maybe permanently?...

After the 15th time, I really start to hate those @#$%! OoO replies...



Re: [Clamav-users] ClamAV on Exchange 200x

2005-06-17 Thread Bart Silverstrim


On Jun 16, 2005, at 4:37 PM, Robert G. Werner wrote:


Roger Rustad wrote:
Does anyone have any links to resources that deal with installing 
ClamAV on Exchange 200x servers? (Yes, I know that I can set up a 
ClamAV proxy; in this case, I want something I can install/do 
directly *on* the Exchange server)

If not, perhaps someone knows of some 3rd party software that I could
purchase? I'm trying to move away from Symantec-based products



I haven't heard of anyone using Clamav directly with Exchange.  That
being the case,  I think Exchange has an API for submitting messages
to a virus scanner.  If you can get Clamd to run on Win* (may or may
not be very easy because I think Clamav assumes a POSIX environment)
then the next step would be to write something to the Exchange API
that takes the message,  submits it to Clamd and then disposes of the
message appropriately.

This would be a nice addition to Clamav if you or someone else wanted
to create it.  Would help make Clamav even more cross platform.


I know the OP didn't want to use a proxy, but personally I've found 
that the FreeBSD system I set up as our scanning proxy:
A) saves disk space and processor cycles...Exchange can be hoggish, 
especially when a lot of clients are logged on
B) is wonderful for logging and troubleshooting; only our incoming mail 
is scanned and logged, so if someone emails us asking if [EMAIL PROTECTED] 
emailed them (Why haven't I received their message?), we can easily 
check the logs with a quick "grep" to see if it ever hit our border 
scanner and tell them whether it's in the spamtrap or if it never even 
REACHED the exchange server; I personally find the Exchange server's 
logging facilities to be rather inadequate.
C) opened our budgets a little more thanks to the huge array of 
anti-spam and antivirus configurations we can install on it.

D) adds a ton of flexibility in how email is handled and scanned.

But I'm sure the OP already knew of these things and was just in a 
position where it isn't feasible to install it or just doesn't want to. 
 I thought I'd send this just so it would be in the archives in the 
slim chance anyone consults them when looking for experiences other 
people have had with ClamAV in production use :-)




Re: [Clamav-users] Re: undetected malwares

2005-06-07 Thread Bart Silverstrim


On Jun 7, 2005, at 9:46 AM, Matt Fretwell wrote:


Bart Silverstrim wrote:


My wife and I just had a newborn baby boy.  The first and foremost
thing to learn...tolerance.  He cries because it's the only way he can
communicate, it's frustrating because we have to interpret what he
means.  But he's a baby and that's what they do!  It's their nature.
We knew it when we...um...compiled him :-)



 Congratulations. First child, or do you have other children?


Her second, my first :-)  I have a thirteen year old stepdaughter 
(she's a great kid but she's just entering her teen years...yikes!) and 
now a 17 day old boy.  I can't wait for that day when I get home from 
work and hear him yell "Daddy's home!"




Re: [Clamav-users] Arrogance toward well-meaning participants (was: undetected malwares)

2005-06-07 Thread Bart Silverstrim


On Jun 7, 2005, at 9:00 AM, Matt Fretwell wrote:


Bart Silverstrim wrote:

If he already did and hadn't gotten feedback, maybe there could be 
some people who would coordinate some form of feedback system on whether a
sample is in the works or in the queue or something like that or an
automated sig-maker system could be worked on as a project. If the
things he is asking be included in the malware detection code isn't
going to do it because the developers have vetoed it, then tell him.


 Give people blood, and they will still find some reason to complain.


Welcome to the world of the sysadmin.  Or developer.  Or anything else 
that involves users. Or people.


We just have to adapt our philosophy in life so we don't get ulcers or 
have a stroke.



Don't just insult the guy.  Geez.  :-(


 Courtesy first, I do have to agree with you on that. Pandering, 
however, is a very different thing.


Bottom line: this could have been handled better.  The guy could have 
ended up helping out in the future or contributing to the betterment of 
the project.  Certainly he was (is?) using ClamAV, helping with the 
number of deployments out there and is another potential tester or bug 
reporter, shown by the fact that he was trying to give feedback to the 
group when he was told to screw off.


Not advocating pandering.  Just showing respect to other people and 
giving them an opportunity to show themselves to be jackasses before 
being treated as one.  This guy didn't get that chance and I think that 
some people probably do owe him a bit of an apology for the incendiary 
responses they sent to him for making a mistake.  Because so many 
people (including, most likely, the OP at this point) are in full 
defensive-asbestos-underwear-flamefest mode, the apologies probably 
aren't going to come for awhile, if ever...despite the fact that it 
would make the people apologizing look like the more honorable out of 
this mini-debacle.  But oh well.  C'est la vie, que sera sera, and the 
status quo of the list continues onwards.  God, I LOVE THE INTERNET!!




Re: [Clamav-users] Re: undetected malwares

2005-06-07 Thread Bart Silverstrim


On Jun 7, 2005, at 8:56 AM, Matt Fretwell wrote:


Bart Silverstrim wrote:


 The devel's time is not infinite. I am sure most of them do have
 other jobs and things to do also. Do stop trolling and just ask them
 how to submit the virii :) ( No use being of a subtle disposition on
 this list :)


I also would disagree that he was trolling...sounds like he's peeved 
at the acidic response he got when he was just trying to be helpful.



 No doubt you are correct with regards to the second aspect. However,
coming back with the 'outdated scanner' bit was unnecessary. 
Personally, I have no time for people with tender dispositions. 
Life's a bitch. Tough. Deal with it.


The same could be said of us...those of us that are on the verge of 
snapping at the number of people who don't read docs, guidelines, 
howtos, etc. first.  Believe me.  My current disposition is the product 
of dealing with this all the time.


My wife and I just had a newborn baby boy.  The first and foremost 
thing to learn...tolerance.  He cries because it's the only way he can 
communicate, it's frustrating because we have to interpret what he 
means.  But he's a baby and that's what they do!  It's their nature.  
We knew it when we...um...compiled him :-)


I've had to extend this to users (and people in general).  They don't 
like following rules.  Top posters.  Sigs longer than PGP signatures.  
Documentation?  Huh?  It's the way of the users.  It's the way of 
people in general.  People tend to be lazy and not want to learn 
things.  We have to accept it.


Situations like the one you're pointing out are made slightly worse 
with the popularity of IM-oriented communications.  Why look it up when 
I can just belch it out to a mailing list and someone else might 
already know the answer to regurgitate back to me quickly?  The easiest 
way to deal with that is to keep in mind that despite this constant 
churning of the same material, more often than not an answer still 
surfaces, meaning that someone on the list (in general, not just this 
one) is getting some benefit out of answering the person that causes 
your frustration in the first place...maybe they just feel good helping 
out, maybe they like feeling superior in knowing someone someone else 
didn't, maybe they just like preening feathers a little...who knows.  
If people didn't reply to all the answers that were already available 
out there in FAQs and web pages, the list would be probably pretty damn 
quiet.



(Yes, I am trying to fit as many non posting-etiquette type
responses into one message as possible). For goodness' sake, what is wrong
with people just using common sense and asking first if they are unsure of
how to proceed, or, dare I mention this blasphemy, actually reading any
guidelines or documentation.


Nothing, except it's against people's nature as humans :-)

 I was never aiming specifically at the OP. He made a mistake. Simple as
that.


This is the type of thing that probably should have been pointed out 
originally.  I see no reason for him not to have taken the attacks 
personally as responses were worded.



 This pissy tit lip, I get upset over everything, type attitude that
people seem to suffer from these days, however, is becoming one of my
major bugbears.


That's all well and good, only the attacks against him were right off the bat, 
not giving any opportunity for correction or guidance to the "right" 
way.


a) Hey, can you put this in the pie?  It might make it taste better!
b) What are you, some kind of f'ing idiot?  Quit being a dumbass.
a) Wha...well,...you're a dumbass.  And your pie tastes like crap 
anyway.
b, c, d, e...) stupid troll...don't need your kind around here anyway.  
The cooks do a great job as it is!  YAY!


Get pissed if the guy is corrected or directly asked not to do 
something and THEN persists without reason.  Don't bring up past 
incidents this person wasn't party to as part of your (in general, not 
you necessarily in particular) response.  Do you take it out on your 
spouse and kids when you have a bad day at work?  Don't take out 
frustrations towards persistent idiots on this guy that made, as you 
put it, an honest mistake.  It makes the entire list and the developers 
look rather poor.




Re: [Clamav-users] 0.85.1 milter crashing alot

2005-06-07 Thread Bart Silverstrim


On Jun 6, 2005, at 9:49 PM, Carl Thompson wrote:

I've had lots of problems with clamav-milter (running inet or .sock) 
crashing.  I know that .82 didn't have issues like this and I would 
like to track them down and post any results I can find to possibly 
help the developers.


Is there any special configuration options or start/configuration 
options that I should set in place to get quality output about the 
crashes that can be passed along to the development team for their 
review?


This is a fairly busy mail server during the day but slacks off after 
hours.  I generally run with max children of 50.


Maybe I'm misreading something or have a glitch in my mail reader, but 
it looks like you're hijacking a thread (hitting "reply" to a message 
and just changing the subject line).  If that's the case here, please 
don't do that.  If I'm mistaken please disregard this message :-)


With mail clients that thread conversations your message will get 
embedded in with another conversation.  Many people will select what 
they want to follow and will delete whole threads without looking.  If 
it is someone who may be in a position to help you they may not see 
your message because it's inside a thread of conversation they are 
deleting.


If you want to maximise your chances of getting help (and follow 
appropriate mailing etiquette) please open a new message and copy and 
paste the actual *to:* address to send to the mailing list, don't reply 
to someone else's subject and alter just the subject header.




Re: [Clamav-users] Arrogance toward well-meaning participants

2005-06-07 Thread Bart Silverstrim


On Jun 6, 2005, at 1:23 PM, Matt Fretwell wrote:


Timo Schoeler wrote:


What can certainly be observed on this mailing list is a tendency to
attack and reproach the developers.


IMHO this is misunderstood then. most of the cases some people ask why
this or that is managed in this or that way and some people have (and
tell) an idea of how to 'improve' (mind the colons) things.

this has nothing in common with criticism of any developer.



 Actually, these are not suggestions regarding how one might 'improve'
things. These are initial posts which are carried out with a complete lack
of forethought, and then, when an OP becomes piqued once they are berated
for their aforementioned lack of forethought, become ignorant, for lack of
a better word.


No, they got angry and were shocked at the response they initially got.  
You said it yourself that they were berated for lack of forethought.  
There is NO REASON to berate someone for a first offense that didn't 
cause harm or foul to anyone on this list.  He wasn't corrected, he 
wasn't asked why he did what he did, he was insulted.  Save the insults 
and beratement for someone who repeatedly breaks a rule after being 
corrected.  Don't reply immediately with insults and beratement then 
act surprised when they respond defensively!  It's a show of respect 
for someone as a person to give them some opportunity to correct their 
mistake before writing them off as an asshat.  I don't know the guy's 
history on the list, but I didn't see why or how his initial postings 
to this thread warranted such a response.



Whilst one does admit that some devel's may lack certain
'people skills', or as the troll one said, are just misanthropic :), (I
really love that one. Practically had it emblazoned on a badge), stupidity
is no excuse on the part of the OP.


It does not excuse insulting end users who weren't TRYING to be a pest 
or make a problem.  Maybe he was...but I personally didn't see it in 
his post.


I think the definition of troll in this thread is getting greatly 
watered down.


 One does not need to be offhand, unless circumstances really do dictate
such. Propagating a link to a public page where viral or trojan software
may be freely downloaded does possibly constitute one of those occasions.

Whilst the OP is already receiving these, the people who are not yet
inundated may well be pretty damn soon.


They looked to be IRC bots if I recall correctly.  Hardly so new that 
they are a secret.  www.honeynet.org/papers/bots





Re: [Clamav-users] Arrogance toward well-meaning participants (was: undetected malwares)

2005-06-07 Thread Bart Silverstrim


On Jun 6, 2005, at 12:26 PM, Tomasz Kojm wrote:


On Mon, 6 Jun 2005 17:51:35 +0200
Julian Mehnle <[EMAIL PROTECTED]> wrote:


Tomasz Kojm wrote:

Michel Arboi wrote:

I was about to ask how I can help the project. I will not. I
think that
you don't need "bad" people.

Good bye.


You're a troll. Go away!


It's an insolence to cite me out of the real context.

-- begin --

From: Tomasz Kojm <[EMAIL PROTECTED]>
To: ClamAV users ML 
Reply-To: ClamAV users ML 
Subject: Re: [Clamav-users] Re: undetected malwares
Date: Mon, 6 Jun 2005 16:41:09 +0200
Sender: [EMAIL PROTECTED]
X-Mailer: Sylpheed-Claws 1.9.11cvs5 (GTK+ 2.6.4; i686-pc-linux-gnu)

On Mon, 6 Jun 2005 16:34:21 +0200
Michel Arboi <[EMAIL PROTECTED]> wrote:


On 06/06/05, Tomasz Kojm <[EMAIL PROTECTED]> wrote:


You're distributing malware, so you're bad.


Clamav does not even catch half of the worms that are currently in the
wild. Most of them are dangerous IRC bots.
I was about to ask how I can help the project. I will not. I think
that you don't need "bad" people.

Good bye.

PS: you're distributing an outdated scanner, I'm not sure you are
better than me.


You're a troll. Go away!


My interpretation was he tried to help out in a way others deemed 
inappropriate, they replied to him in turn in an inappropriate manner, 
and he snapped back in a way he probably shouldn't have if he had been 
replying with a cooler head.  I wouldn't classify it as being a troll 
post, and I personally don't think I'd really blame him for taking it 
personally enough to snap back at people on the list, given the 
context.



-- end --


A tendency to ridicule people who even just remotely insinuate that
not everything about ClamAV is perfect can certainly be observed on
this mailing list.


This is not true.

What can certainly be observed on this mailing list is a tendency to
attack and reproach the developers.


Actually I respectfully disagree here.  I haven't seen a tendency to 
attack and reproach developers, but I may have seen MANY posts and 
threads congratulating you on the good work you're doing (and I agree 
with them).  I have seen a tendency for people with differing opinions 
to get scorched if they disagree with some aspect of ClamAV's 
implementation or virus/phishing/trojan/worm detection/classification 
philosophy though.


This is just my impression.  If people want to back it up with solid 
numbers by digging through the archives, feel free to spend time doing 
so, but to me this is the impression I've received in my time on the 
list.  This particular thread would have been a great opportunity to 
have the developers and list members shine in their responses, but 
instead the impression comes off as if there is a core group of 
elitists telling someone who may not have known better in regards  to 
the protocols observed for the list to p*ss off instead of trying to 
help them out.  I could always try an unscientific approach by printing 
out most of the thread and asking some non-techie people to read it and 
get their impressions of who has been acting inappropriate with or 
without cause...see what they'd have to say.  I get the feeling that 
this thread would not be a highlight in a customer relations handbook, 
though.



Don't you notice you are shooting yourself in the foot by alienating
people who want to help the project?


We don't need help from people who distribute malware on their www
sites (and even fail to properly classify samples).


That wasn't what he was trying to do though.  His intention was to help 
you.  He took samples that weren't hard to find since they're actively 
spreading in the wild on their own, went on the list and asked for the 
decision-makers to add them to the signatures.  If he was just a 
"malware spreader" he wouldn't have come to the Clam list asking to 
have them included.


Are you implying that if you make a mistake in protocol that you're too 
stupid to be worthy of helping out in some way with Clam?  I thought 
(maybe incorrectly) that he did submit the samples in the proper 
channels but didn't get feedback on it.


I believe his intentions were good but he made a mistake.  Instead of 
pointing this out there were a group of people that made him out to be 
a retard or imbecile.  I can't blame him if he thinks that only thing 
that makes him an imbecile in this matter was taking some of his time 
to try and get some things detected with Clam and instead getting 
insulted for it.



I voiced criticism, now call me a troll.


I've nothing against constructive criticism but the OP's last message
was a boorishness and not criticism.


It was.  It was an insult.  I think it is understandable given that to 
me it was provoked, and not necessarily aimed personally at you but 
instead to all on the list that were giving a virtual flick-off.  As an 
observer the response he got wasn't really well deserved and it appears 
that now everyone is being overly defensive instead of stopping to say, 
"You know, y

Re: [Clamav-users] Arrogance toward well-meaning participants (was: undetected malwares)

2005-06-07 Thread Bart Silverstrim


On Jun 6, 2005, at 12:10 PM, Kevin W. Gagel wrote:


On 6/6/2005 5:54 PM +0200, Kevin W. Gagel wrote:

Tomasz,

The best defence against such childish behaviour is to
consider the source and not bother to respond.

You're above such childish behaviour, the child is not.
Don't bother responding to it...


I'll bite, who's childish ? We can't tell, because you
decided to top-post.

Niek Baakman


I don't think it matters who started it or who ends it.

Thanks to all the volunteers who have added their coding
skills to ClamAV. Excellent job and great effort.

Thanks to all who contribute in countless other ways.

Without your efforts many of us would be at the whims of
closed source, capitalistic business practices and subject
to slow or non-existent help.

You guys rock!


While the developers do work hard and have done a great job, that 
doesn't really resolve the problem here that, it appears to me anyway, 
there was an attitude problem towards someone who may be new to the 
list trying to help and subsequently getting a virtual slap to the face 
for it.  Does the original poster have a history of being a problem or 
troll?  I didn't see in this thread where he was out of line, but it 
certainly appears that others were.


It's a little odd to me that some would go out of their way to insult 
the guy then say "oh well, it doesn't matter because CLAMAV ROCKS MAN!! 
 YOU GUYS ARE AWESOME!  WOOO YEAH!".  This thread had nothing 
whatsoever to do with whether or not the team is doing a good job, it's 
routinely acknowledged on this list that they do a great job and it's 
not an easy one.  What this thread was about, again from what I can 
tell, was a guy trying to contribute to the group and getting crap for 
it which is rather inappropriate in my opinion.  If you don't like what 
he was trying to do, then I do think there are better ways of handling 
it than have been acknowledged on the list, and not resolving it can 
make the developers and the participants in this list look rather 
elitist and will not help ClamAV's image with other users when trying 
to be taken seriously.  If there's another way to get things submitted, 
tell him.  If he already did and hadn't gotten feedback, maybe there 
could be some people who would coordinate some form of feedback system 
on whether a sample is in the works or in the queue or something like 
that or an automated sig-maker system could be worked on as a project.  
If the things he is asking be included in the malware detection code 
isn't going to do it because the developers have vetoed it, then tell 
him.  Don't just insult the guy.  Geez.  :-(




Re: [Clamav-users] Arrogance toward well-meaning participants (was: undetected malwares)

2005-06-07 Thread Bart Silverstrim


On Jun 6, 2005, at 11:56 AM, Niek wrote:


On 6/6/2005 5:54 PM +0200, Kevin W. Gagel wrote:

Tomasz,
The best defence against such childish behaviour is to
consider the source and not bother to respond. You're above such 
childish behaviour, the child is not.

Don't bother responding to it...


I'll bite, who's childish ? We can't tell, because you decided to 
top-post.


I'm trying to figure out the "childishness" aspect as well...while the 
insinuation that ClamAV is outdated because it doesn't detect those IRC 
bots wasn't the most mature response in the world, I can certainly see 
why he'd say that after the reception he got on the list.


As for the top posting, pointing it out is a bit off topic and 
contributes nothing to resolving the issue...even though I would agree 
with your implications :-)


So far in the thread I've seen a guy try to help out by submitting 
stuff (in an incorrect manner?) to be detected that currently isn't, 
people respond inappropriately to someone trying to be helpful, someone 
replying to that inappropriate reply by asserting that when there's an 
implication that ClamAV isn't the best that those people are ridiculed 
and marginalized instead of having their opinion taken seriously, and 
that message is met with an accusation of being childish without 
explanation.  I would start to wonder as an outsider if this is an 
elitist attitude within a group using/developing ClamAV...would they 
prefer that if you don't actively promote or develop Clam that you just 
go away and leave them be?  Or is this just a rogue group with big 
voices making the group look bad?




Re: [Clamav-users] Re: undetected malwares

2005-06-07 Thread Bart Silverstrim


On Jun 6, 2005, at 11:22 AM, Matt Fretwell wrote:


Michel Arboi wrote:


You're distributing malware, so you're bad.


Clamav does not even catch half of the worms that are currently in the
wild. Most of them are dangerous IRC bots.
I was about to ask how I can help the project. I will not. I think
that you don't need "bad" people.



 Calm down chaps :) It is a bad idea to put the files where they are
publicly available. That is a simple fact. You are possibly helping to
spread the problem. However, if the files are not currently detected,
submitting them would be helpful. If you ask on the list, one of the
devel's will advise you regarding how, if you have a large amount to
submit.


I think he said he did submit them but didn't get feedback on it.

As for posting them while I'm sure there are opinions both ways, he 
probably didn't feel like it was violating anything that a script 
kiddie with an IQ above a hamster didn't already have or have access 
to, since they were "captured" in the wild.  I just finished reading a 
honeynet bot tracking paper where they had their Win2k/XP honeypots 
violated in ten minutes on a dialup line, and they easily captured IRC 
bots with some monitoring utilities in a very short amount of time.  Is 
this going to degenerate into a war of information freedom vs. security 
through obscurity?  Hope not...


He was catching things and posting them not out of malice but in an 
attempt to be helpful to the group, methinks.



PS: you're distributing an outdated scanner, I'm not sure you are
better than me.


 The devel's time is not infinite. I am sure most of them do have other
jobs and things to do also. Do stop trolling and just ask them how to
submit the virii :) ( No use being of a subtle disposition on this 
list :)


I also would disagree that he was trolling...sounds like he's peeved at 
the acidic response he got when he was just trying to be helpful.  If 
my kid drops a bowl of cake batter while trying to "help" daddy in the 
kitchen while he's baking, sure I'm upset for a second or two,...but he 
didn't do it on purpose and his motives weren't bad.  He's just being a 
kid, and I should be glad he was trying to help me out.  This guy found 
that a number of "malware" programs weren't detected as such by ClamAV 
while other "AV" products did detect them and he was trying to bring it 
to the attention of the ClamAV people.  If he were trying to be a prick 
or have ill intentions, I'm pretty sure he wouldn't have bothered 
coming here to have bile thrown back at him for his efforts.


If his message is considered trolling...geez...haven't you guys been on 
Usenet at all?  THAT has true trolling.




Re: [Clamav-users] Re: undetected malwares

2005-06-07 Thread Bart Silverstrim


On Jun 6, 2005, at 10:34 AM, Michel Arboi wrote:


On 06/06/05, Tomasz Kojm <[EMAIL PROTECTED]> wrote:


You're distributing malware, so you're bad.


Clamav does not even catch half of the worms that are currently in the
wild. Most of them are dangerous IRC bots.
I was about to ask how I can help the project. I will not. I think
that you don't need "bad" people.

Good bye.

PS: you're distributing an outdated scanner, I'm not sure you are
better than me.


Some sigs were probably removed at some point, weren't they?

ClamAV has shifted from being an antivirus into a general malware 
detector with emphasis on detecting emailed malware.  It's not a 
general antivirus, from what I can tell.  Just another layer of 
defense.  While the ClamAV team has done a great job at keeping up with 
the deluge of email trojan crap out there, good luck catching all 
malware out there...




Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 7:06 PM, Damian Menscher wrote:
On Tue, 17 May 2005, Dennis Peterson wrote:
Damian Menscher said:
Since you are speaking for all of us what do we think of your 5 line sig?
I bet some of us think it sux.
As do I.  But I think you'll agree it is about as dense as possible 
given the amount of information (I work two jobs, and my employers 
require me to include that fifth line when posting to public lists). 
But that's off-topic for this list also.
You don't have a personal email address to use in the lists?
And what about the other four lines each and every time?
I found the DNS discussion interesting and it helps to understand what
other mail admins are thinking about the processes around clamav and
email.
It's mildly interesting, but has nothing to do with ClamAV.
Then give it some time and the thread will die, as all the other 
threads do eventually.  Everyone gets tired of this stuff eventually.  
But it's also important to acknowledge that this is a ClamAV user 
community, and obviously there are some members of the community that 
have found a topic that strike a nerve...let'm play it out or it'll 
just keep coming up again.

And did you not find the clamd log permissions debugging segment in
another thread educational? I did.
I found Stephen Gran's comment interesting, in that he beat me to 
finding the bug (I'd wasted time looking in clamav-milter.c first). 
The rest of the posts, including your arrogant ramblings, were 
worthless.
I'm sure people looking through archives and seeing how members of the 
community regard others' input as worthless and arrogant will certainly 
reflect nicely on the community...

Does it occur to anyone that maybe within this ClamAV community some 
people have found others that  they think may have respectable opinions 
worth listening to, that they may not find in the other groups?  That 
maybe these people here are a good resource from which to learn?  Just 
because I have a friend that is big on Fieros doesn't mean he doesn't 
have other interests or experiences that I respect hearing about, even 
if it's while he's working on the Fiero at the time...

It was an informative day with no major new clamav issues - that's a good
thing.
Well, the LogFile thing is "major" in the sense that it confused a lot 
of newbies.  But the rest of the discussion here today has been a 
complete waste.  You people really need to spend more time reading 
what others have done, rather than spending all day screaming your 
heads off about your own little viewpoints.
When a thread seems to just take up space to me, I just use the thread 
view so all the messages to a particular thread are in one group, then 
highlight it and hit delete.

Unlike spam, no one is trying to munge, mangle, or hide the origin of 
these messages.  They're fairly easy to actually hit delete and have go 
away.  And also unlike spam, when I ignore a thread, it goes away after 
a relatively short time and it's also easy to redirect to a clamav 
folder for organization...

But that's just my arrogant, worthless opinion.


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 4:03 PM, Bill Taroli wrote:

Steffen Winther Soerensen wrote:
This seems more like a discussion for another mailing list or a Usenet
group on MTAs/SMTP IMHO
I don't disagree... are there any good ones for SPF or similar 
debates? I do think -- much as you'd find in the Amavisd list -- that 
these issues do tend to intersect and overlap in various ways. While 
clamav is obviously about virii, it routinely gets deployed right 
along side spam and other tools.
I'd argue that ClamAV is no longer even "just an AV".  It was crossing 
the line to "malware detector" when it started filtering phishing 
attempts that have nothing to do with viruses, much as Spybot now 
detects several Bagle variants.

Not saying it's good or bad...just stating the way it appears to be 
from this observer's viewpoint.



Re: [Clamav-users] sober.p, spf, dns, nazis, fruit-of-the-loom, lucky charms

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 5:35 PM, [EMAIL PROTECTED] wrote:
perhaps it's time clamav-users be split into clamav-help and 
clamav-discussion. something like that maybe.

but the list is sagging under the weight of all this metadiscussion. 
am i the only one growing weary of not just meta-discussion, but 
meta-meta-discussion?
There are so many other things to be weary of.  Is it really worth the 
time to fight and complain about a large number of messages with the 
same subject line, handily threaded, from a non-forged source address?

I mean...I'm on another mailing list that gets over a hundred messages 
a day.  I love it when there's a thread that I'm not participating in 
on that one...one delete gets rid of all the messages stored in that 
thread all at once.  More than that, I'm already filtering my mailing 
list messages so they're contained reliably in subfolders to store out 
of sight until I'm ready to look through the messages.

All that, as opposed to, say, the spam that may or may not be getting 
accurately filtered, and may or may not be taking up space in my inbox, 
about stuff I never want to read and unlike mailing lists can't 
unsubscribe from.

Also, if I ignore the thread, it sooner or later goes away on its own. 
I can't tell you how many times I've deleted and filtered messages to 
enlarge my member or get bigger boobs and yet they *just keep coming*.  
Amazing.  But threads on mailing lists?  In the worst case scenario, 
the annoying topic just flares up every couple of months.

But that's just my viewpoint.  I mean, I get more annoyed by people 
that top-post, or can't seem to get their mail client to put the right 
information into their "your name" or "reply-to" fields than people who 
get overinvolved in an inflammatory thread in a mailing list, where 
pleas to end the thread end up actually prolonging the thread...

Again.  Just my view.  *shrug*  People will do what they want to do 
anyway.  My users have taught me this fact of life :-)



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 3:39 PM, Dennis Peterson wrote:
[EMAIL PROTECTED] said:
For email transfer and MTA's alike, putting SPF in DNS to help
"authenticate" the source is a step in the right direction.  If SPF is a
good idea, and it is dns based, then so should forward-and-back lookups.
If additional mail standardization can take place (again) then spam can be
reduced to a certain degree.  I much like Brian Read's idea of blocking
mail xfer from sites which are not authenticated (SASL) or who cannot give
a proper reverse lookup.  Every ISP we have worked with have been happy to
create or change a PTR entry in their dns, even if it took a lot of work
to get the ISP to do so (I even offered to do it for one isp and they
finally did it themselves).

If we can standardize the set of rules and protocols required for an MTA
to accept an email, then spam will reduce.  Either that or we need to
build a better mousetrap. This is just my $0.02.

Your thoughts?
-Eric
How would you handle the PTR record for an SMTP server that hosts 500
virtual domains?
Guess by charging a nominal fee for those hosts to have the record 
maintained?  :-)



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 3:21 PM, [EMAIL PROTECTED] wrote:
On Tue, 17 May 2005, Damian Menscher wrote:
Would the person who implements this do me a favor and make the virus
pretend to be a viagra spam?  If we format the hard drives of people
that buy from spammers, and the media picks up on it, then everyone will
be informed of how dangerous spam is.  Nobody will click it anymore, and
spammer profits will plummet.  This has a very real chance of
eliminating the spam problem.

Kill two birds with one stone... I like it.
Nice. That couldn't be cleaner.  There are plenty of ways of harmlessly
disabling a system (no lost data, just no boot) and that would certainly
be an awakening call for everyone across the board.  People would get to
reinstall their os and lose at least 2hrs of time.  I really miss the
days of destructive viruses.  We just don't really see 'em like we used
to.  Remember Michaelangelo?  What was his birthday again?

/me stops reminiscing of the good ol' days.
Actually I don't know if users would be affected by an hour or two 
charge of reinstalling the OS.  Lose their favorite bookmarks or the 
report they were working on, they might remember that.  But just 
hitting "next" a couple times...then again, re-entering a 50 digit key 
and reactivating XP is a pain in the butt. :-)



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 12:17 PM, Matt Fretwell wrote:
Bart Silverstrim wrote:
Maybe even do a reverse check to see if there's a mail server on the
sending system...how many systems would break doing a check like that?
 The sending server isn't guaranteed to be a MX, so any DNS MX or reverse
connection tests would fail.
No guarantees in life :-)
No matter what solution is put into place, there's going to be problems 
for some group that they would need to adapt to.  There has to be some 
sensible solution that doesn't involve fifty patches and hacks and 
sub-scanners...
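The "forward-and-back lookups" Eric proposes in the sober.p thread above, and Matt Fretwell's point in this thread that the sending host is not guaranteed to be an MX, are illustrated by the following added example; it is not code from the list or from the ClamAV project. It performs a forward-confirmed reverse DNS check on the connecting client's IP: the PTR name(s) for the address are resolved forward again, and the check passes only when one of them resolves back to the same address. No MX lookup is involved, which is why a host that only sends mail still passes. The resolver is a pluggable callable and the zone data is constructed for the example, so it runs offline; `sample_resolver`, `fcrdns_check` and `smtp_policy` are names chosen here, and the addresses are documentation ranges.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an SMTP client address.

Added example; not code from the clamav-users list or the ClamAV project.
The resolver is injected so the check can run offline against constructed
records; swap in a real DNS client for production use.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver takes (qname, rtype) and returns the answer rdata as strings.
Resolver = Callable[[str, str], List[str]]

# Constructed sample zone data (not real DNS records).
_SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # Clean case: PTR -> name, name's A -> same IP.
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["198.51.100.25"],
    # PTR exists but the name's A record points elsewhere (forged reverse).
    ("26.100.51.198.in-addr.arpa", "PTR"): ["mail.example.net"],
    # Several PTR names; only one of them confirms, which is still a pass.
    ("7.113.0.203.in-addr.arpa", "PTR"): ["old.example.org", "relay.example.org"],
    ("old.example.org", "A"): ["203.0.113.99"],
    ("relay.example.org", "A"): ["203.0.113.7", "203.0.113.8"],
    # 203.0.113.50 deliberately has no PTR at all.
}


def sample_resolver(qname: str, rtype: str) -> List[str]:
    """Look up constructed records; unknown names return an empty answer."""
    key = (qname.rstrip(".").lower(), rtype.upper())
    return list(_SAMPLE_ZONE.get(key, []))


def fcrdns_check(client_ip: str, resolver: Resolver = sample_resolver) -> str:
    """Return 'pass', 'no_ptr' or 'mismatch' for the connecting address.

    Only the client's own PTR and forward records are consulted; the check
    does not care whether the host is listed as an MX for any domain.
    """
    addr = ipaddress.ip_address(client_ip)
    ptr_names = resolver(addr.reverse_pointer, "PTR")  # e.g. 25.100.51.198.in-addr.arpa
    if not ptr_names:
        return "no_ptr"
    forward_type = "AAAA" if addr.version == 6 else "A"
    for name in ptr_names:
        for answer in resolver(name, forward_type):
            try:
                if ipaddress.ip_address(answer) == addr:
                    return "pass"
            except ValueError:
                continue  # malformed rdata never confirms
    return "mismatch"


def smtp_policy(client_ip: str, authenticated: bool = False,
                resolver: Resolver = sample_resolver) -> str:
    """The policy Eric describes: SASL-authenticated clients are accepted,
    unauthenticated clients must present a confirmed reverse lookup."""
    if authenticated:
        return "accept"
    verdict = fcrdns_check(client_ip, resolver)
    return "accept" if verdict == "pass" else f"reject ({verdict})"


if __name__ == "__main__":
    for ip in ("198.51.100.25", "198.51.100.26", "203.0.113.7", "203.0.113.50"):
        print(f"{ip:15} fcrdns={fcrdns_check(ip):8} policy={smtp_policy(ip)}")
```

Run stand-alone it prints one line per sample address. Note the design choice of returning three distinct verdicts rather than a boolean: an operator will usually want to log `no_ptr` and `mismatch` separately, since the first is an ISP that never set up reverse DNS and the second is a host whose PTR points at a name it does not own.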



Re: [Clamav-users] Re: custom signature files

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 11:28 AM, Morgan Smith wrote:
Jef Poskanzer wrote:
Hey, has anyone made or run across a signature file that matches
all windows executables and all archive formats?  Seems like this
would be fairly easy to create.
---
Jef
Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/

Since not all executables and archives are malicious, ClamAV may not be
the proper tool to use.  If you want to handle all executables and
archives regardless of content, procmail may work well for you.
Googling for sanitizer may help as well.
Maybe something like mimedefang?  Haven't used it, but am considering 
it and read good things about it...



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 8:48 AM, Dennis Peterson wrote:
Bart Silverstrim said:
To me, that price is learning how to do it right.  Price isn't always
monetary.
I wouldn't argue with the idea of having to tell your provider that you
need your particular connection unfiltered and leave it unfiltered
because you're setting up the server.

What you are paying for is their trust that you are doing your part
correctly.
I'm not sure of that...maybe that's your relationship with your 
provider, but I know what I was looking for when I bought access :-)

As an ISP my greatest investment aside from my hardware is my
IP. Anything that puts it at risk puts all at risk.
Your intellectual property?  Or do you mean your address?
Policy describes I do
all I can to protect that investment so I set the rules. I don't have to
trust my average customers because I manage the resources.
And vice-versa.  If you want to offload the responsibility and 
liability.  I'm telling you there are people who don't want that, and 
if they're willing to shoulder the burden it should be shifted to them.

Second, as a business, businesses cater to market desires.  If you 
don't want to do that then that's your business.  You probably won't 
lose a huge number of people because of it but there are some that 
would leave if they couldn't find a solution that fits them.  Most 
businesses understand that there's a balance...give customers what they 
want, and they will be your customers instead of your competitor's.  
Other businesses don't really care or don't want to serve that kind of 
market.

If you come to me and ask me to loosen my rules I will do that but you
have to invest in my trust in you. By requiring you to have a higher
liability I encourage you to avoid activities that put your investment
in jeopardy.
*shrug* fine with me. :-)
Imagine I am an ISP and you are a customer and you spam the world with
your own machine, drawing attention to my IP block. As is the norm, my IP
is blacklisted and I have to go to the blacklist vendors, hat in hand, to
explain that you, not I, did the dirty deed, and that I've pulled your
account. Personally I would probably find you and kick your ass, but
technically, I could have avoided the problem by requiring you to use my
smtp server and my traffic policies.
Ahh...see...there are other things that can draw unwanted attention.  
And while using just your resources may be one way to prevent the 
problem, there are others as well, and it's not a guarantee that you'll 
be entirely protected still.  There are trojans now spamming through 
the legit servers now.

Blocking ports can have oddball side effects...secondary collateral 
damage.  Not always significant, but non-blocking is one less thing to 
worry about.

And why must I trust you?  Is there something else you're doing to the 
email that I don't know about?  After all, you could be subpoenaed into 
handing over copies of my email to other people without my knowledge or 
permission. What if I want to have my email stored on my servers with 
my own resources instead?  Unless you're covering something up, 
perhaps?

So if you're going to shoulder the burden of protecting me from my own 
stupidity to keep yourself looking better and off lists, what else are 
you going to block or monitor?  I mean, RIAA surely must be knocking at 
your door if you have more than a hundred users out there.  So you 
block those ports too?  Monitor for any and all programs that can be 
used for file sharing?  Mandatory website traffic blocking to prevent 
porn from hitting the end user?

Maybe you could require users to only run Linux or OS X, immune to most 
attacks and thus making your network better and safer?  Or probe your 
customer's systems to see that they have the latest updates, and if 
not, cut off access at your router and have them redirected to a site 
that has the latest updates for Windows and not allow access until the 
updates are installed?  There are some colleges that take that 
approach. I wouldn't want the liability of forcing a customer to update 
to the latest service pack and possibly having it keep them from 
booting or wiping some data, but hey, to each their own.

Now imagine you are one of 25,000
customers I have to deal with. Where do you think I'm going to put my
effort?
Serving the customer the service they want? :-)
If I don't want anything other than access, that's all I'm looking for. 
 I don't want to pay for blocking, filtering, or storage space on your 
servers.

It can be argued that true spammers are so profitable they can afford to
throw away any reasonable fees I might impose.
Considering that they're A) using zombied Wintel crap to spam and/or B) 
using foreign soil systems to spam, I don't think that's the problem.

It is certainly true, but
what I advo

Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 2:17 AM, Alan Premselaar wrote:
Jef Poskanzer wrote:
..snip...
And finally, if you want to run a check on the HELO string, I find
that just rejecting outside connections that claim a HELO of your own
hostname gets rid of a very high proportion of crapmail.  This
very simple check is successful enough that I'll probably publish
a "notme_milter" at some point after spfmilter gets out of beta status.
I already do this with MIMEDefang.  It's proven quite effective.
I don't bother with any of the other checks because they either take too
many resources or have potentially too much collateral damage.
What I'd like is a system that takes incoming mail, strips rich 
text/html and reinterprets it into plain text, strips attachments and 
puts them into an ACL-controlled quarantine so users can get to them 
only if they really wanted them (within X days before it's wiped from 
the database and storage area) whether it's a networked fileshare or 
(probably better) a website.  Stick headers in as to probability of 
message being spam so client filtering can work still.

Have DNS lookups on the helo string...not valid, don't take it.  Maybe 
even do a reverse check to see if there's a mail server on the sending 
system...how many systems would break doing a check like that?  Enough 
to be significant?  Build in some tarpitting if the same site keeps 
hitting users on your site that are invalid more than X times when 
checking against your user database.

How much collateral damage would a system like this cause, I wonder?
After yet another day of putting up with all this crap from viruses, 
there's a part of me that wonders what would happen if someone wrote a 
virus that would pull a sober.p "infectinfectinfect...sleep...payload" 
trick where instead of turning the computer into a spambot would 
instead delete some system files so Windows wouldn't boot again, 
forcing people to STOP CLICKING ON RANDOM ATTACHMENTS and fixing the 
problem systems.  Isn't that the primary trick being used now to spread 
spam and viruses?  People are clicking and running attachments from 
other viruses and are clueless about NOT CLICKING RANDOM ATTACHMENTS?  
Although I already know people abhor the idea and it's definitely not 
the first time that idea's been entertained in some twisted form of 
vigilante online justice.

*sigh*  too much of this stuff makes Johnny a dull boy.  Need more 
sleep.



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
Most of the spam I've gotten the last three days is from comcast.net.
Apparently they allow their customers to send out to port 25. They should
lock that down so that spam goes out through their own servers so they can
feel the pain when they are blacklisted for incompetence. If you need to
run your own stand-alone mail service you should pay the price for the
privilege.
To me, that price is learning how to do it right.  Price isn't always 
monetary.

I wouldn't argue with the idea of having to tell your provider that you 
need your particular connection unfiltered and leave it unfiltered 
because you're setting up the server.

I'm paying for the bandwidth of a connection.  If anything you're 
saving the ISP money in labor to maintain your mail spool, you're 
saving them disk space, and you're saving them liability...because 
you're willing to shoulder the burden yourself.  The price here is 
you're doing the administration, you're sacrificing your disk space, 
and you're sacrificing the ability to complain to them when the disk 
dies and there's not a backup and you don't have 24/7 connection 
reliability, only a "reasonable" connection.

It's kinda stupid to me that you'd save them some space and time and 
liability and have to pay them for taking away a sliver of a headache, 
if all you want is a connection...and you may even be one of the small 
percentage that if you run the services yourself, you won't be on their 
tech support line.  Seems like that's the biggest "cost" for ISPs.  For 
people who are willing to learn and put work into maintaining it the 
cost of getting a "business class" connection is so high 
that...well...they'd have to be a business to get it.  Or at least get 
it and not subsist on bologna and Cheerios for meals.



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 1:54 PM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 11:05
I did enter it in when I first discovered it, but there were no hits.
Ok, next time mention it ;-)
Here I thought it was common sense now! :-)
Apparently it will be very hard to block if it's just text without
extra spammer tricks in it to bypass filters...
There is a list of known subjects which can be fed into
spamassassin.
But in a few days that spam will stop.
I used someone's advice from the list to add to the header_check file 
for postfix.  Seems to have stemmed the spam.  I'm gonna be ticked if 
it stops now that I just got that all set up... :-/

I thought it was odd that our hammering from particular sober.p
infections were consistent in IP.
I scanned our logfile today:
there were
?  Missing part of that?
If they were spoofing (this was from the logs that I extracted that grep),
then why wouldn't I have 16000 different sober.p sources instead of a
few of them over and over?
They use 16000 different home PCs infected before.
That one IP showed up in the log as hitting us 16000 times.  Unless 
you're saying there were 16000 pc's all spoofing that same IP.  If so, 
I pity the "owner" of that IP lease.



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 1:41 PM, John Jolet wrote:
This email, for instance was sent from a properly configured mta 
running antispam and antivirus scanning in BOTH directions, from a 
dynamic ip.  If my wife sends email from her computer, it goes to the 
isp's mta, which does inbound only scanning.  I have several rules in 
place for postfix to force it to use my isp's mta for domains that 
refuse traffic from dynamic or "residential" ip addresses.  The price 
for a non-residential ip from my isp is nearly double that for 
residential.  Do I get any added-value service for that?  No, in fact, 
I lose the ability to take faulty equipment directly to the service 
center for replacement, instead of waiting for a service call.  I 
think more people running mtas would take the tack of examining the 
TRAFFIC, not the IP it came from.  That's just laziness.
Also...what if you don't trust your provider?  What if you want to have 
more control over the spam filtering, the virus handling...data 
retention...remember, in the US, your ISP records can be searched now 
without them being able to notify you, and your messages logged from 
their mail server.

Yes, there are ways around it, but why make it really easy for the 
people the tin-foil-hat brigade fears?

And what if you believe that people willing to take responsibility for 
their connections should be allowed to do so?  It's the irresponsible, 
the lazy, and the foolish that are setting up open relays today.  If 
someone is willing to take the time to wear the sysadmin hat and do it 
right, they should be able to run their own mail service.  The ISP 
should be just that.  Internet Service Provider.  Gimme my connection 
and leave the rest to me, thank you! :-)



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:06 AM, Thomas Hochstein wrote:
Bart Silverstrim schrieb:
That address had been hammering us over and over for awhile with
sober.p.  Now it's become quiet.
Yes. Now the infected hosts are sending out spam containing (very)
right-wing political propaganda.
Don't read German, and haven't had the pleasure of the English versions 
(yet?)...so, I guess it's another case of "I'm not the target 
audience."

(anyone know offhand how to use the access file for postfix to reject a
message by *sender* instead of recipient?)
Those senders are faked.
Thanks to someone else's posting, I found some regex lists to put into 
the header_check file for postfix...should put a stop to it.

I HATE that solution simply because it's too easy to forget about it 
and people who may send such headings in the subject line are blocked 
as well (there are courses here where you never know...the German 
course may have someone send info on Dresden in 1945...).

I also know there can be collateral damage from it.  Weigh...invalid 
bounce, or "silently dropping" messages that may be legit...hmm...

Some days it's just not worth using the Internet anymore.
-Bart


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 11:08 AM, Randal, Phil wrote:
It's easy to block.
Check the handler's Diary at http://isc.sans.org/ and follow the links.
Thank you, that's my next task when I get a block of time today.
Thanks again!


Re: [Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:51 AM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:27

What is the current database version from freshclam for people out
there?
It's always shown in the bottom line of
http://www.clamav.net/
 Latest database release is: main.cvd 31 daily.cvd 879
 Latest ClamAV stable release is: 0.85
Thanks for the info.  I didn't realize that was there...I knew there 
were recent threads about versioning problems going around, and began 
to suspect something was wrong with this one.  Apparently not.

I've been getting a huge number of bounces with german
subjects, addressed to people with usernames beginning with 3d (just
starting to investigate what is going on with this...)
"3d" is "=" and originates from broken ISO interpretation.
Figured that.  Knew that most bounces/address attempts with that prefix 
tended to come from viruses.

but the past few freshclam runs have shown nothing new.
Why should clamav point up?
Those are just "bounces", there is NO worm inside.
They are just sent by a worm.
There's nothing a virus scanner can do anymore. It's too late now.
What I thought we were seeing was an attempt for a virus to propagate.  
I've had bounces in some mail systems that still contain the virus, or 
even if they didn't, I hoped that I'd see something change at the 
bastion server (update virus database, whatever was trying to propagate 
would suddenly get flagged as a virus instead of get through and become 
bounce fodder).

Write to the abuse account of the originating host,
and beg him to reject all messages for unknown users,
and not to bounce them.
The ones I was searching through were actually undeliverables to 
nonexistent accounts within our network.  I was getting the error 
messages to follow up on.

-Bart


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:51
Maybe you should have simply entered it into google?
I'm quite sure that google would have led you to the right place.
Yes, google can search for german strings too! IMOH ;-)
I did enter it in when I first discovered it, but there were no hits.   
I thought perhaps it was too new at the time, and then turned to the  
lists to corroborate what I was seeing.

and the text appears to be just a link to a website...?
Yes, it is.
Many of them are pointing to websites of
reputable printed newsletters/magazines like "Der Spiegel".
Apparently it will be very hard to block if it's just text without  
extra spammer tricks in it to bypass filters...or at least not enough  
to cross the threshold of spam vs. regular mail.

Perhaps we now know what happened to sober.p?
See:
http://www.viruslist.com/en/weblog
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
Details in german:
http://www.heise.de/newsticker/meldung/59562
Well...I'm somewhat proud of myself that so far my hunches and  
(amateurish) deductions had me on the right track :-)

(anyone know offhand how to use the access file for postfix to reject
a message by *sender* instead of recipient?)
Write complaints to the owners of the IP blocks!
  The "MAIL FROM" is always faked.
  The URL-owner is mostly "innocent" too.
Block all mails from dynamic IP.
They are 99,99% spam.
Is there a way to do that with the access file/postmap in postfix?   
Block sender IP's/IP blocks?

I thought it was odd that our hammering from particular sober.p  
infections were consistent in IP.  If they were spoofing (this was from  
the logs that I extracted that grep), then why wouldn't I have 16000  
different sober.p sources instead of a few of them over and over?



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:59 AM, Mike Blonder wrote:
OK.
I think I get it. You had identified the oncbuv.com address as a source
for the sober.p garbage earlier and now it is showing up with the German
gibberish garbage.
Sort of.  I can't find oncbuv.com so it's spoofed.  The IP actually 
reverses to a RoadRunner address.  I was hammered by the RR address, 
then administrator had one message in german gibberwocky that 
appeared to be from that IP.



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
I am also getting inundated with German gibberish spam. Would you mind
explaining the significance (if any) of the email address that you posted?
I am finding that the German Gibberish garbage is spoofing a different
email address with each posting.
I'm new to the sleuthing aspect, so forgive me if I'm offbase  
here...(education/explanations always welcome!  Plus it's made harder  
because the messages I have to work with are on a Unix system and  
mangled headers off an Exchange final destination)

I know that usually they alter the headers and spoof (viruses, that is)  
but I thought it strange that we've been hammered by sober.p with that  
same address showing up over and over again in our amavis logs :
# grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
16546

Usually it should vary things, I'd think.  But then one of the first  
german gibberish messages I had found in a mailbox had the following  
right in the header:
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
Coincidence?  The first set I grepped was the IP of Sober.P's being  
stopped at the bastion server over the past couple weeks looking for  
that specific IP name.  The second was a sample german message that  
managed to find its way to the administrator mail account on the  
exchange server.

I mean,...spoofing I understand, and expect...but is it really  
coincidental that these just happened to hit that IP?  That's why I  
wondered if maybe there wasn't a link between the two...that sober.p is  
now a mass mailing spam tool.

Are there any analysis papers out on sober.p yet?  And can anyone else  
corroborate the theory I have, or am I totally off-base here?  I'm  
still trying to figure it out from what I can piece together between  
phone calls for other tasks here :-)

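The grep pipeline in the message above counts one IP's Sober.P hits by hand. As an added example, not from the original thread and not part of amavisd-new itself, the script below parses constructed amavisd-new style verdict lines and reports which client IPs keep delivering blocked infected mail. The sample lines, the hostnames and addresses in them, and the threshold are assumptions for the example; the bracketed client IP after the verdict is where amavisd-new writes it (the archived line quoted above had that field stripped).

```python
import re
from collections import Counter, defaultdict

# Constructed amavisd-new style log lines (sample data for this example only).
SAMPLE_LOG = """\
May 16 08:12:01 bastion /usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), [24.25.128.223] <bounce@example.net> -> <alice@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:04 bastion /usr/local/sbin/amavisd[35706]: (35706-02) Blocked INFECTED (Worm.Sober.P), [24.25.128.223] <info@example.net> -> <bob@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:09 bastion /usr/local/sbin/amavisd[35705]: (35705-11) Passed CLEAN, [198.51.100.7] <carol@partner.example> -> <alice@example.org>, Hits: 0.1, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:15 bastion /usr/local/sbin/amavisd[35707]: (35707-01) Blocked INFECTED (Worm.Sober.P), [24.25.128.223] <news@example.net> -> <dave@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:20 bastion /usr/local/sbin/amavisd[35706]: (35706-03) Blocked INFECTED (Worm.Sober.P), [10.0.0.5] <x@example.net> -> <alice@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:31 bastion /usr/local/sbin/amavisd[35705]: (35705-12) Blocked INFECTED (Worm.Sober.P), [24.25.128.223] <z@example.net> -> <erin@example.org>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
May 16 08:12:40 bastion /usr/local/sbin/amavisd[35707]: (35707-02) Blocked SPAM, [24.25.128.223] <w@example.net> -> <alice@example.org>, Hits: 12.3, tag=0, tag2=4, kill=4, L/0/0/0
"""

# verdict, category, optional detail in parentheses (malware name), client IP,
# envelope sender and recipient.  Categories such as BAD-HEADER contain a dash.
LOG_RE = re.compile(
    r"amavisd\[\d+\]: \(\S+\) "
    r"(?P<verdict>Passed|Blocked) (?P<category>[A-Z-]+)"
    r"(?: \((?P<detail>[^)]*)\))?, "
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\] "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)


def parse_line(line):
    """Fields of one amavisd verdict line, or None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def count_blocked(lines, ip=None, name=None):
    """Structured version of `grep <ip> amavis.log | grep <name> | wc -l`:
    count Blocked verdicts, optionally restricted to one client IP and to
    malware names containing `name` (substring match, like grep)."""
    n = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "Blocked":
            continue
        if ip is not None and rec["ip"] != ip:
            continue
        if name is not None and name not in (rec["detail"] or ""):
            continue
        n += 1
    return n


def infected_by_source(lines):
    """client IP -> Counter of malware names blocked from that IP."""
    table = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "Blocked" and rec["category"] == "INFECTED":
            table[rec["ip"]][rec["detail"]] += 1
    return table


def repeat_offenders(lines, threshold):
    """(ip, count) pairs for clients whose blocked-infected total reaches
    `threshold`, busiest first: the addresses worth following up on."""
    totals = {ip: sum(c.values()) for ip, c in infected_by_source(lines).items()}
    hits = [(ip, n) for ip, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("Sober.P from 24.25.128.223:",
          count_blocked(lines, ip="24.25.128.223", name="Sober.P"))
    for ip, n in repeat_offenders(lines, threshold=3):
        print(f"{ip}: {n} blocked infected messages")
```

Feed it real log lines with `SAMPLE_LOG` replaced by `open("amavis.log")` and the threshold of your choice; the point of keeping the count per source rather than per message is that a single client delivering the same worm over and over is the pattern that separates one infected customer from ordinary background noise.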


[Clamav-users] sober.p and german adverts?

2005-05-16 Thread Bart Silverstrim
Some more info...
I see in our amavis logs on our ClamAV system (postfix pre-filter 
FreeBSD for email) this kind of listing...
/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), <[EMAIL PROTECTED]> -> >, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0

That address had been hammering us over and over for awhile with 
sober.p.  Now it's become quiet.

I notice a huge amount of german messages coming in, getting past the 
AV and our spam filter.  I went into the Exchange server and there was 
one sample message in one of the recipient mailboxes with the following 
in the headers:

Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])

The message has the German subject line and the text appears to be just 
a link to a website...?

Perhaps we now know what happened to sober.p?
(anyone know offhand how to use the access file for postfix to reject a 
message by *sender* instead of recipient?)

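The question asked twice in this thread, how to reject on the sending side rather than the recipient, together with the HELO check mentioned earlier (refuse outside connections that claim your own hostname) and the "block dynamic IP" advice, are all per-connection policy decisions. In Postfix they are expressed through the smtpd restriction lists, with entries such as permit_mynetworks, check_helo_access against a hash: map, check_client_access against a cidr: table and reject_unknown_helo_hostname, evaluated in order. As an added example, not from the thread and not Postfix configuration, the Python below simulates that evaluation order over constructed sessions so the ordering and its collateral damage can be inspected offline; the hostnames, address blocks and the stand-in DNS table are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# All values below are constructed for this example.
OUR_HOSTNAMES = {"mail.example.org", "example.org"}
OUR_ADDRESSES = {"203.0.113.10"}
# Trusted networks, checked first: our own relays and clients legitimately
# announce our name in HELO, so they must be permitted before the HELO test.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "203.0.113.0/24")]
# Blocks an operator has decided to treat as dynamic/residential space
# (the "block all mails from dynamic IP" advice); constructed ranges only.
DYNAMIC_BLOCKS = [ipaddress.ip_network(n) for n in ("24.25.128.0/20", "198.51.100.128/25")]
# Stand-in for forward DNS so the example runs without network access.
FORWARD_DNS = {"mail.partner.example": "198.51.100.7", "mx.shop.example": "192.0.2.25"}


@dataclass
class Session:
    client_ip: str   # address the TCP connection came from
    helo: str        # what the client said in HELO/EHLO


def _is_literal(helo):
    return helo.startswith("[") and helo.endswith("]")


def helo_claims_us(helo):
    """True when the HELO names one of our hosts or our address literal."""
    h = helo.strip().lower()
    if _is_literal(h):
        return h[1:-1] in OUR_ADDRESSES
    return h in OUR_HOSTNAMES


def in_any(ip, networks):
    return any(ip in net for net in networks)


def helo_resolves(helo):
    """Analogue of reject_unknown_helo_hostname using the stand-in DNS table."""
    h = helo.strip().lower()
    if _is_literal(h):
        try:
            ipaddress.ip_address(h[1:-1])
            return True
        except ValueError:
            return False
    return h in FORWARD_DNS


def check_session(s):
    """Walk the restrictions in order and return the first decision."""
    ip = ipaddress.ip_address(s.client_ip)
    if in_any(ip, MYNETWORKS):
        return "PERMIT: mynetworks"
    if helo_claims_us(s.helo):
        return "REJECT: HELO claims to be our own host"
    if in_any(ip, DYNAMIC_BLOCKS):
        return "REJECT: client in listed dynamic address block"
    if not helo_resolves(s.helo):
        return "REJECT: HELO hostname does not resolve"
    return "PERMIT"


class UnknownRecipientTracker:
    """Counts unknown-recipient attempts per client.  Once a client exceeds
    the limit, record() returns True and the caller can slow its replies,
    which is the tarpitting idea from the thread."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def record(self, client_ip):
        self.counts[client_ip] = self.counts.get(client_ip, 0) + 1
        return self.counts[client_ip] > self.limit


if __name__ == "__main__":
    for sess in (Session("203.0.113.20", "mail.example.org"),
                 Session("198.51.100.7", "mail.example.org"),
                 Session("24.25.128.223", "oncsbuv.com"),
                 Session("198.51.100.7", "mail.partner.example")):
        print(f"{sess.client_ip:15} HELO {sess.helo:22} -> {check_session(sess)}")
```

The second session is the case the earlier message describes: an outside host claiming to be us, rejected on the HELO alone. The first session shows why permit_mynetworks has to come before that test; put it after and your own relays are rejected too, which is exactly the collateral damage the thread keeps worrying about. The dynamic-block test runs before the DNS test so that a listed client is refused without a lookup.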


[Clamav-users] database number

2005-05-16 Thread Bart Silverstrim
What is the current database version from freshclam for people out 
there?  I've been getting a huge number of bounces with german 
subjects, addressed to people with usernames beginning with 3d (just 
starting to investigate what is going on with this...) but the past few 
freshclam runs have shown nothing new.

Current output:
# freshclam
ClamAV update process started at Mon May 16 08:24:30 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 879, sigs: 1282, f-level: 4, builder: tkojm)

Platform is FreeBSD, using ClamAV from ports.
-Bart


Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 2:38 PM, Matt Fretwell wrote:
Bart Silverstrim wrote:
This is actually two separate scenarios.
 That was Daniel's fault instigated by his being vague :)
"Now, a clever man would put the poison into his own goblet, because he 
would know that only a great fool would reach for what he was given. I 
am not a great fool, so I can clearly not choose the wine in front of 
you. But you must have known I was not a great fool, you would have 
counted on it, so I can clearly not choose the wine in front of me. "  
Bonus points if you identify what it's from :-p

to which in my head I dreamed a few moments about what it would be like
to be a true BOFH on our network and have the power...political
power...to get away with locking people out of their favorite web sites
despite outranking me in the org chart and what it would be like to not
have to deal with the politics of XYZ not being able to get their
content completely rendered because of some glitch of interaction
between the proxy and scanner and the website they're trying to get
forms from.  Ahhh to dream a little dream!
 Tell the accountants they can save money by locking down a network. You
would be amazed how quickly things happen :) Plus, they get all the
stick from irate users|management :)
Nope, doesn't work that way.  User complaints and convenience are 
balanced against us.



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 10:45 AM, Matt Fretwell wrote:
Bart Silverstrim wrote:
My webmail is configured to use our standard smtp servers for all
inbound/outbound mail. It really isn't all that difficult.
My understanding was that we were talking about people accessing Yahoo
or Hotmail from work, not your own internal mail servers with a grafted
webmail interface.

 Actually it was Nigel, I believe, who suggested using a webmail system
to one poster. It was not regarding explicit webmail servers, rather,
just generic examples were given.

 Dennis was merely pointing out how one of those systems should be setup
correctly. It is not a mailserver with a 'grafted' interface. It is a
webmail system that correctly submits mail in a safe and secure fashion,
to a MTA, in a way good systems should be designed.
My understanding is that it sounded like the original discussion was 
someone with the idea of "phil in HR is reading his email from yahoo, I 
have no control over yahoo, and phil downloaded a virus from their 
email service before they had their AV set up to catch it" (purely made 
up example).  Someone else is chiming in with the understanding that 
phil is reading email from the in-house mail server using the in-house 
web interface front-end, and got a virus because we don't do antivirus 
on the web server handling the mail content for in-house mail.  This is 
actually two separate scenarios.

To which someone replied that in a *PROPER* network that is *well 
managed* this isn't a worry because we block all external mail hosts 
and use a proxy for web traffic that tests content going over it for 
malware, in addition to virus scanning desktops and servers and , to which in my head I 
dreamed a few moments about what it would be like to be a true BOFH on 
our network and have the power...political power...to get away with 
locking people out of their favorite web sites despite outranking me in 
the org chart and what it would be like to not have to deal with the 
politics of XYZ not being able to get their content completely rendered 
because of some glitch of interaction between the proxy and scanner and 
the website they're trying to get forms from.  Ahhh to dream a little 
dream!



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 9:40 AM, Dennis Peterson wrote:
Bart Silverstrim said:
On May 5, 2005, at 8:02 AM, Matt Fretwell wrote:
Daniel J McDonald wrote:
as it is harder to scan those messages for viruses
 Nonsense. Mail is mail. If you are running a mailserver, it should be
able to cope with all types of mail, irrelevant of (creation|submission)
method.
But...if they're using webmail, it bypasses your mail server.  It would
entirely depend on how "up to date" the webmail company's scanner is
and the virus scanner on your user's desktop is...unless you're using a
web proxy with malware scanner.
My webmail is configured to use our standard smtp servers for all
inbound/outbound mail. It really isn't all that difficult.
My understanding was that we were talking about people accessing Yahoo 
or Hotmail from work, not your own internal mail servers with a grafted 
webmail interface.



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bart Silverstrim
On May 5, 2005, at 8:02 AM, Matt Fretwell wrote:
Daniel J McDonald wrote:
as it is harder to scan those messages for viruses
 Nonsense. Mail is mail. If you are running a mailserver, it should be
able to cope with all types of mail, irrelevant of (creation|submission)
method.
But...if they're using webmail, it bypasses your mail server.  It would 
entirely depend on how "up to date" the webmail company's scanner is 
and the virus scanner on your user's desktop is...unless you're using a 
web proxy with malware scanner.



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-04 Thread Bart Silverstrim
On May 4, 2005, at 11:12 AM, Nigel Horne wrote:
On Wednesday 04 May 2005 16:02, [EMAIL PROTECTED] wrote:
.  If you have received this
communication in error, please notify me immediately by telephone or fax
But you haven't given your telephone and fax number, so how can you expect
anyone to do that?
I've always wondered...why do people put confidentiality notices saying 
"if this is not meant for you, erase it, yadda yadda..." at the END of 
the message, so you already know what you're not supposed to know?

I mean, they do know that these "disclaimers" haven't been tested in 
court, but if they were...they'd probably not hold water?

So far the disclaimers only seem to add cruft for people to resend if 
they top post their messages, and make the message a little harder to 
parse. :-)



Re: [Clamav-users] possible new virus?

2005-04-19 Thread Bart Silverstrim
On Apr 19, 2005, at 2:24 PM, Kelson wrote:
Bart Silverstrim wrote:
Do I want to remove the hash before DisableDefaultScanOptions in 
order to get the

sections to work?
No.  This was discussed yesterday.  There are options that are enabled 
by default, and DisableDefaultOptions wipes those and gives you a 
clean slate.  You don't need it -- or want it! -- if you just want to 
enable additional features on top of the defaults.
Okay.  From the sounds of that section you needed to enable it (remove 
comment hash) in order for the features following that statement to 
work.  Do you know what the thread topic was where this was discussed?



Re: [Clamav-users] possible new virus?

2005-04-19 Thread Bart Silverstrim
On Apr 19, 2005, at 1:56 PM, Daniel J McDonald wrote:
On Tue, 2005-04-19 at 11:52 -0600, lists wrote:
How should I submit this to see if it is a virus?
Make certain detectbrokenexecutable is enabled.
Stupid question but I thought I might as well ask anyway...going in on 
my own system to enable this option, I saw the following above it:

# By default clamd uses scan options recommended by libclamav. This option
# disables recommended options and allows you to enable selected ones below.
# DO NOT TOUCH IT unless you know what you are doing.
# Default: disabled
#DisableDefaultScanOptions

Do I want to remove the hash before DisableDefaultScanOptions in order 
to get the

# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: enabled
#ScanPE
ScanPE

# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: disabled
#DetectBrokenExecutables
DetectBrokenExecutables
sections to work?


Re: [Clamav-users] false hits

2005-04-15 Thread Bart Silverstrim
On Apr 15, 2005, at 12:54 PM, Tomasz Kojm wrote:
On Fri, 15 Apr 2005 09:53:11 -0400
Bart Silverstrim <[EMAIL PROTECTED]> wrote:
Hello all...
Question...I recently tried booting up with the Ultimate Boot CD that
included INSERT Linux as one of the images.  I booted to INSERT, ran
freshclam, then proceeded to scan a hard disk on which Windows 98 was
installed.  I had a number of hits showing up within the
Windows/system  directory.  A subsequent scan with a standalone
utility from an AV  vendor showed no sign of the viruses in that
directory.
Make sure your INSERT Linux contains the latest stable version of ClamAV
(0.83). There were some issues with MS05-002 exploit detection in 0.82.
Good point...I don't know what version it was.  It is the default with 
the latest version of UBCD...



Re: [Clamav-users] false hits

2005-04-15 Thread Bart Silverstrim
On Apr 15, 2005, at 10:45 AM, BitFuzzy wrote:
Bart Silverstrim wrote:
I had a number of hits showing up within the Windows/system directory.
Heh, didn't Norton detect windows as a virus at one time?
I remember there was something that reported Windows as a virus.  I 
thought it was some old AV that was made for OS/2.  The Clam team 
doesn't have a sense of humor...they refused my offer to send Win.com 
in for a signature addition :-)

A subsequent scan with a standalone utility from an AV vendor showed 
no sign of the viruses in that directory.
This doesn't necessarily mean anything.
What I would do is do a online scan (I highly recommend 
http://housecall.trendmicro.com)
If you are indeed compromised, there's a chance your AV may be as well
Hope not.  It was a standalone bootable utility to scan hard disks for 
viruses (well, I used the ultimate boot disk to boot to FreeDOS to run 
the scan).  The Clam scan session was also done from a bootable CD with 
the latest definitions.

I do agree with the online scanner, I often use it.  This was more of a 
scanning-an-odd-acting-system that probably had some form of corruption 
before we formatted and reinstalled an OS.

I was just wondering if anyone else had resources to try running the 
scan via a bootable Linux CD (like the INSERT CD) and scan a Windows 
system to see if they were getting oddball false hits.  I just 
dismissed the results initially because it seemed from my many lurking 
sessions (and participation sessions) in the mailing list that Clam was 
and is primarily a mail scanner aimed at getting mail viruses, not the 
"old school" viruses like Brain...perhaps the signatures were just 
picking up oddball patterns on the drive and misreporting it.

I miss the old days when there was a clear delineation among viruses 
and malware and just plain social engineering hoaxes and whatnot. Today 
it's just getting easier for administrators to simply label every file 
that's not approved as unrunnable and do away with AV.  The best move 
we've been taking in months is to adopt Deep Freeze on systems.  Go 
ahead and infect it...we reboot, the infection goes away, along with 
all the chaff and crud that the users have carelessly installed. :-)

___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] false hits

2005-04-15 Thread Bart Silverstrim
Hello all...
Question...I recently tried booting up with the Ultimate Boot CD that 
included INSERT Linux as one of the images.  I booted to INSERT, ran 
freshclam, then proceeded to scan a hard disk on which Windows 98 was 
installed.  I had a number of hits showing up within the Windows/system 
directory.  A subsequent scan with a standalone utility from an AV 
vendor showed no sign of the viruses in that directory.

I was wondering if someone else could reproduce these hits to confirm 
that I wasn't dreaming this up...I'd submit the false hits, but the 
system has since been wiped to install NT and I didn't want to try 
extracting those files from the hard disk and sending them in if other 
people could get the same results.  These appeared to be regular 
Windows dll's that it was getting hits on...

Thanks,
-Bart
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Can phishing be considered one kind of spam ?

2005-04-15 Thread Bart Silverstrim
On Apr 15, 2005, at 9:39 AM, Joanna Roman wrote:
Can phishing be considered one kind of spam ?
Please no...please please no
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 9:43 AM, BitFuzzy wrote:
Bart Silverstrim wrote:
Personally, my gripe is that the product is called ClamAV.  If it's 
expanding its mission to protect people from everything called 
"malware", I'd change the name to something that indicates it's a 
malware detector and not a virus detector.  Phishing scams are *not* 
viruses.  Maybe change its name to ClaMal.  It'll make the O'Reilly 
book cover look interesting, too.

But this would probably never happen.  *shrug*

I can't believe this is still going on! This got old "fast" the last 
time it was discussed.

This isn't about detecting messages concerning Viagra, or getting 
27,000,000 by helping some yutz in Nigeria.

The way I see it, any item regardless of its delivery method that has 
the potential to do harm financially or otherwise should be stopped 
(IMHO) by the AV.
These messages are running out of control. They are clever, and when 
used in conjunction with their associated websites are very hard to 
identify from the real thing.

ClamAV isn't the only agent that detects "Phishing" attempts. McAfee, 
PC-cillin, etc. detect these attempts; why would anyone expect ClamAV to 
do less?

I may be thinking of something else here, but if memory serves the dev 
team will be providing a method for you (or anyone) not wanting these 
detected, to disable it.

and with that the debate should be ended.
Please, calm down.  I wasn't arguing one thing or the other.  I just 
expressed an opinion.  Why should it be that just because you don't 
like to hear the opinion that anyone who shares it must "shut up", when 
this list is monitored by people who may or may not want feedback from 
the users?  You're implying that I should shut up with my opinion then 
you go on to express your own.  Geez.

I wasn't even saying disable it.  I had said, consistent with the 
participation in the past mail list war, that if ClamAV were going to 
start detecting non-virus attacks and stop things that were aimed at 
people who should generally know better by now than to fall for 
scammers and baiters, then it would be better aesthetically if you 
didn't advertise as an anti-VIRUS and instead as an anti-MALWARE 
program, as that is what it was migrating its role to.  Saying the 
neighbors are doing the same thing doesn't help either, since I've 
griped about that as well.  If you're a malware detector, do the search 
engines a favor and advertise the program as such.  It's bad enough 
that people are sloppy with terminology and concepts go way over users' 
heads without making it worse by contributing to the fuzzy definitions.

No debate.  Opinion.  As I also stated in the past it's ultimately up 
to the developers.  Getting a bug up your butt about it will only give 
you a stroke or heart attack.  I'm not a developer and lack the skill 
to fork the project and even if I could, I lack the resources to host 
it...so I use what the developers offer.  They do a very good job in 
the first place.  Doesn't mean I don't differ in opinion once in awhile 
with how things are done, but oh well!

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 8:05 AM, Dennis Davis wrote:
On Tue, 22 Mar 2005, Bart Silverstrim wrote:
From: Bart Silverstrim <[EMAIL PROTECTED]>
To: ClamAV users ML 
Date: Tue, 22 Mar 2005 07:40:18 -0500
Subject: Re: [Clamav-users] Report Phishing attacks?
...
I believe this is what the commercial anti-virus company,
MessageLabs, does.  When I spoke to them a few years ago, they
had licenses for five anti-virus products.  Messages were fed
through the three they considered the best.
You're saying a commercial AV vendor is using competitor's AV
products in addition to their own to protect their systems?
They aren't, as far as I'm aware, a commercial AV vendor.  Instead
they offer a managed email service which provides anti-virus and
anti-spam facilities.  See:
http://www.messagelabs.com/
for details.  Note that:
http://www.messagelabs.com/services/antivirus/detail/default.asp#features

includes:
  Anti-Virus combines Skeptic's predictive technology with multiple
  commercial scanners to detect and combat against viruses entering
  and leaving your organization
Oops! My bad :-)
Thanks for the info!
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 4:58 AM, Rob MacGregor wrote:
On Mon, 21 Mar 2005 17:01:48 -0400, Samuel Benzaquen 
<[EMAIL PROTECTED]> wrote:
I can also say that they don't want to compete against commercial AV 
vendors as I have read here 2^32 times that we should use not _only_ 
clamav, but a list of AVs to improve the chances to catch malware.
Best practice for security always involves defence in depth.  Basing
all your protection on a single AV product, given that *none* of them
are 100% effective, would be short sighted (and particularly given the
current spate of attacks on AV products).
Personally, my gripe is that the product is called ClamAV.  If it's 
expanding its mission to protect people from everything called 
"malware", I'd change the name to something that indicates it's a 
malware detector and not a virus detector.  Phishing scams are *not* 
viruses.  Maybe change its name to ClaMal.  It'll make the O'Reilly 
book cover look interesting, too.

But this would probably never happen.  *shrug*
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 22, 2005, at 6:35 AM, Dennis Davis wrote:
On Tue, 22 Mar 2005, Rob MacGregor wrote:
From: Rob MacGregor <[EMAIL PROTECTED]>
To: ClamAV users ML 
Date: Tue, 22 Mar 2005 09:58:17 +
Subject: Re: [Clamav-users] Report Phishing attacks?
Reply-To: ClamAV users ML 
On Mon, 21 Mar 2005 17:01:48 -0400, Samuel Benzaquen 
<[EMAIL PROTECTED]> wrote:
I can also say that they don't want to compete against
commercial AV vendors as I have read here 2^32 times that we
should use not _only_ clamav, but a list of AVs to improve the
chances to catch malware.
Best practice for security always involves defence in depth.
Basing all your protection on a single AV product, given that
*none* of them are 100% effective, would be short sighted (and
particularly given the current spate of attacks on AV products).
I believe this is what the commercial anti-virus company,
MessageLabs, does.  When I spoke to them a few years ago, they had
licenses for five anti-virus products.  Messages were fed through
the three they considered the best.
You're saying a commercial AV vendor is using competitor's AV products 
in addition to their own to protect their systems?

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread Bart Silverstrim
On Mar 21, 2005, at 5:10 PM, Brian Morrison wrote:
On Mon, 21 Mar 2005 20:06:02 +0100 in
[EMAIL PROTECTED] "Julian Mehnle"
<[EMAIL PROTECTED]> wrote:
Brian Morrison wrote:
Julian Mehnle wrote:
Probably more like: can we have 'technical-threats.cvd' and
'non-technical-threats.cvd' instead of 'main.cvd'?
You don't give up do you? ;-)
Not until someone convincingly explains to me why my request for a
practical option to distinguish between technical and non-technical
threats (i.e. exploitation of technical flaws in software vs.
exploitation of end-user naiveté) is inappropriate.
I'm not commenting on your correctness, merely on your staying power.
For a moment I thought this was spam...
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-21 Thread Bart Silverstrim
On Mar 21, 2005, at 1:20 PM, Brian Morrison wrote:
On Mon, 21 Mar 2005 18:07:31 +0100 in
[EMAIL PROTECTED] "Julian Mehnle"
<[EMAIL PROTECTED]> wrote:
Matthew van Eerde wrote:
Sounds like a feature request to me... "can we have a user.cvd file"
(in addition to main.cvd and daily.cvd)
Probably more like: can we have 'technical-threats.cvd' and
'non-technical-threats.cvd' instead of 'main.cvd'?
You don't give up do you?
Worked for Buzz Lightyear...
-Bart
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] virus incident response?

2005-02-17 Thread Bart Silverstrim
On Feb 16, 2005, at 7:04 PM, John Madden wrote:
In any case, Clam is a user-supported project. ALL viruses are 
submitted by end users. So, the only way response will get any better 
is if you submit new viruses you receive that get by clam.

It's not going to 'improve' any other way.
Well, that'd be my assumption as well.  What I'm poking for is the
potential for a means of making the process more formalized, like 
having a team of officials per continent who volunteer to be on the 
spot for given hours of the day?  Are [vendor] forums where outbreaks 
are discussed?  Does anyone watch releases from the major vendors to be 
able to develop signatures for ClamAV?  Things like this have probably 
been mentioned before, I suppose.

If ClamAV is to compete with companies who do nothing but develop virus
signatures, I would think we'd have to find a way of tapping into the 
same resources or methodology somehow.
They get samples submitted or they arrive at their honeypots, they  
disassemble them, and integrate them into their signature databases.

Try searching for how long commercial vendors do updates.  I typically  
get updates every couple of hours from ClamAV, and have been extremely  
pleased with the timeliness of their updates.  Other vendors are NOT  
necessarily ahead of Clam.

Read up on it for some examples.
http://www.av-test.org/down/papers/2004-02_vb_outbreak.pdf
http://www.dslreports.com/forum/remark,12249908~mode=flat~days=~start=20

There is a wide variation in vendor releases and their updates are not  
immediate to threats.

Timing is everything -- we don't have
to be the first, but we have to beat the outbreak.
There's always someone infected "first" and there's always more people  
getting infected in the time between discovery, analysis, updates,  
dispersing the update...

If you're in a situation where this is a gargantuan problem, run  
multiple AV's on your system.  Educate your users about checking email  
frequently and keeping their AV's up to date, use mime-defang, don't  
accept messages with executables attached...greatly restrict what can  
be attached to incoming messages and you have most of the battle won  
there.

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] clamav on gateway + sniffer to intercept mail attachments

2005-02-16 Thread Bart Silverstrim
On Feb 16, 2005, at 3:13 PM, vaida bogdan wrote:
Hi, I use postfix+mailscanner on my mail server to block a lot of
viruses coming from my internal network. I would like to implement a
solution to block virus traffic on the internal gateway. The network
looks like this:
WIN-
WIN-   GW1-   -MAIL SERVER-   -GW2
WIN-
One WIN is infected but I don't know which of the 30 computers on the
network. I receive infected attachments on the MAIL SERVER from the
GW1's ip. WIN are on the internal network.
My first idea would be to extract mail traffic passing through the
gateway in mbox format and scan it with clamav. I'm looking for better
ideas/implementations. Also, please tell me which tool should I use
to sniff mail on GW1 or if there is a better solution.
ethereal or ettercap are my favorites for packet sniffing on UNIX 
systems.

Sometimes you can see things by sniffing traffic and see what machine 
is sending a lot of ARP queries for seemingly random IP's.

I found one infected system on our network once by seeing a huge number 
of cached routes on our Linux Squid gateway for a client computer.

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
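The hint in the reply above, that the infected box is usually the one sending ARP requests for a long run of seemingly random addresses, can be turned into a small detection check. The following is an added example and not code from the list or from ClamAV; it assumes the capture is in the `who-has X tell Y` form that tcpdump prints for ARP requests, and the log lines embedded in it are constructed, not a real capture.

```python
"""Find the host that is ARP-scanning the subnet from a tcpdump-style log.

Added example (not from the original post). It assumes tcpdump's ARP
output format; the sample log below is constructed for the demo.
"""
import re
from collections import defaultdict

# tcpdump prints ARP requests as "... Request who-has <target> tell <requester>, ..."
ARP_REQUEST = re.compile(r"who-has ([\d.]+) tell ([\d.]+)")

# Constructed sample: 192.168.1.10 asks for twelve different addresses within
# a few milliseconds (one of them twice); the other hosts only ask for the
# gateway or for a single peer, which is ordinary traffic.
SAMPLE_ARP_LOG = """\
12:00:01.001 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
12:00:01.210 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.004 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 46
12:00:02.005 ARP, Request who-has 192.168.1.2 tell 192.168.1.10, length 46
12:00:02.006 ARP, Request who-has 192.168.1.3 tell 192.168.1.10, length 46
12:00:02.007 ARP, Request who-has 192.168.1.4 tell 192.168.1.10, length 46
12:00:02.008 ARP, Request who-has 192.168.1.5 tell 192.168.1.10, length 46
12:00:02.009 ARP, Request who-has 192.168.1.6 tell 192.168.1.10, length 46
12:00:02.010 ARP, Request who-has 192.168.1.7 tell 192.168.1.10, length 46
12:00:02.011 ARP, Request who-has 192.168.1.8 tell 192.168.1.10, length 46
12:00:02.012 ARP, Request who-has 192.168.1.9 tell 192.168.1.10, length 46
12:00:02.013 ARP, Request who-has 192.168.1.3 tell 192.168.1.10, length 46
12:00:02.014 ARP, Request who-has 192.168.1.11 tell 192.168.1.10, length 46
12:00:02.015 ARP, Request who-has 192.168.1.12 tell 192.168.1.10, length 46
12:00:02.016 ARP, Request who-has 192.168.1.13 tell 192.168.1.10, length 46
12:00:03.100 ARP, Request who-has 192.168.1.20 tell 192.168.1.21, length 46
12:00:03.400 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
"""


def parse_arp_requests(log_text):
    """Return (requester, target) pairs for every who-has line; replies are ignored."""
    pairs = []
    for line in log_text.splitlines():
        match = ARP_REQUEST.search(line)
        if match:
            pairs.append((match.group(2), match.group(1)))
    return pairs


def targets_by_requester(pairs):
    """Map each requesting host to the set of distinct addresses it asked for."""
    seen = defaultdict(set)
    for requester, target in pairs:
        seen[requester].add(target)
    return seen


def find_arp_scanners(log_text, threshold=8):
    """Hosts that asked for at least `threshold` distinct addresses, busiest first.

    Distinct targets, not raw request count, is the signal: a healthy host
    re-asks for its gateway all day, a scanner walks the whole subnet once.
    """
    seen = targets_by_requester(parse_arp_requests(log_text))
    hits = [(host, len(targets)) for host, targets in seen.items() if len(targets) >= threshold]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


if __name__ == "__main__":
    for host, count in find_arp_scanners(SAMPLE_ARP_LOG):
        print(f"{host} asked for {count} distinct addresses")
```

The threshold of 8 is a demo value; on a real segment it should be tuned to the subnet size and to what the gateway and print servers normally do, and the same counting works over a time window if you split the capture first.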


Re: [Clamav-users] Very good (short) Article on New Technique by Virus Authors

2005-01-31 Thread Bart Silverstrim
On Jan 31, 2005, at 1:35 PM, Sam wrote:
Came across this and thought many of you may enjoy it.
http://www.eweek.com/article2/0,1759,1756636,00.asp?kc=ewnws013105dtx1k599
Is it better than the previous one I didn't think we'd ever see as  
working?

Write virus
email to random people with subject line "Run me!"
infect!
repeat...
:-)
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 11:29 AM, Tomasz Kojm wrote:
On Thu, 27 Jan 2005 11:27:00 -0500
Adam Tauno Williams <[EMAIL PROTECTED]> wrote:
Just my two cents - I agree with the other guy.  CLAM should block
viruses and worms, and leave SPAM to something else.  Just think of the
Phishing IS NOT spam! Is that really so hard to understand?
As I understand it it doesn't execute code on the computer or spread to 
other systems without intervention either.

This entire thread is degenerating...it was hashed and rehashed 
already.  The ultimate decision goes to the Clam developers, and I 
believe they already decided it.  Everything that's bad would be 
blocked, so end users could live with it or use a different product.  
Our Windows computers are slowly being migrated to static images using 
Deep Freeze, and if users decide to hand out their bank account info 
without stopping to think that maybe they shouldn't give out sensitive 
information we couldn't really stop them.

I would have thought it would be more of a burden eventually to keep up 
with HTML messages going out to people asking for info along with the 
binary executables containing viruses so the scanner could catch them 
both, but oh well.  Maybe the UNIX-ish philosophy of specialized 
applications working together to accomplish goals is giving way to the 
more common Windows throw-everything-together mindset.  Maybe it's 
overlapping jobs.  This is certainly the way commercial AV's go about 
it now.  I've seen all sorts of hits on crap from the web cache on 
Windows machines...why?  Because the AV is hitting stuff the latest 
update to Spybot is hitting now.  And Ad-Aware/Spybot/etc. are hitting 
some mail viruses.  But it doesn't matter.  The Clam people made their 
decision, and the end user benefits from it, even if it does overlap 
with other systems in place for guarding against phishing/spam.  If a 
developer really resents it, they could fork the project.  Personally, 
I see having three programs doing the same thing as just bloat; 
phishing is annoying, hit delete or configure the spam filter to get 
it.  Others see it as having three systems increasing the chances of 
catching new crap as it comes out.  I'm tired of fighting with it and 
tired of the "administrators" who never turn off their collateral 
damage-causing "you sent me a virus!" notifications.  End users don't 
see any difference though, so companies pander to this mindset of 
protecting people from all that's potentially bad, period.

Regardless, If the developers wish to get input from users on the issue 
and are considering it one way or the other, then maybe a thread like 
this would be useful.  As it stands, discussing it again accomplishes 
nothing, and will inevitably lead to flames and arguments that 
still...accomplish...nothing.  Except sarcastic comments like mine 
about submitting win.com as a signature.

If all this crap has evolved to the point where 
spyware/trojans/phishing/spam are now one thing (magical MalWare!  
Software that's just *bad!*), then maybe someone should come up with a 
new email network that can truly work so we don't get this junk 
anymore, period.  Email was never meant for the five meg "look at the 
pictures!" attachments.  It wasn't meant for emailing programs to one 
another.  Does it really need to be a proxy for web pages by emailing 
people all this html-formatted crap that makes dancing images appear 
while compromising Explorer?  We can't even get people to stop with top 
posting or formatting email in a way that makes it easy to read, 
without twenty embedded sigs or munged headers.  We even have these 
sigs saying that the contents of the message are confidential meant 
only for the named recipient and if you get it in error...huh?  I 
already read the message!  What good is that?!  It's not even been 
tested in the courts as binding!  Why are you wasting ten lines of 
space at the end of every message telling me this?? It's the EULA of 
email...no one even reads them anymore.  Start an email network that 
uses clients with embedded encryption.  Voila', no more accidental 
reading.  Even makes it safer in transit.

Whew...I'm going to go lay down before I have an aneurysm.
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:33 AM, Tomasz Kojm wrote:
No problem. As a bonus we will create a signature for your domain name
;-)
Just kidding!  Honest!  I'd NEVER think of having Windows thought of as 
a virus... :-)

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:25 AM, Damian Menscher wrote:
There was a discussion about this several months ago.  Unfortunately, 
many people (including part of the signature-generation team) are too 
dogmatic about their feelings that "phishing is bad, so we should 
block it" to look at it logically.
Can I submit win.com for inclusion as a signature? :-)

-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Are we safe - WORM_BAGLE.AZ

2005-01-27 Thread Bart Silverstrim
On Jan 27, 2005, at 10:13 AM, <[EMAIL PROTECTED]> wrote:
Craig Daters
Wow, that was some time ago, and TrendNet is only just now putting out
an update! That's scary!
Thanks Trog
What concerns me (if it is true that ClamAV has detected this specific
variant since November) is that ClamAV is not performing due diligence
and sharing samples to protect users of other products on the Internet.
AV teams working together is a good thing, and I personally share all 
of my samples with over 20+ AV vendors.
I know there are lots of people that keep sharing samples.  ClamAV is 
blocking them from our mail server every day.

And AV teams do NOT necessarily share their samples all the time.  
Otherwise they lose their competitive edge over one another (and you 
wouldn't find disparate names and number of detected viruses among 
different vendors).

Last, if they want to get to Clam's signatures, it's open source...I'm 
sure they can (and probably do) get updates of Clam's database.   It's 
not the ClamAV team's responsibility to help boost some other company's 
profit margin.

-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Good job ClamAV team!

2004-11-16 Thread Bart Silverstrim
On Nov 16, 2004, at 12:52 PM, Minica, Nelson (EDS) wrote:
1024 viruses blocked in the last month (after 152,000 emails blocked 
by RBL's,etc)
 68 were phishing attacks my users appreciated not seeing
 Then SpamAssassin flagged 1500 and Mimedefang removed 1300 
attachments…

Overlapping products and multiple lines of defense are a great idea.  
I'd much rather have overlap than "underlap".  :)
Although I agree with the subject line sentiment, I thought the 
discussion/argument/etc. over philosophy and ideas was declared over 
and pointless?

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing andother social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:44 PM, Dave Goodrich wrote:
Bart Silverstrim wrote:
I find it interesting though that I've yet to hear from anyone 
commenting on my proposal to create a filter that will extract and 
convert all emails into pure text, or reformat it so only certain 
things can get through as an attachment with a pure text message so 
it would be "defanged" of scripts, web content, potential scripting 
exploits, etc...I'm honestly beginning to wonder how hard that would 
be to make and whether it may be of use for some sites.  Draconian, 
yet it would be extremely handy in stopping the maliciousness of 
viruses or spam tricks...dynamically rewriting all email to a 
"standard" format.
Anyone?  Does this already exist?  A prefilter thing...not halfway to 
the task, like using MIMEDefang, but a whole "here's the email 
stripped of HTML and in a standard format for the mail system" type 
filter...

I was listening ;^) and I like the idea. I am highly in favor of all 
ascii email, not even attachments. The enormous amount of bandwidth I 
could regain would be a money saver.

I would have to look, but given the amount of customization I've been 
able to do already I would think MailScanner could do this, if not get 
darn close to it.
I'd love a program that can be daemonised so I could use it to filter 
incoming mail as a pre-filter...ESPECIALLY from the bloody Exchange 
server.  Talk about mangling.

If there was an easy way to do this I'd love to do it.  If it could 
reformat incoming mail to eliminate top posting as well I'd probably 
pay the developer to do it :-)

-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
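The pre-filter sketched in the exchange above (every message rewritten to a plain-text body, with only a short list of attachment types allowed through) and the earlier advice in this archive not to accept executables as attachments can both be shown with one small rewriter. The block below is an added example and is not code from the list, ClamAV, MailScanner or MIMEDefang; it uses only the Python standard library, the allowed-extension list is an assumption chosen for the demo, and the sample message it processes is constructed inline.

```python
"""Rewrite an e-mail to a plain-text body plus an allowlist of attachments.

Added example (not list, ClamAV, MailScanner or MIMEDefang code). The
allowlist and the sample message are constructed for the demo.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Attachment types the rewritten message may keep (demo assumption).
ALLOWED_EXTENSIONS = (".pdf", ".txt")


class _TextExtractor(HTMLParser):
    """Collect visible text, drop script/style, show where links really go."""

    def __init__(self):
        super().__init__()
        self._chunks = []
        self._skip_depth = 0
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in ("p", "br", "div", "li", "tr"):
            self._chunks.append("\n")
        elif tag == "a":
            self._href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag == "a" and self._href:
            # Put the real target next to the anchor text so a reader can
            # see when the link goes somewhere other than the text claims.
            self._chunks.append(f" <{self._href}>")
            self._href = None

    def handle_data(self, data):
        if not self._skip_depth:
            self._chunks.append(data)

    def text(self):
        lines = "".join(self._chunks).splitlines()
        return "\n".join(line.strip() for line in lines if line.strip())


def html_to_text(html):
    """Visible text of an HTML body, scripts and styles removed."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.text()


def defang(raw_message, allowed=ALLOWED_EXTENSIONS):
    """Return the rewritten message, its text body, and what was kept/dropped."""
    src = email.message_from_string(raw_message, policy=policy.default)
    body = src.get_body(preferencelist=("plain", "html"))
    if body is None:
        text = ""
    elif body.get_content_type() == "text/html":
        text = html_to_text(body.get_content())
    else:
        text = body.get_content()

    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if header in src:
            out[header] = str(src[header])
    out.set_content(text)  # always text/plain, never HTML

    kept, dropped = [], []
    for part in src.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(allowed):
            data = part.get_content()
            if isinstance(data, str):
                data = data.encode("utf-8")
            maintype, subtype = part.get_content_type().split("/", 1)
            out.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
            kept.append(name)
        else:
            dropped.append(name or part.get_content_type())
    return {"message": out, "text": text, "kept": kept, "dropped": dropped}


def build_sample_message():
    """Constructed HTML-only message with one PDF and one executable attached."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = "Quarterly report"
    m.set_content(
        "<html><body><p>Hello <b>Bob</b>,</p><script>var t = 1;</script>"
        '<p>The report is <a href="https://example.test/report">here</a>.</p>'
        "</body></html>",
        subtype="html",
    )
    m.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="invoice.exe")
    return m.as_string()


if __name__ == "__main__":
    result = defang(build_sample_message())
    print(result["message"])
    print("kept:", result["kept"], "dropped:", result["dropped"])
```

Filtering on the declared filename is deliberately simple; a production filter would also check the decoded content (the `MZ` header here) rather than trust the extension, and would keep the original message in a quarantine so that a dropped attachment can be recovered when the policy was too strict.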


Re: [Clamav-users] ClamAV should not try to detect phishing andother social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 5:35 PM, Nigel Horne wrote:
On Monday 15 Nov 2004 9:23 pm, Bart Silverstrim wrote:
Since I don't know any of the developers
You can find our names in .../AUTHORS.
-Bart
-Nigel
Well...I still don't *KNOW* you :-)
Nice to kinda sorta meet you though.  You and the rest of ../AUTHORS 
are doing a wonderful job with ClamAV, BTW :-)

-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing andothersocial engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:41 PM, <[EMAIL PROTECTED]> wrote:
Bart Silverstrim wrote:
I find it interesting though that I've yet to hear from anyone
commenting on my proposal to create a filter that will extract and
convert all emails into pure text, or reformat it so only certain
things can get through as an attachment with a pure text message so it
would be "defanged" of scripts, web content, potential scripting
exploits, etc...I'm honestly beginning to wonder how hard
that would be to make and whether it may be of use for some sites.
Microsoft SMTP Server allows this via CDO.Message
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_imessage_htmlbody.asp

"When... you set the HTMLBody property, Microsoft Collaboration Data  
Objects (CDO) automatically sets the TextBody property to the plain  
text equivalent."
Ironically it's MS's interpretation of HTML that usually leads to  
problems... :-)

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishingandothersocial engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:39 PM, Kevin W. Gagel wrote:
If I could use a single package to virus scan, spam scan and
protect my users and company against phishing attacks then I
would gladly use it (provided of course it was reliable).
If I could use one operating system free from most bugs and glitches 
and flaws that allow exploits to run by viewing messages, and uses junk 
filtering that is 99.9 percent accurate and effective against spam, 
adware, and viruses, I'd use it.

Problem is it doesn't exist.  Well, actually, what I'm using is pretty 
close...OS X with Mail.app's junk filter.

I think the programmers that volunteer their time to the
clamav project have done an excellent job of providing an
opensource alternative to high priced slow updates and poor
service "paid for" packages.
Most heartily agree.
I bet they are more than
qualified to gradually add scanning for any threat. All the
framework is in place for them to add it so in my view "why
not?".
I'm not on the team so I can't comment, but I can say I've seen plenty 
of examples of projects having one focus, shift it to add 
functionality, and in the process losing focus and adding security 
problems and bugs.

-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishingandothersocial engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 4:27 PM, Dennis Skinner wrote:
Dave Goodrich wrote:
My preference has been stated. I would prefer SpamAssassin do the 
puzzle solving of message bodies, headers, URI lookups, message 
obfuscation, etc and let ClamAV do the signature matching of 
attachments.
SA uses many more resources than ClamAV.  Clam is going to scan the 
msg anyway.  The more dangerous email I can reject before it gets to 
SA, the better, IMO.
That implies you're going to have it go through SA anyway.  Why not 
have Clam scan for every known spam and see how many resources it 
starts to take up on top of what used to be just scanning for known 
viruses?

SA has been asked about viruses.  They say "that's viruses...use clamav 
or some other AV.  We do spam."  Why move the project into their 
territory?

If these are known spam, known attacks, it would already be in SA's 
arsenal.  Or if it's already known put it through procmail recipes to 
reject before it hits SA.

Wouldn't these also work?
-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishingandothersocial engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 2:41 PM, Ken Jones wrote:
Phishing poses a threat to your users. The line between malware and 
viruses is a very grey one.
Phishing is a threat if they supply information.  How do you stop 
people from voluntarily giving information over?  Scan every mail for 
text or formatting that may look like it's asking for you to click a 
link and visit a site for inputting information?

That sounds like what SA does.  The phishing email doesn't do anything, 
doesn't carry an attachment that is dangerous, and doesn't carry a 
payload.  It's asking a user to do something foolish or takes advantage 
of their ignorance.  If I get an email from my friend asking for my 
credit card number and I email it to him and he spends a lot of my 
money, whose fault is it?  Or if I mail it and it bounces to an admin at 
a different site...whose fault is it when the information leaks?

Knowing two "friends" that have responded to phishing emails and what it
took afterwards to correct the problem, they would beg you to remove
the possibility of this threat.
I would hope they now know not to trust these messages.  I've tried 
telling users not to do things before and some will anyway.  I can't 
guarantee anything about blocking it, only that I will try to keep SA 
updated enough to catch them.

The key here is not whether or not we should block these messages.  The 
discussion was about Clam having this added.  Philosophically, there 
are those who want it and those who don't.  You want more spam 
checking, alter your spam checker with SA to use all the rules and 
bayes the heck out of mail servers.  Use SPF.  Use reverse mapping.   
Personally, I want Clam to fight viruses.  Focus on those, focus on 
doing it well.  If people want to improve fighting spam, contribute to 
SA and various rule sets that are out there, and not duplicate efforts.

Having cross-over of functionality can / is in many cases a good thing.
Then that is a philosophical difference...I'd rather not duplicate 
efforts on the same system.  Otherwise there's no reason to pretend it 
is a virus scanner...it's some mutant spirus scanner or malware 
detector.  Then there comes the slippery slope of what it should and 
shouldn't detect.  I'd rather just filter and rewrite every message to 
plain text and then we wouldn't need to worry about the viruses or 
malware, would we?  We'd make it more work for the users to go through 
the hassle of getting themselves into trouble.

The other day, a virus made it by clamav. It made it past McAfee on the
users machine. By the time they opened the mail and it started spamming
the network with email, clamav had updated their defs and it was 
stopped.
It took a few more hours before McAfee had a new defs file out. In this
case, multiple virus scanners was a good thing.
Multiple fronts are fine. BUT you are running multiple virus scanners.  
Run multiple spam slammers if that's your prerogative.  But I'd rather 
have a virus scanner that scans for viruses and a spam filter that 
filters for spam without needing to overlap the two.  A virus scanner 
for viruses, a spam filter for spams; if it works well, keep it.  If it 
doesn't, yank that module/program and put in another.  I am looking for 
a good virus scanner, not a good virus scanner that is also a mediocre 
spam blocker and may or may not complicate the flow of mail by adding 
different headers or putting it into a different quarantine folder when 
users ask where a message from "x" went because it was incorrect.  You 
have the sig for a particular spam?  Send it to the SA team.

Please don't think I am saying I want clamav to become a spam filter as
well, but adding in the sigs for items like the phishing mail I think is
great.
I think it's heading down a road that leads to losing focus for the 
team.  Ultimately though it's their call :-)

-Bart
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 2:02 PM, jef moskot wrote:
On Mon, 15 Nov 2004, Bart Silverstrim wrote:
...if you're going to start moving it into another direction, it may be best to fork that and leave the original recipe alone until the new direction...
I think you're overstating what the ClamAV team is trying to accomplish
here.  Forget the "slippery slope" and look at what they're actually
doing.
Since I don't know any of the developers and I don't know if any have 
commented on this aspect...we can let this part drop :-)  They'd have 
to answer that.

Personally I don't like the idea of protecting users from their own
stupidity...
As a sys admin, this is part of my job.  A large portion of my userbase is unsophisticated, and a philosophical argument about why they need to learn to protect themselves wouldn't fly with the boss.
Then that's your job description.  Some people are in the position 
where they need to coach users not to touch hot stovetops.  Others have 
users who resent it...ie, ISP customers.  They would not always 
appreciate having mail tampered with.

Again, I don't have any problem with Julian's basic premise, but I think this discussion has shown that we can't even agree on what "social engineering" means.
Getting a user to do something by merely tricking them?
Social engineering involves asking and posing as something you're not 
to get something.  If the message asks you to click something, you can 
ignore it or click it.  Either way the message is *harmless* in itself. 
 It is just text.  It can be saved, forwarded, scanned, whatever...it 
doesn't *run* anything, and it doesn't take advantage of an OS flaw.

It relies *entirely* on user stupidity.  "We're from your bank, and we 
have a database problem so we need you to verify your name, social 
security number, account number, how much money is in your checking 
account and your address at this handy website! CLICK HERE!" The 
message *does* nothing.  It relies on the user to do something, and 
it's entirely cross platform because there's no executable script or 
binary attachment.

If you want to argue "well, a virus tells you to click the icon in 
order to run,..." yes, that's social engineering.  It's also a binary 
attachment containing harmful code.

All squares are rectangles, but not all rectangles are squares.  
Viruses can use social engineering, but not all social engineering  
involves viruses.  I think he was referring to "the subset with the 
code right here...a blob of binary that if I run it it will infect my 
PC..." as technical.  The other is nothing but text, nothing but a 
fishing line asking the user to hook their finger.  It is no more 
dangerous than an email that gives detailed instructions on how to 
disable the safety on my microwave and stick my head in and start 
baking for 20 minutes because it gives a "real rush".  It's harmless 
until I'm stupid enough to go through the effort to hurt myself.  
That's purely social engineering.

Given that, maybe adding a flag that allows you to ignore signatures with certain prefixes makes sense, but I don't see the benefit of putting too much effort into being overly specific about the specific path a virus takes from unsolicited e-mail to user hard drive.
After seeing the lengths users will go to to avoid learning something 
and how hard they work to hurt their systems sometimes, methinks the 
best thing to do is just whitelist email servers and block everything 
else at the rate we're going.  There's just too much to ask in the 
effort to protect users from themselves, and while some admins (I truly 
pity them) have that in their job descriptions (to protect people from 
themselves), I think there's only so much we can do and just so far we 
can go before it can be a detriment to the project we're discussing.

I find it interesting though that I've yet to hear from anyone 
commenting on my proposal to create a filter that will extract and 
convert all emails into pure text, or reformat it so only certain 
things can get through as an attachment with a pure text message so it 
would be "defanged" of scripts, web content, potential scripting 
exploits, etc...I'm honestly beginning to wonder how hard that would be 
to make and whether it may be of use for some sites.  Draconian, yet it 
would be extremely handy in stopping the maliciousness of viruses or 
spam tricks...dynamically rewriting all email to a "standard" format.

Anyone?  Does this already exist?  A prefilter thing...not halfway to 
the task, like using MIMEDefang, but a whole "here's the email stripped 
of HTML and in a standard format for the mail system" type filter...

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:43 PM, Matt wrote:
If the standard database was segregated, some people would inevitably cock up their configs and run with partial protection. This can cause problems not only for themselves, but others, in the case of propagation.
Whitelist all traffic you want to allow! Mail servers, web 
sites...there must be a way.  After reading how Lexmark is apparently 
having their *drivers* phone home, and the number of emails from 
spammers that may link to pages where users happily click away their 
life savings... and... there's just getting to be too much.  It is 
getting utterly hopeless to have some kind of order arise from the 
UBE/UCE/Spam/Spim/trojan/virus/worm/scammer/ad content/spyware/etc. 
muck and mire we're currently dealing with.

I need a new career :-(
There is also the fact, and I am sure that I am not alone, in being very draconian. You control the machines, the users get what they are given :)
This is why UNIX had the "modular black box" model, as I recall...take 
the app, make it focus on its task, and if you need other 
functionality, it was done in another app.  Chain together.  Repeat as 
necessary.

Some...many...ISPs would want a scoring system for spam so users can 
have an opportunity to filter themselves or decide their tolerance and 
training levels.

Others, like my school, need to make decisions FOR everyone because 
there's too many users that just don't take the time to learn how to 
use it.  We have too much user turnover and it's impractical with our 
human resources to keep people up to speed when they really don't give 
a hoot about such things.

Some people don't like their messages being filtered at all...they 
prefer it done by themselves at the desktop.  Some people combine it, 
some at the server, some at the desktop.

The modular model makes all these possible with ClamAV without ClamAV 
being twisted or bent to fit.  It plugs in and does its job, nothing 
more nothing less.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:32 PM, Dennis Skinner wrote:
How little user interaction is required before it is considered a 
"technical" enough?  Require the user to open the attachment?  Require 
the user to pop their mail?

Technically, most viruses these days are social engineered in some 
way.  Unlike the boot sector viruses that seem to have gone the 
way of the floppy disc.

Given the new push for integration between the internet and local 
computers, limiting an AV scanner to only protecting against viruses 
physically included in an email is a bit short-sighted in my opinion. 
It's getting to the point where users are unable to distinguish 
between what is remote and local content.
Well...how about this counterproposal...
Let's make ClamAV into a filter that takes ALL mail, strips HTML, 
converts it into plain text, and strips all scripting out of the 
message whatsoever, as well as attachments?  It could move them to a 
configured "mail website" where you click a link that Clam inserts into 
the mail message (plain old URL) if you're interested in getting it, 
and you can browse whatever graphics or attachments were meant for that 
message and were instead stripped?  Of course this would mean setting 
up a web server and database server, but those tools exist already.  
This way it doesn't matter what new threat comes out, your mail is 
already defanged, demangled, demimed and sanitized for the user's 
protection!  It could protect from click traps, malware attachments, 
script exploits...users just lose their dancing icons and pretty pretty 
backgrounds.  It could also make previously hidden text visible from 
spam.

On one hand, it's sarcastic as heck.  On the other, it might not be a 
bad idea.

-Bart
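Bart's counterproposal above, and the same question in his reply to jef moskot further up ("here's the email stripped of HTML and in a standard format for the mail system"), describe a mail prefilter that rewrites every message to plain text and strips scripting and attachments.  The following is an added example of such a prefilter, written for this page; it is not code from the thread, from ClamAV, or from any of the projects named here.  It uses only the Python standard library.  The set of headers it preserves, the `X-Defanged` header, the placeholder text for removed parts, and the sample phishing-style message are all constructed for the example; the "mail website" link Bart proposes for retrieving stripped attachments is site-specific and is only noted in a comment.

```python
"""Mail 'defanging' prefilter, as proposed in the thread: rewrite a message
to a single text/plain body, reduce HTML to its visible text, and drop every
attachment and non-text part.  Added example, not ClamAV or list code."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumption: only these headers survive the rewrite (example choice).
KEEP_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID")


class _VisibleText(HTMLParser):
    """Collects rendered text and discards <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "li", "tr", "h1", "h2", "h3"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html):
    """Reduce an HTML body to visible text, one line per block element."""
    p = _VisibleText()
    p.feed(html)
    p.close()
    lines = (" ".join(line.split()) for line in "".join(p.chunks).splitlines())
    return "\n".join(line for line in lines if line)


def defang(raw):
    """Rewrite a raw RFC 5322 message into a single text/plain message.

    Returns (new_message, dropped), where dropped lists the removed parts as
    'content-type filename' strings.  text/plain wins over text/html when
    both exist (multipart/alternative); HTML is converted only when no plain
    part exists.  Every attachment and non-text part is removed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain, html, dropped = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        attached = part.get_content_disposition() == "attachment"
        if ctype == "text/plain" and not attached:
            plain.append(part.get_content())
        elif ctype == "text/html" and not attached:
            html.append(html_to_text(part.get_content()))
        else:
            dropped.append(f"{ctype} {part.get_filename() or '(no name)'}")
    body = "\n".join(plain) if plain else "\n".join(html)
    if dropped:
        # Bart's proposal would store the removed parts and insert a link to
        # a site-specific "mail website" here; this example only records
        # what was removed.
        body += "\n\n[prefilter removed %d part(s): %s]" % (
            len(dropped), "; ".join(dropped))
    out = EmailMessage(policy=policy.default)
    for name in KEEP_HEADERS:
        if msg[name] is not None:
            out[name] = msg[name]
    out["X-Defanged"] = "yes"  # assumed marker header for downstream filters
    out.set_content(body)
    return out, dropped


# Constructed sample: HTML-only phish with a script block and a fake
# executable attachment (the base64 is just "hello world").
SAMPLE = b"""From: "Your Bank" <alerts@example.com>
To: user@example.org
Subject: Verify your account
Message-ID: <abc@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear customer,</p>
<script>document.location='http://example.net/steal'</script>
<p>Please <a href="http://example.net/login">click here</a> to verify.</p>
</body></html>
--outer
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--outer--
"""

if __name__ == "__main__":
    cleaned, removed = defang(SAMPLE)
    print(cleaned.as_string())
```

The HTML-to-text step is deliberately crude: it keeps link text but discards the `href`, so the user sees "click here" with nothing to click, which is the point of the exercise.  In a real deployment this would sit in front of the scanner chain (a MIMEDefang or amavisd-new filter slot, for instance) rather than replace it, and the stripped parts would need to be stored somewhere the user can fetch them, as the proposal says.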


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:29 PM, Daniel J McDonald wrote:
clamav kills bad things - that's good, and I'd like it to be able to
continue to kill bad things in the same expedient manner that it has in
the past.
That's not entirely true.  There are people who installed it on Windows 
and Windows still booted afterwards.

:-)
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 12:25 PM, Chris Meadors wrote:
On Mon, 2004-11-15 at 12:12 -0500, Bart Silverstrim wrote:
If it's a bunch of flashy graphics telling you to visit a website for
fantastic deals on hiding money from third world countries while
getting fantastic mortgage rates on your pen1s enlargement ointment,
it's for a spam filter.
If it only does harm if you follow a link and then consciously give
your account information, be it ebay or bank or paypal, to a third
party site, it's for the spam filter.
howzat? :-)
How about an e-mail that contains a link that takes one to a webpage
that exploits the web browser to install a program that will intercept
the account information the next time the actual site is visited?
Hmm...if it is scripted so no user intervention is necessary for it to 
run, it's an executable script, so it's clam.

If it is something like "click here to see Anna Kournakova NUDE!" and 
is just a plain URL, no exploit, then it's spam.

Otherwise, you're talking about something that makes just as much sense 
to integrate Clam into Squid to scan all traffic streaming through the 
web proxy...keep users from being able to view this site, it contains 
harmful code for their computer!  Actually if this is a threat, maybe 
more work should be put into making the file-access-scanner daemon more 
stable and keeping definitions on the users Windows machine updated for 
their Windows AV scanner.

The actual harm to the computer in your example still came from the 
user doing something beyond reasonable safety...being duped into going 
to a website.  The mail itself was harmless.  The bug should be patched 
in the browser so it shouldn't happen.  The program getting on the 
system is no different from any other spyware vector installation.



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:54 AM, Brian Morrison wrote:
On Mon, 15 Nov 2004 17:48:35 +0100 in
[EMAIL PROTECTED] "Julian Mehnle"
<[EMAIL PROTECTED]> wrote:
 But there definitely is a distinction between technical attacks and
 social engineering attacks, even though they're somewhat overlapping.
I can't see logically how things that are distinct can also be
overlapping. Is that really the description you want to use?
You get a mail...
If it has an attachment that will run in the background on your 
computer for the express reason of propagating itself, it's for clam.

If it has an attachment that will spread to other computers to cause 
harm, it's for clam.

If it was sent to you by a worm with itself as a payload, it's for clam.
If viewing the message takes advantage of an OS bug to alter the 
computer without your knowledge, it's for clam.

If it's a bunch of flashy graphics telling you to visit a website for 
fantastic deals on hiding money from third world countries while 
getting fantastic mortgage rates on your pen1s enlargement ointment, 
it's for a spam filter.

If it only does harm if you follow a link and then consciously give 
your account information, be it ebay or bank or paypal, to a third 
party site, it's for the spam filter.

howzat? :-)
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:48 AM, Trog wrote:
Not one of the Clam developers have proposed adding general spam
detection to ClamAV.
You're right.  This was an idea being proposed, I thought...a 
suggestion.  Isn't this something worth going over on a "users" list as 
discussion?

Sorry if not... :-/
-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:48 AM, Julian Mehnle wrote:
Matt [EMAIL PROTECTED] wrote:
The problem is that, as yourself and others have mentioned, the distinction between the different categories is dependent upon personal interpretation. What one classes as social engineering, someone else may class as, for example, malware. Even though they can technically be the same thing, perceptions vary, thereby making it a nigh on impossible question to answer.
Following that logic, any distinction between spam and malware would be artificial, too.  Sorry, but I don't subscribe to this sort of nihilism.
;-)
Because there is still a difference..."commonly accepted definitions" 
are watering them down though :-)

Malware...bad software with bad intentions.
I think the line is pretty easy to find between viruses/worms and 
trojans and spam/UCE/UBE and social engineering attacks.  The lines 
blur as they start using each other to their own advantage (viruses 
spreading spam from infected machines, for example) but it's clear 
enough that the actual virus or worm is the executable code or script, 
while the "click here for amazing rates!" is simply spam, and the 
techniques for fighting spam can be quite different from those used to 
stop an infectious file attachment.

I have not tried to make a distinction between social engineering and malware.  Those are orthogonal concepts.  But there definitely is a distinction between technical attacks and social engineering attacks, even though they're somewhat overlapping.
Very correct.  There's a difference between me taking your wallet and 
me telling you about a wonderful investment opportunity where you can 
double...no...triple your money in two weeks!

If it takes advantage of a bug in the OS or contains executable code or 
scripts that carry the intention of "infecting"...spreading/running 
without the user's knowledge...then I would think it's Clam's job to 
stop it.  If it's someone trying to triple my money or beg for a place 
to hide a billion dollars while the sender's government falls, it's 
SA's job to stop it.  If I wanted overlap, I'd install multiple spam 
filters and multiple virus filters, I don't need multiple spirus 
filters to try to diagnose and maintain :-)

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 11:14 AM, jef moskot wrote:
On Mon, 15 Nov 2004, Bart Silverstrim wrote:
I'd say leave it to the antispammers to hammer out, and to the people
who focus on bayes filters...
In my case, if Clam has a chance to see the phishing e-mail, the anti-spam tactics have already failed.  So, from my point of view, this is extra protection which would not otherwise have been offered.
In your case, sure... but it is supposed to be a flexible solution for 
a myriad of implementation methods.

I'm not going to comment on the technical aspects of blocking these
messages, except to say that I've always found the ClamAV team to be
incredibly competent, and if they've chosen to take up this task, then
they probably think they can do it effectively.
They have been, yes, very competent and Clam is wonderful.  One of my 
points has been that it is working very well, so if you're going to 
start moving it into another direction, it may be best to fork that and 
leave the original recipe alone until the new direction, off-focus from 
the original intent, can be shown to work well...as well as or better 
than the current incarnation.

May be doing them a disservice if the signature mismatch a legit mail,
though.
This is true of any pattern-matching system.
Yes.  Definitely...and currently, I can tune my settings through 
SpamAssassin and Amavisd-New as to how to handle things and how I'd 
like it reported.  That's the modular aspect of these programs...they 
focus on doing a particular task very well.  Clam is excellent against 
viruses.  Spam...if it were that easy to tackle through signatures, 
they'd probably have done it by now.  Social engineering...good luck 
finding sigs against all those.  Will these efforts water down or bog 
down the virus scanner or make Clam lose focus?

Bolting more functions to a program, extending it beyond the original design, is a good way to start introducing problems and losing focus of the project.
I agree, but I think the basic usage of ClamAV is as a mailscanner, so this is hardly a stretch.  For the same reason, I think your argument about scanning Word docs for phishiness being a waste is not really that persuasive.
It's popularly used as a mail scanner, I agree.  But one of the 
components that comes with it is clamscan for scanning home directories 
on shared folders, and I use it for analyzing things as they come in.  
Some mail scanners can also be configured to run clamscan on files.  
It's not a stretch.  Some messages talk about using "real time 
scanning" on file access...would that have use of scanning for phishing 
attacks on home directory contents?

Also, in the big picture here, it looks like they're only adding very prevalent phishing schemes.  This doesn't seem to be a proposed anti-spam solution or even a method for stamping out all phish traffic.  The "slippery slope" argument is something to keep in mind, but it also shouldn't prevent simple no-brainer solutions to easily solved problems from being made available.
I'm not trying to rain on people's ideas...just point out some 
counter-arguments that maybe people didn't think of.  Personally I 
don't like the idea of protecting users from their own stupidity when 
tackling that kind of message...something that could so easily reject 
messages accidentally...is outside the original focus of Clam.  Right 
now I have at my site, as I'm sure many other admins have, a setup I 
like at the moment for filtering.  It's adequately divided that I can 
search for messages and diagnose where a breakdown occurred.  If it's 
in the spam rules that a message is "lost", I know where it would have 
happened.  I don't want to have to diagnose whether it's in spam 
quarantine or virus quarantine when it wasn't a virus problem, and I 
don't need to determine if there's a problem with the virus scanner 
that uncle phil's message was lost because he put too much of that rich 
text HTML crap in his message and it matched a signature for some other 
message.

The work that would be added in trying to get clam to stop spam is 
already being done in other projects...maybe their efforts are worth 
contributing to instead of changing the focus of Clam.  Just something 
I was throwing out there for people to mull over... :-)



Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 10:40 AM, Dennis Skinner wrote:
Julian Mehnle wrote:
Besides, if mail servers started using SPF (or similar authentication techniques) to verify envelope sender addresses, whoever publishes SPF records for his domains would be
Not to start another flame war, but I find it interesting that you 
take such a hard-nosed approach to what is and is not technically a 
virus, but are willing to use something that is considered by some 
hard-nosed types to be a bastardization of the SMTP and DNS protocols.
I didn't think this was becoming a flamewar...anyone else?  I thought 
this might be an interesting discussion.

It is not a hard nosed approach to protocols or what is or isn't a 
virus, it's (to me) the possibility that taking on spam with signatures 
is losing focus of the objective to Clam.  When projects lose focus, 
the quality degrades, and there's greater chance of bugs being 
introduced.

I think (julian's?) original problem was that he didn't see why a virus 
scanner should shoulder the responsibility for every message that goes 
out saying "Hey, click here for k3wl new deals on Mort Gage rat3s!  
Yoove been approved!", when it's not a virus, it's something that is 
enticing people who should know better to click on it for free crap and 
more spam.

The "bastardization" of protocols is a response to the fact that 
administrators are quickly getting overwhelmed...people want a "free 
internet" but none of the unhappy stuff that comes with it, and 
administrators are getting saddled with the complaints.  It's wearing 
people down.  As patience grows thinner and complaints increase to a 
dull roar, the only "solution" would ultimately be whitelisting all 
mail servers that are "certified known good" and if you're not on that 
list, well, sorry buddy.

People recoil at that and are shocked...that would stifle the Internet 
and my access!!  Well...that's where the compromise of "bastardized" 
protocols is being explored.  So much time and resources are being 
poured into maintaining systems with so many people on them that the 
burden of fighting spam, viruses, spiruses, and now users that 
apparently lack enough sense not to respond to the low MoRtg Age rate 
mails and pleas to save Abu Demar's ailing sister with the promise of 
several million dollars to an offshore account that administrators are 
going to have to do SOMETHING radical before the signal to noise ratio 
on the Internet makes it, in the end, utterly useless to everyone and 
it all burns down into a useless pile of digital slag.

Oh,..and ClamAV and the Clam team have done a wonderful job so far with 
the antivirus thing.  Please keep up the good work on that.  But I'd 
still beg people favoring the idea of the spam fighting integration to 
instead volunteer to help the teams behind Spamassassin or other OSS 
spam filtering software efforts...they've been trying for quite some 
time more than the Clam team has, and that is precisely what their 
focus always has been.  Otherwise, maybe consider a fork of code for 
ClamAV and another for ClamSpam or something like that, to show that 
this idea *could* be done without hurting the quality of the antivirus 
scanner or getting too many false positives or killing performance.  I 
just see too much overlap between functionality between what people are 
proposing and what is already heavily used out there, and I'm sure the 
current anti-spam project teams would welcome volunteers who may have 
ideas on how to improve their programs in the war on 
idiots...er,...spammers.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 15, 2004, at 8:26 AM, jef moskot wrote:
On Mon, 15 Nov 2004, Trog wrote:
For example, the last Bagle (or Bofra) outbreak simply sent an email to its target victims, who then have to click on a link to download the Worm. According to your definition, that is a 'social' attack, and should not be blocked.
I was going to make this same point.
I understand what Julian is trying to say, and I don't object to a ClamAV option that would allow him to receive all the unwanted garbage he wants, but I don't really buy his logic.

He says some people might want to receive 419 scams and such, but some people might also want to receive viruses.  Sys admins often make the call that people can't have free access to viruses, for the good of the community, and I see granting people easy access to spread malware (either accidentally or purposely) or encourage phishing falling into the same category.
It becomes a question of degree, though.  Yes, it's harmful if you're 
dumb enough to give your life's savings to a stranger in another 
country.  It's stupid to buy p3n1s enhancements from UBE.  But we can't 
protect users from every single scam out there.  There's already 
programs that administrators can use to try to fight that available, 
and they have quite a bit of lead time on ClamAV in that respect.  It's 
a whole other fight...you can protect users from binary attachments of 
malware, but you can't protect them from stupidity.  I'd say leave it 
to the antispammers to hammer out, and to the people who focus on bayes 
filters...let the Clam team focus on analyzing the latest binaries 
floating around out there.

The binaries are one thing...it's easier to find those attachments and 
create sigs for them.  If it were easy to break spam and assorted 
click-here-for-her-pleasure mails into signatures I'm sure SpamAssassin 
and its brethren would have stamped out the bulk mail business a long 
time ago.  At least with viruses, the Clam team can stamp them out as 
they crawl from the woodwork while spam is more like a bottomless can 
of prank peanut brittle.  The spam just keeps coming no matter what 
defense is put in place.

I appreciate the intellectual argument that ClamAV should remain
"modular", but in basic practice, anyone who is preventing users from
receiving all the viruses their inboxes can handle isn't doing them a
disservice by closing off another malware avenue.
May be doing them a disservice if the signature mismatch a legit mail, 
though.  Or introduce more bugs because the coding for the scanning 
engine gets more complex.  The tools are out there already to fight 
spam, it may be better to support their efforts instead of bolting more 
functionality to ClamAV.  Bolting more functions to a program, 
extending it beyond the original design, is a good way to start 
introducing problems and losing focus of the project.

I'd beg people who want more anti-phishing/spam functions to instead 
support the teams that are already waging that war...contribute recipes 
and code to the SpamAssassin teams or another OSS filtering team.  Make 
ClamAV the best virus blocker available for working *with* those 
programs to provide a solid anti-malware platform.

Personally, I don't think much of SpamCop, but I do see that as Julian's most compelling argument.  I think that warrants a ClamAV option, but I also think it would be ill-advised to use it.
I think a lot of the proposal should probably be tabled unless the 
core Clam team expresses an interest in tackling this type of 
direction, and also could provide some tests to show how accurate it 
is...how much benefit there is to doing it this way versus how much of 
a system cost it would impose (database size, scan time, 
etc.)...keeping in mind that some people also use Clam to scan files on 
a hard drive.  Why add scanning for phishing attacks on a .doc file 
saved in my file share?  If you want to allow classification of code as 
phishing vs. virus vs. social engineering, how will this impact the 
team's time efforts and efficiency of scanning files on the hard disk?  
It would be nice to know just what kind of a performance hit this will 
introduce, especially after the recent discussions on new ways to ease 
the load on the servers for downloading signatures and distributing 
update notices via DNS servers...how big will the database get if there 
is a "spam signature repository" added?

Most solutions that I've found on the Internet for ClamAV scanning mail 
already include spam filtering and spam scanning via another OSS 
project...Amavisd-New expects that separation of virus vs. spam 
functionality precisely because it fights with different methods and 
spammers are notoriously clever at circumventing signatures.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Bart Silverstrim
On Nov 14, 2004, at 9:14 PM, Jason Haar wrote:
This is a "me too". I am ABSOLUTELY in love with ClamAV due to the 
fact it has gone beyond what most commercial AV players are doing, and 
is incorporating scanning for phishing and spyware.

If you follow the industry, you will see that most AV vendors are 
bringing out *separate* products to detect spyware - i.e they want us 
the consumers to pay TWICE to gain full protection.

I think it's a crock - and I'm glad to see the ClamAV developers do 
too. Viruses/trojans/phishing/spyware - it's all rubbish I would 
rather was not in my end-users mailboxes.
If it is incorporated, I also think it should be something that can be 
disabled as well.  I think I'd prefer not having false positives caused 
by spam blocking and the heuristics going wonky.  Clam is very reliable 
when it comes to stopping viruses, but I've never found something that 
can stop all the spam crap flowing on the Internet; the UNIX philosophy 
has always been one of modularity and creating programs for doing 
focused tasks and combining different "modules" for a solution.  We've 
been happy with our virus solution for the mail server, and I'd prefer 
not having to justify it when the spam level that it may start 
promising to stop is instead letting things through or mis-quarantining 
it.

phishing attacks should be handled by things like Spamassassin and the 
bayes filters...also free, focused on stopping those specific problems 
and having administrators needing to check two separate quarantines or 
lists (one from Clam and one from their spam solution) to hunt down a 
possible mislabeled message.

One question though...if it is going to block spam and phishing 
attacks, how are signatures going to be instituted?  I mean, how 
accurate would the signature system be...with all the spam out there, 
is it going to recognize a general pattern so one sig would stop maybe 
four or five common spams, or will the virus definitions suddenly 
balloon up in size to cover every p3nis, pen1s, pen is variation out 
there hitting the mail servers?  If there were some way of knowing how 
flexible and accurate the signatures are, maybe it could alleviate some 
of my fears personally.  I just find it hard to believe that signatures 
would be a good solution to phishing and spam, or systems like 
SpamAssassin would probably have moved to it by now.

-Bart


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Bart Silverstrim
On Nov 14, 2004, at 10:01 AM, John Jolet wrote:
On the issue of manually reviewing the mails to submit... isn't this the purpose of the quarantine directory?  When it detects a phishing malware, look at the file in the quarantine directory.
I think he's thinking that this is more time and labor 
consuming...before Clam only concentrated on "Here's a malware 
binary...into the quarantine with you!", whereas now it's also 
detecting things that only affect users if they are the kind to not 
stop and think before acting.

How many phishing permutations are out there?  How accurate are the 
signatures, i.e., how many phish attacks get through by changing just a 
couple details that alter the signature significantly?

-Bart

