RE: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-22 Thread John Tolmachoff (Lists)
 Due to the very low hit rate, the possibility of somewhat random false
 positives without additional exceptions which in turn would limit the
 hit rate even further, I believe that this filter isn't worth the
 processing and I'm going to retire it.  For the good catches that it
 made, I feel that these are best targeted with more specific filters
 such as ANTI-AV.

As always, we appreciate your efforts and work.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-21 Thread Matt
I just thought I would send an update about this filter.
Given Declude's ability to detect zero-byte attachments as 
vulnerabilities in recent interim releases, much of the potential that 
would otherwise exist for this filter, doesn't.  I upped the max file 
size for the test to 5K and found that its catch rate was only about 1 
in 10,000 messages, and it would trip on attachments that were formerly 
viruses but had been stripped by virus scanners, which replaced the attachments with 
text messages but left indications of the original virus's name.  All of 
these messages would have otherwise passed, and although they weren't 
dangerous, they were unwanted.  I also found one message that was a 
false positive where there was a string of attached messages and the 
header code in one just so happened to hit all of the required strings, 
and didn't trip the exception found when there is a base64 attachment.  
I believe that this can be properly resolved by requiring the string 
base64; however, this would also cause most of the good catches to not 
be caught since the base64 attachments were replaced by plain text.

Due to the very low hit rate, the possibility of somewhat random false 
positives without additional exceptions which in turn would limit the 
hit rate even further, I believe that this filter isn't worth the 
processing and I'm going to retire it.  For the good catches that it 
made, I feel that these are best targeted with more specific filters 
such as ANTI-AV.

Matt
-- 
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/


Re: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-20 Thread R. Scott Perry

This results in a zero-byte attachment and it will always get past 
Declude Virus, even if it has one of the commonly banned extensions 
associated with viruses (unless this has been addressed in a more recent 
interim that I'm not aware of ).

I haven't hit a single file as yet with this filter.  It may be that this 
was in fact fixed with a more recent version of Declude Virus ...
FWIW, I can't recall any issue where the size of a file (even 0-byte) will 
prevent Declude Virus from banning the file based on the extension.  Of 
course, a 0-byte file won't be blocked by the virus scanner (since it can't 
contain a virus), but Declude Virus should block it as expected.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-20 Thread Markus Gufler

 FWIW, I can't recall any issue where the size of a file (even 
 0-byte) will prevent Declude Virus from banning the file 
 based on the extension.  Of course, a 0-byte file won't be 
 blocked by the virus scanner (since it can't contain a 
 virus), but Declude Virus should block it as expected.

Some of our customers today received messages containing an (encrypted?) zip
file with no files inside.
The body contains something like Password: 12345

I've forwarded one of this message to the virustrap address.

As it doesn't contain any viral code it's not so problematic, but it creates
a lot of doubts on the customer side about whether our mailboxes are really protected.

Markus




RE: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-20 Thread R. Scott Perry

Some of our customers today received messages containing an (encrypted?) zip
file with no files inside.
The body contains something like Password: 12345
As it doesn't contain any viral code it's not so problematic, but it creates
a lot of doubts on the customer side about whether our mailboxes are really protected.
Unfortunately, there is little that can be done about attachments that 
appear to be viruses but are not.  That's something that filters in Declude 
JunkMail would probably handle best.

   -Scott


Re: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-20 Thread Matt
Scott,
I probably mistook the zero-byte zips, which most won't ban by 
extension.  Declude Virus however seems to have introduced a bogus ZIP 
file vulnerability in a more recent interim which is blocking these 
zero-byte zip files.  I suppose that's good although it may have been 
unintentional.

Yesterday's virus has huge problems with zero-byte files being sent.
Matt

R. Scott Perry wrote:

Some of our customers today received messages containing an 
(encrypted?) zip
file with no files inside.
The body contains something like Password: 12345

As it doesn't contain any viral code it's not so problematic, but it 
creates a lot of doubts on the customer side about whether our mailboxes 
are really protected.

Unfortunately, there is little that can be done about attachments that 
appear to be viruses but are not.  That's something that filters in 
Declude JunkMail would probably handle best.

   -Scott



Re: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-19 Thread Scott Fisher
I think the vulnerability checks are catching 0/1 length files. I haven't seen one 
lately. That said, your e-mail numbers well surpass mine, so I might just be luckier.

From my virus logs:
07/04/2004 08:13:21 Q024e0094005eb63a MIME file: message.zip [base64; Length=0 
Checksum=1441]
07/04/2004 08:13:21 Q024e0094005eb63a Invalid ZIP Vulnerability
07/04/2004 08:13:21 Q024e0094005eb63a Found a bogus .zip file
07/04/2004 08:13:21 Q024e0094005eb63a File(s) are INFECTED [[Invalid ZIP 
Vulnerability]: 0]
07/16/2004 22:06:41 Q97bd04d80048162e MIME file: Document.scr [base64; Length=0 
Checksum=2668]
07/16/2004 22:06:41 Q97bd04d80048162e Invalid SCR Vulnerability
07/06/2004 16:56:14 Q1ffd0209020ca170 MIME file: Info.scr [base64; Length=1 
Checksum=2753]
07/06/2004 16:56:14 Q1ffd0209020ca170 Invalid SCR Vulnerability
07/06/2004 16:56:14 Q1ffd0209020ca170 Banning file with scr extension 
[application/octet-stream].
07/06/2004 16:56:14 Q1ffd0209020ca170 MIME file: Sources.zip [base64; Length=1 
Checksum=2753]
07/06/2004 16:56:15 Q1ffd0209020ca170 Invalid ZIP Vulnerability
07/06/2004 16:56:15 Q1ffd0209020ca170 Found a bogus .zip file



 [EMAIL PROTECTED]  7/19  4:58p 
I thought I would share this one with the list since it's been a while 
and the problem that this targets is rather problematic in nature, 
though not very threatening.  This filter targets messages sent by virus 
infected computers that are missing the attachment but define the file.  
This results in a zero-byte attachment and it will always get past 
Declude Virus, even if it has one of the commonly banned extensions 
associated with viruses (unless this has been addressed in a more recent 
interim that I'm not aware of ).

This filter uses the Size.vbs external test (which is also shared in the 
beta section of the site) to determine if the message is of a certain 
size.  In the filter that I have provided, it is looking for an entry 
that matches SIZE-XS which on my system is set to 2K or smaller.  If 
it finds such a message, it then checks to see if there are indications 
of an attachment and if so, is there an indication of BASE64 being 
properly encoded (always ends with two equal signs then a double line 
break), and if not, then it checks for an indication of one of 9 file 
extensions and scores them.  The logic here is that a message containing 
an attachment of one of these types really shouldn't be smaller than 2K, 
and even if they were they should be properly encoded, but a corrupted 
virus that sends a zero-byte attachment should fail.  Messages with very 
small attachments should not trip this test, however it has only been 
designed to work properly with BASE64 attachments which are the obvious 
mechanism for almost every mass mailing virus out there because of broad 
support.

I haven't documented the file, so here's the configuration that I use 
for Size.vbs on my system as it corresponds to the test:

SIZE-XXS external 11 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2820
SIZE-XS external 12 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-S external 13 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-M external 14 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-L external 15 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-XL external 16 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28   00
SIZE-XXL external 17 CScrip
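The conditions this thread keeps returning to (a declared file whose body decodes to 0 or 1 bytes, as in Scott Fisher's "Invalid ZIP/SCR Vulnerability" log lines; a .zip that carries no ZIP signature; and Markus's well-formed archive with nothing inside) can be tested on the decoded MIME part instead of by matching strings in the raw message the way the CORRUPTEDVIRUS filter does. That also avoids the false positive Matt reported on 07-21, where header text inside a string of attached messages happened to hit all the required strings. The following is an added example written for this page in Python; it is not Declude, MailPure or list-member code. The extension set, the finding strings and the sample messages are constructed for the example (only the finding names echo the log wording above), and the addresses are placeholders.

```python
"""Added example: judge attachments by their decoded content rather than by
strings in the raw message. Not Declude, MailPure or list-member code."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extensions the mass mailers of the period favoured. Constructed for this
# example; it is not Declude's banned-extension list.
SUSPECT_EXTS = {".zip", ".scr", ".pif", ".exe", ".bat", ".cmd", ".com", ".vbs"}

# A ZIP begins with a local-file header or, when it holds no entries at all,
# with the end-of-central-directory record.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")


def inspect_part(part):
    """Return (filename, decoded_length, findings) for a named file part,
    or None for parts that carry no filename (bodies, containers)."""
    name = part.get_filename()
    if not name:
        return None
    ext = PurePosixPath(name).suffix.lower()
    payload = part.get_payload(decode=True) or b""
    findings = []
    # The "corrupted virus" pattern: the worm wrote the part headers but no
    # content, so the declared file decodes to 0 or 1 byte.
    if ext in SUSPECT_EXTS and len(payload) <= 1:
        findings.append(f"Invalid {ext[1:].upper()} Vulnerability")
    if ext == ".zip":
        if not payload.startswith(ZIP_MAGICS):
            findings.append("Found a bogus .zip file")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    if not zf.namelist():
                        # Well formed but holds nothing: the "zip with no
                        # files inside" that a virus scanner has no reason
                        # to block, yet a mail filter may want to score.
                        findings.append("Empty ZIP archive")
            except zipfile.BadZipFile:
                findings.append("Found a bogus .zip file")
    return name, len(payload), findings


def scan_message(raw: bytes):
    """Walk every part, descending into forwarded (message/rfc822) messages,
    and return one (filename, length, findings) record per named file."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [rec for rec in map(inspect_part, msg.walk()) if rec]


# --- constructed sample messages (not captured traffic) ---------------------

def build_sample(filename: str, content: bytes) -> bytes:
    """Short text body plus one base64 attachment with the given name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: document"
    msg.set_content("The password is 12345")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_forward(inner_raw: bytes) -> bytes:
    """The inner message travels as a message/rfc822 part, so its attachment
    sits one level down and its headers appear inside the outer body."""
    outer = EmailMessage()
    outer["From"] = "colleague@example.invalid"
    outer["To"] = "victim@example.invalid"
    outer["Subject"] = "Fwd: document"
    outer.set_content("Forwarding this one for you.")
    outer.add_attachment(BytesParser(policy=policy.default).parsebytes(inner_raw))
    return outer.as_bytes()


def empty_zip() -> bytes:
    """A valid archive with zero members: only the end-of-central-directory record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w"):
        pass
    return buf.getvalue()


def real_zip() -> bytes:
    """A valid archive holding one small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("message.zip", b""), ("Info.scr", b"M"),
               ("archive.zip", empty_zip()), ("Sources.zip", real_zip())]
    for name, content in samples:
        for rec in scan_message(build_sample(name, content)):
            print(rec)
```

On the constructed samples, a zero-byte message.zip yields both "Invalid ZIP Vulnerability" and "Found a bogus .zip file" (the same pair Scott Fisher's log shows for Q024e0094005eb63a), a one-byte Info.scr yields "Invalid SCR Vulnerability", and a syntactically valid archive with no members yields only "Empty ZIP archive", which is the case Scott Perry says belongs in a JunkMail filter rather than in the virus scanner. Because `walk()` descends into message/rfc822 parts, an attachment inside a forwarded message is judged on its own decoded length, and header text that merely mentions a filename never counts as a file.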


Re: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0

2004-07-19 Thread Matt
Strange, I do see similar entries in my logs today, but I had a client 
report two different zero length zip files that got through this 
morning.  It could be that their system stripped the attachments and 
left them empty.  It appears that F-Prot had issues with the new virus 
that was producing errors on zip files until an update around 6 p.m. 
today on my system and AVG wasn't catching it either.

I haven't hit a single file as yet with this filter.  It may be that 
this was in fact fixed with a more recent version of Declude Virus (I 
wish there were notes for this stuff so we wouldn't have to waste 
time).  The filter should however potentially hit other corrupted 
viruses such as very short partial attachments that are bounced by some 
servers unless the new 'invalid' checks in Declude Virus are using much 
the same technique, or one that is indicative of the same thing (i.e. 
Base64 encodings that aren't ended properly).  It might be more useful 
looking at files up to 5K in size.

Thanks for the heads up.
Matt

Scott Fisher wrote:
I think the vulnerability checks are catching 0/1 length files. I haven't seen one 
lately. That said, your e-mail numbers well surpass mine, so I might just be luckier.
From my virus logs:
07/04/2004 08:13:21 Q024e0094005eb63a MIME file: message.zip [base64; Length=0 
Checksum=1441]
07/04/2004 08:13:21 Q024e0094005eb63a Invalid ZIP Vulnerability
07/04/2004 08:13:21 Q024e0094005eb63a Found a bogus .zip file
07/04/2004 08:13:21 Q024e0094005eb63a File(s) are INFECTED [[Invalid ZIP 
Vulnerability]: 0]
07/16/2004 22:06:41 Q97bd04d80048162e MIME file: Document.scr [base64; Length=0 
Checksum=2668]
07/16/2004 22:06:41 Q97bd04d80048162e Invalid SCR Vulnerability
07/06/2004 16:56:14 Q1ffd0209020ca170 MIME file: Info.scr [base64; Length=1 
Checksum=2753]
07/06/2004 16:56:14 Q1ffd0209020ca170 Invalid SCR Vulnerability
07/06/2004 16:56:14 Q1ffd0209020ca170 Banning file with scr extension 
[application/octet-stream].
07/06/2004 16:56:14 Q1ffd0209020ca170 MIME file: Sources.zip [base64; Length=1 
Checksum=2753]
07/06/2004 16:56:15 Q1ffd0209020ca170 Invalid ZIP Vulnerability
07/06/2004 16:56:15 Q1ffd0209020ca170 Found a bogus .zip file

 [EMAIL PROTECTED]  7/19  4:58p 
I thought I would share this one with the list since it's been a while 
and the problem that this targets is rather problematic in nature, 
though not very threatening.  This filter targets messages sent by virus 
infected computers that are missing the attachment but define the file.  
This results in a zero-byte attachment and it will always get past 
Declude Virus, even if it has one of the commonly banned extensions 
associated with viruses (unless this has been addressed in a more recent 
interim that I'm not aware of ).

This filter uses the Size.vbs external test (which is also shared in the 
beta section of the site) to determine if the message is of a certain 
size.  In the filter that I have provided, it is looking for an entry 
that matches SIZE-XS which on my system is set to 2K or smaller.  If 
it finds such a message, it then checks to see if there are indications 
of an attachment and if so, is there an indication of BASE64 being 
properly encoded (always ends with two equal signs then a double line 
break), and if not, then it checks for an indication of one of 9 file 
extensions and scores them.  The logic here is that a message containing 
an attachment of one of these types really shouldn't be smaller than 2K, 
and even if they were they should be properly encoded, but a corrupted 
virus that sends a zero-byte attachment should fail.  Messages with very 
small attachments should not trip this test, however it has only been 
designed to work properly with BASE64 attachments which are the obvious 
mechanism for almost every mass mailing virus out there because of broad 
support.

I haven't documented the file, so here's the configuration that I use 
for Size.vbs on my system as it corresponds to the test:

SIZE-XXS external 11 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2820
SIZE-XS external 12 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-S external 13 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-M external 14 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-L external 15 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 2800
SIZE-XL external 16 CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28   00
SIZE-XXL external 17 CScrip