[Mimedefang] TESTVIRUS.org - test question
I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result. Of the 17 tests, 3 failed with MD+CLAMAV+F-PROT. Neither CLAMAV nor F-PROT detected the BinHex-encoded copies of EICAR, though the scanners further down the line did. Fairly impressively, MD did catch the Outlook CR vulnerability, but nothing (not MD, not any of the later scanners) caught the Outlook space gap vulnerability test. Fortunately at that point Outlook blocked the attachment :)

I'm already discussing the BinHex problem on the CLAMAV list, but was wondering if anybody knew of a way to solve the space gap problem with MimeDefang.

TIA

-- 
Rob MacGregor (BOFH) [PGP key ID 0x1E51BF5A]
If I cannot bend Heaven, I shall move Hell. -- Publius Vergilius Maro (Virgil).

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list [EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] TESTVIRUS.org - test question
At 09.04 28/02/2004, you wrote:
> I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result.

I'm using sophos and it didn't catch the binhex encoded virus. I'm also interested in solving the 'space gap' with MD, if possible.

> Of the 17 tests, 3 failed with MD+CLAMAV+F-PROT. Neither CLAMAV nor F-PROT detected the BinHex-encoded copies of EICAR, though the scanners further down the line did. Fairly impressively, MD did catch the Outlook CR vulnerability, but nothing (not MD, not any of the later scanners) caught the Outlook space gap vulnerability test. Fortunately at that point Outlook blocked the attachment :)
>
> I'm already discussing the BinHex problem on the CLAMAV list, but was wondering if anybody knew of a way to solve the space gap problem with MimeDefang.
>
> TIA
>
> -- 
> Rob MacGregor (BOFH) [PGP key ID 0x1E51BF5A]
> If I cannot bend Heaven, I shall move Hell. -- Publius Vergilius Maro (Virgil).

---
Computers are machines to help you solve problems you wouldn't have if you didn't have a computer.
---
Ing. Andrea Gabellini
Email: [EMAIL PROTECTED]
Tel: 0549 886111 (Italy)
Tel. +378 0549 886111 (International)
Intelcom San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino
http://www.omniway.sm
http://www.intelcom.sm
Re: [Mimedefang] TESTVIRUS.org - test question
On Sat, 28 Feb 2004, Andrea Gabellini wrote:
> At 09.04 28/02/2004, you wrote:
>> I came across testvirus.org yesterday (a simple way to email yourself various ways of encoding EICAR) and was fairly happy with the result.
>
> I'm using sophos and it didn't catch the binhex encoded virus.

Same here, and it also passed through the space gap test too - however, the file that I saved was not eicar.com! Either pine mis-decoded it, or they wrongly encoded it at source.

A real copy of eicar.com:

gordon @ lion: od -x eicar.com
000 3558 214f 2550 4140 5b50 5c34 5a50 3558
020 2834 5e50 3729 4343 3729 247d 4945 4143
040 2d52 5453 4e41 4144 4452 412d 544e 5649
060 5249 5355 542d 5345 2d54 4946 454c 2421
100 2b48 2a48 000a

The version pine saved from the space gap test:

gordon @ unicorn: od -x eicar.com
000 6559 5996 9665 6559 5996 9665 6559 5996
020 9665 6559 5996 9665 6559 5996 9665 6559
040 5996 9665 6559 5996 9665 6559 5996 9665
060 6559 5996 9665 6559 5996 9665 6559 5996
100 9665 2a48 0020

So something's wrong somewhere..

Gordon
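Decoding the two od -x dumps above, as an added example that is not part of Gordon's post: it rebuilds the file bytes (assuming the dumps came from a little-endian host, where od -x shows each byte pair swapped, and that a trailing 00 in the last word is od's padding for an odd-length file) and checks whether the result is the 68-byte EICAR test string, which tells you what the scanners actually received.

```python
# The two `od -x` dumps from the post, embedded here as constructed input
# (octal offset, then 16-bit words exactly as od printed them).
GOOD_DUMP = """\
000 3558 214f 2550 4140 5b50 5c34 5a50 3558
020 2834 5e50 3729 4343 3729 247d 4945 4143
040 2d52 5453 4e41 4144 4452 412d 544e 5649
060 5249 5355 542d 5345 2d54 4946 454c 2421
100 2b48 2a48 000a
"""

PINE_DUMP = """\
000 6559 5996 9665 6559 5996 9665 6559 5996
020 9665 6559 5996 9665 6559 5996 9665 6559
040 5996 9665 6559 5996 9665 6559 5996 9665
060 6559 5996 9665 6559 5996 9665 6559 5996
100 9665 2a48 0020
"""

EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

def od_x_to_bytes(dump, little_endian=True):
    """Rebuild file bytes from `od -x` output.  od -x prints 16-bit words in
    host byte order, so on x86 the word "3558" is the bytes 0x58 0x35 ("X5").
    An odd-length file gets one 0x00 of padding in its last word; the dumps
    above lack od's final offset line, so a trailing NUL is assumed padding."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        for word in fields[1:]:  # fields[0] is the octal offset column
            out += int(word, 16).to_bytes(2, "little" if little_endian else "big")
    if out and out[-1] == 0:
        out.pop()
    return bytes(out)

def looks_like_eicar(data):
    """True if `data` is the 68-byte EICAR test file (trailing newline allowed)."""
    body = data.rstrip(b"\r\n")
    return len(body) == 68 and body.startswith(b"X5O!") and body.endswith(b"H+H*") and EICAR_MARKER in body

def repeating_prefix(data, max_period=8):
    """Return (period, length) of the longest prefix that repeats with a short
    period, or (0, 0); a long repeat flags a mis-decoded attachment."""
    best = (0, 0)
    for p in range(1, max_period + 1):
        n = p
        while n < len(data) and data[n] == data[n - p]:
            n += 1
        if n >= 2 * p and n > best[1]:
            best = (p, n)
    return best

if __name__ == "__main__":
    for name, dump in (("real eicar.com", GOOD_DUMP), ("pine-saved file", PINE_DUMP)):
        print(name, looks_like_eicar(od_x_to_bytes(dump)), repeating_prefix(od_x_to_bytes(dump)))
```

The pine-saved file turns out to be 66 bytes of a repeating 3-byte pattern followed by "H* ", not EICAR at all, which matches Gordon's observation.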
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrea Gabellini
> I'm using sophos and it didn't catch the binhex encoded virus.

I've found that clamav *will* catch it (the binhex test), assuming it's not sent directly. The problem is that clamav only enables the mail decoding function if the first word of the file passed to it is one of a number of key words. Where a previous MTA has stuck a Received: header as the first line all is well; however, when it's sent directly (as from testvirus.org) that magic header isn't there and clamav treats it like a plain file.

I've asked the clamav folks if some flag can be set to tell clamav to treat every file as a mail file, for use in mail scanners. If they don't object I may just look at working a patch for them.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Mueller

> No, this is not the problem. mimedefang does not pass the original mail to ClamAV. It extracts all mime parts, and then calls the virus scanner on those files, since not all virus scanners can handle raw mails. The virus scanner never actually sees the original, unmodified mail with mimedefang. So this is a mimedefang-only bug. Not a bug in ClamAV.

Well, I'd call it a bug (or maybe a feature) of both :)

I would say that the problem is that MD only does part of the job of extracting parts. Rather than fully decoding the email it does a half-hearted job (and no, I'm not having a go - it's a design choice I can fully understand). This means that any smart scanners get only part of the story. Ideally MD would not just pass the decoded parts but the original email, as is, to the scanner. There would be some overhead, but it's better than the current situation.

> BTW, my workaround for letting ClamAV handle mails directly is to prepend the mail with a From [EMAIL PROTECTED] before passing it down to clamdscan --mbox. This way it will always handle it as email.

I had thought about that myself :)

> But again, to avoid misunderstandings: this is not needed with mimedefang, since mimedefang never runs the virus scanner on the mail itself.

Yeah, I solved the problem by using clamav-milter itself. I'd rather not have something else in the loop (more things to break), but I'll live with it.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
RE: [Mimedefang] TESTVIRUS.org - test question
On Sat, 28 Feb 2004, Rob wrote:
> I would say that the problem is that MD only does part of the job of extracting parts. Rather than fully decoding the email it does a half-hearted job (and no, I'm not having a go - it's a design choice I can fully understand). This means that any smart scanners get only part of the story. Ideally MD would not just pass the decoded parts but the original email, as is, to the scanner. There would be some overhead, but it's better than the current situation.

It's pretty easy -- before you call message_contains_virus, put this in your filter:

    copy_or_link("./INPUTMSG", "./Work/INPUTMSG");

This ensures that the original raw message is sitting in Work/, ready for scanning. You might need to give the virus scanner special options to get it to decode a mail message, but it's not too hard.

-- 
David.
Re: [Mimedefang] TESTVIRUS.org - test question
On Saturday 28 February 2004 19:28, Rob wrote:
>> So this is a mimedefang-only bug. Not a bug in ClamAV.
> Well, I'd call it a bug (or maybe a feature) of both :)

As currently ClamAV never actually sees the faulty bit, it can't be a bug in ClamAV. On the contrary, I would consider it a bug in ClamAV when it starts to decode inline binhex in arbitrary files (not (!) emails).

> email, as is, to the scanner. There would be some overhead, but it's better than the current situation.

It's not a half-hearted solution. What would you think about ClamAV detecting a virus in a mail, but then not finding the entity containing the virus (like for dropping it in your filter)? Sure you would consider that a bug too.. right?

> Yeah, I solved the problem by using clamav-milter itself. I'd rather not have something else in the loop (more things to break), but I'll live with it.

Well, more things in the loop can also prevent a single thing from breaking if combined cleverly (like using two virus scanners instead of one, since one alone always tends to be out of date just the very second you would need it).

Dirk
Re: [Mimedefang] TESTVIRUS.org - test question
On Sat, 2004-02-28 at 13:44, Dirk Mueller wrote:
>>> So this is a mimedefang-only bug. Not a bug in ClamAV.
>> Well, I'd call it a bug (or maybe a feature) of both :)
> As currently ClamAV never actually sees the faulty bit, it can't be a bug in ClamAV. On the contrary, I would consider it a bug in ClamAV when it starts to decode inline binhex in arbitrary files (not (!) emails).

I'm not sure I followed all the steps here, but if MimeDefang saves the attachment in the same form that a mail user agent would if you told it to save to a file, that sounds correct to me. If ClamAV doesn't detect a virus when it scans that file, whether saved by an MUA or MimeDefang, then it seems like a bug in ClamAV.

---
Les Mikesell
[EMAIL PROTECTED]
[Mimedefang] action_quarantine_entire_message
Hi,

man mimedefang-filter reads:

    action_quarantine_entire_message($msg)
        Quarantines the entire message in a quarantine directory on the mail server, but does not otherwise affect disposition of the message. If $msg is non-empty, it is included in any administrator notification.

To my surprise, it seems that action_quarantine_entire_message's parameter, $msg, is added inline to the actual message. That was... ehh, quite surprising, since the messages were politically incorrect debug messages, which confused the hell out of the actual recipient, since they suddenly appeared in the middle of a legitimate, non-spam, non-virus email.

Is this a bug in mimedefang? Is this a bug in the documentation? Using 2.39 here. There should be a huge warning in the documentation, since this behaviour was entirely non-obvious to me.

I made a quick patch to fix the issue for me (@Warnings was used for Quarantine notification warnings as well as for recipient warnings, which is .. eh .. bad.). Not well tested, but I was assuming that the code is easy enough for me to grasp.

Dirk

--- mimedefang.pl 2004-02-27 14:31:35.0 +0100 +++ /usr/local/bin/mimedefang.pl 2004-02-28 21:37:50.523103387 +0100 @@ -40,7 +40,7 @@ $NotifySenderSubject $NotifyAdministratorSubject $ValidateIPHeader $QuarantineSubject $SALocalTestsOnly $NotifyNoPreamble - %Actions %Stupidity @FlatParts @Recipients @Warnings %Features + %Actions %Stupidity @FlatParts @Recipients @QuarantineWarnings @Warnings %Features $SyslogFacility $GraphDefangSyslogFacility $MaxMIMEParts $InMessageContext $InFilterContext $PrivateMyHostName $EnumerateRecipients $InFilterEnd $FilterEndReplacementEntity @@ -1095,7 +1095,7 @@ $Actions{'quarantine_entire_message'}++; if (defined($msg) ($msg ne )) { - push(@Warnings, $msg\n); + push(@QuarantineWarnings, $msg\n); if (open(OUT, $QuarantineSubdir/MSG.0)) { print OUT $msg\n; close(OUT); 
@@ -1404,7 +1404,7 @@ close(IN); } } - if ($#Warnings = 0) { + if ($#QuarantineWarnings = 0) { $body .= \n--\nHere are the warning details:\n\n; $body .= @Warnings; } @@ -4475,6 +4475,7 @@ undef @FlatParts; undef @Recipients; undef @Warnings; +undef @QuarantineWarnings; } #***
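Review bot: In the @@ -1404,7 hunk the condition is switched to `$#QuarantineWarnings` but the body two lines later still appends `@Warnings`, so the administrator notification would list the recipient warnings instead of the quarantine ones (and an empty details block whenever only quarantine warnings were pushed); change it to `$body .= @QuarantineWarnings;` so the test and the output use the same array. The @@ -40,7 hunk does add the new array to the global variable list and the @@ -4475,6 hunk resets it per message, so with that one-line fix the two arrays stay consistently separate.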
Re: [Mimedefang] action_quarantine_entire_message
On Saturday 28 February 2004 21:48, Dirk Mueller wrote:
> is .. eh .. bad.). Not well tested, but I was assuming that the code is easy enough for me to grasp.

Grrr.. @QuarantineWarnings missing here:

- if ($#Warnings = 0) { + if ($#QuarantineWarnings = 0) { $body .= \n--\nHere are the warning details:\n\n; $body .= @Warnings;

Dirk
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll

> It's pretty easy -- before you call message_contains_virus, put this in your filter:
>
>     copy_or_link("./INPUTMSG", "./Work/INPUTMSG");
>
> This ensures that the original raw message is sitting in Work/, ready for scanning. You might need to give the virus scanner special options to get it to decode a mail message, but it's not too hard.

That's worth knowing - I may have a play with that later. Fortunately with clamd you can enable the scanning of mail files as a default, so if it detects the magic word at the start of the file it'll know what it is.

Thanks.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
RE: [Mimedefang] TESTVIRUS.org - test question
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Mueller

> It's not a half-hearted solution. What would you think about ClamAV detecting a virus in a mail, but then not finding the entity containing the virus (like for dropping it in your filter)? Sure you would consider that a bug too.. right?

Why should I care - if it finds a virus in the email then the email gets dropped in the bit bucket (or quarantined). At that point it becomes utterly irrelevant *where* the virus is in the email. Yes, there's always the option of stripping out the virus from the email - but why? It's pretty unlikely (for values of unlikely approximating zero) that there will be any legitimate content in a virus-infected email.

>> Yeah, I solved the problem by using clamav-milter itself. I'd rather not have something else in the loop (more things to break), but I'll live with it.
> Well, more things in the loop can also prevent a single thing from breaking if combined cleverly (like using two virus scanners instead of one, since one alone always tends to be out of date just the very second you would need it).

Which is why I've got more than one in the loop. By the time any email gets to my mail client it's been through 4 different scanners :) So far (touch wood) nothing's got through to the client, yet. I'd like to only use MD, not MD and clamav-milter, purely to keep overheads minimal. I'll probably play with David's suggestion later next week and see if it works for me, in which case I can junk clamav-milter.

PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly.

-- 
Rob | What part of no was it you didn't understand?
Re: [Mimedefang] TESTVIRUS.org - test question
On Saturday 28 February 2004 23:09, Rob wrote:
> clamd you can enable the scanning of mail files as a default, so if it detects the magic word at the start of the file it'll know what it is.

I've added this code to message_contains_virus_clamd():

    # copy message for clamd
    open(I, "<INPUTMSG");
    open(O, ">Work/COMPLETE_MSG");
    # give ClamAV the hint to treat it as mbox, otherwise
    # it doesn't detect all the inline files.
    print O "From [EMAIL PROTECTED] 1 Jan 2004\r\n";
    while(<I>) { print O; }
    close(I); close(O);

which is great for detecting attachments in MIME-broken emails (like qmail-send bounces). Those otherwise slip by ClamAV (the same needs to be done for the non-daemon version of ClamAV checking, but I don't use that code).
Re: [Mimedefang] TESTVIRUS.org - test question
On Saturday 28 February 2004 23:15, Rob wrote:
> Why should I care - if it finds a virus in the email then the email gets dropped in the bit bucket (or quarantined). At that point it becomes utterly irrelevant *where* the virus is in the email.

That might be the case for your filter, but anybody not running it for his own pleasure most likely does not run such a configuration. Besides that, there are things called false positives, which do happen from time to time.
[Mimedefang] RE: Huge messages causing try again later
> if (lc($ext) =~ /zip/ && -s './INPUTMSG' <= 100*1024) {
>
> MyDoom isn't going to be bigger than 30KB anyway...

Don't know if somebody else pointed this out yet, but there are Mydoom.f messages running around that are 34KB; I had to get mine up to 35 KB to catch them.

Jim Shewmaker