Re: [Mimedefang] Zip --> Zip --> PIF
On Fri, 18 Feb 2005, David Eisner wrote:

> The problem is that in general there is a delay between the time a virus
> outbreak occurs, and the time that virus scanners have updated DATs that
> detect it. That's one of the great things about Mimedefang -- it
> removes the potentially harmful attachment during this window.

MIMEDefang won't recursively scan a zip file. To scan the "table of contents" of a zip file is relatively safe, and if you have Archive::Zip, you can use re_match_in_zip_directory to detect "dangerous" files in a zip. However, to actually decompress a zip file is not safe (decompression bombs can hurt), so we don't do that.

Regards,

David.

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Basic question on start/stop
The init script expects a redhat (redhat like) Linux, the multiplexer uses a hardcoded kill -0 but the daemon uses a function called killproc that most redhat init scripts use... killproc expects pids in /var/run as well and is located in:

/etc/rc.d/init.d/functions

I expect the issue is this function is not available on your system?

Jim

On Thu, 17 Feb 2005 15:50:07 -0500, Lavoie,Alain [CMC] wrote
> Hello,
>
> I'm using the init-script file in the examples directory to
> start/stop mimedefang.
> However, I saw many mimedefang hanging from my previous stop and restart
> of the application.
> I looked in the script to see it used the command "kill". The path
> and the pid number are right in the script. Even at the command line
> a kill of the pid doesn't work. I don't want to do a "kill -9". Is it
> something I'm doing wrong? Or is there another way to terminate
> mimedefang? BTW, the multiplexor starts and stops correctly.
>
> Thank you!
> Levoy
RE: [Mimedefang] Zip --> Zip --> PIF
David Eisner wrote:
> Arthur Corliss wrote:
>> Mimedefang may not recursively unzip attachments, but if you're
>> using a scanner like Clamav with it, that should handle and stop
>> viruses like that from getting through.
>>
> ...
> The problem is that in general there is a delay between the time a
> virus outbreak occurs, and the time that virus scanners have updated
> DATs that detect it.
> ... we're using McAfee Virusscan. Oddly, it still doesn't
> detect this worm.

ClamAV has a good reputation for getting DATs out quickly... in part due to a revolutionary method of posting the timestamp of the latest DAT file via DNS TXT record to save on bandwidth.

In general, having redundant virus scanners from different vendors decreases the time you are vulnerable.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
Re: [Mimedefang] Zip --> Zip --> PIF
On Fri, 18 Feb 2005, David Eisner wrote:

> I'm not suggesting the behavior of Mimedefang is wrong, I just want to
> make sure I understand what it's doing.
>
> The problem is that in general there is a delay between the time a virus
> outbreak occurs, and the time that virus scanners have updated DATs that
> detect it. That's one of the great things about Mimedefang -- it
> removes the potentially harmful attachment during this window.
>
> In our case, we're using McAfee Virusscan. Oddly, it still doesn't
> detect this worm.

Gotcha, you're worried less about the scanning bit than you are about the dangerous/banned attachment bit. In that case, you have a valid concern. Personally, I'll still leave that in the hands of the user. My greatest concern with executable types is those exploits that can auto-execute due to unsafe scripting in HTMLified clients. A zip file shouldn't be able to be used as such a payload, so if people are opening files *within* archives from strangers, they shouldn't be using computers. ;-)

If a recursive unarchiving happens within mimedefang in the future (and I don't think this should be the default action) there should be a configurable recursion limit to prevent DoS attacks.

--Arthur Corliss
Bolverk's Lair -- http://arthur.corlissfamily.org/
Digital Mages -- http://www.digitalmages.com/
"Live Free or Die, the Only Way to Live" -- NH State Motto
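The two points made in this thread, that reading a zip file's table of contents is safe while inflating it is not, and that any recursive unarchiving needs a configurable recursion limit, combine into one bounded inspector. The following is an added example and is not MIMEDefang's code or its re_match_in_zip_directory; it is standalone Python on the standard zipfile module. The thresholds (MAX_DEPTH, MAX_MEMBERS, MAX_RATIO, MAX_INNER_BYTES) and the extension list are assumed values, and make_zip only builds constructed test input such as a letter.zip inside a letter.zip. Nothing is inflated except a nested zip whose header claims it is small, and even that read is hard-capped in case the header lies.

```python
import io
import re
import zipfile

# Policy knobs: assumed values for this illustration, not MIMEDefang settings
MAX_DEPTH = 2               # archive nesting levels we are willing to descend
MAX_MEMBERS = 500           # refuse tables of contents larger than this
MAX_RATIO = 100.0           # uncompressed/compressed ratio treated as a bomb
MAX_INNER_BYTES = 1 << 20   # never inflate a nested zip past 1 MiB

# Names Windows will execute directly; .pif is the one from the thread
DANGEROUS = re.compile(r"\.(pif|scr|exe|com|bat|cmd|vbs|vbe|js|jse|lnk|hta)$", re.I)


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}. Used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip(data, depth=0, prefix=""):
    """Return a list of findings for the zip bytes in `data` (empty means clean).

    Names and sizes come from the central directory only. A member is inflated
    only when it is itself a zip, its declared size is under MAX_INNER_BYTES and
    the nesting depth is within MAX_DEPTH; the read is capped regardless of
    what the header claims.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"not-a-zip:{prefix or '<root>'}"]

    findings = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return [f"too-many-members:{prefix or '<root>'}:{len(infos)}"]

        for info in infos:
            path = prefix + info.filename
            # Encrypted members cannot be scanned by anyone downstream either
            if info.flag_bits & 0x1:
                findings.append(f"encrypted:{path}")
            # Ratio check from header sizes alone: no bytes are inflated here
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"suspicious-ratio:{path}")
            if DANGEROUS.search(info.filename):
                findings.append(f"dangerous-name:{path}")
            if not info.filename.lower().endswith(".zip"):
                continue

            # Nested archive: descend only under explicit limits
            if depth + 1 > MAX_DEPTH:
                findings.append(f"nesting-too-deep:{path}")
                continue
            if info.file_size > MAX_INNER_BYTES:
                findings.append(f"inner-zip-too-large:{path}")
                continue
            try:
                with zf.open(info) as fh:
                    inner = fh.read(MAX_INNER_BYTES + 1)   # hard cap on inflation
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                findings.append(f"unreadable-member:{path}")
                continue
            if len(inner) > MAX_INNER_BYTES:               # header lied about size
                findings.append(f"inner-zip-too-large:{path}")
                continue
            findings.extend(inspect_zip(inner, depth + 1, path + "/"))
    return findings


def should_strip(data):
    """True if the attachment should be removed or quarantined on these findings."""
    return bool(inspect_zip(data))
```

The decision to descend is deliberately conservative: a nested zip is the only thing ever inflated, its size is bounded twice, and depth is counted from the outer attachment, so a zip-in-zip-in-zip beyond MAX_DEPTH is flagged rather than opened.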
Re: [Mimedefang] Zip --> Zip --> PIF
Arthur Corliss wrote:
> On Fri, 18 Feb 2005, David Eisner wrote:
>
>> I just received an interesting virus. It's a fake bounce with an
>> attachment named letter.zip. It made it through mimedefang (2.49)
>> unscathed.
>>
>> I unzipped letter.zip, which contained a single file, named . . .
>> letter.zip (kind of like Russian dolls).
>> I unzipped the interior letter.zip, which contained a Letter.pif. It
>> appears to be Win32.Mydoom.am (according to Kaspersky.com):
>> http://www.viruslist.com/en/viruses/encyclopedia?virusid=74056
>>
>> Am I correct that mimedefang will not recursively unzip files when
>> searching for harmful attachments?
>
> Mimedefang may not recursively unzip attachments, but if you're using a
> scanner like Clamav with it, that should handle and stop viruses like that
> from getting through.

I'm not suggesting the behavior of Mimedefang is wrong, I just want to make sure I understand what it's doing.

The problem is that in general there is a delay between the time a virus outbreak occurs, and the time that virus scanners have updated DATs that detect it. That's one of the great things about Mimedefang -- it removes the potentially harmful attachment during this window.

In our case, we're using McAfee Virusscan. Oddly, it still doesn't detect this worm.

-David

-
D a v i d  E i s n e r    c r a d l e @ u m d . e d u
CALCE EPSC    University of Maryland
Re: [Mimedefang] off topic: rfc-ignorant
On Fri, 18 Feb 2005, Aleksandar Milivojevic wrote:

> May make a couple of people here smile (at least). The rfc-ignorant
> seem to be ignorant themselves. My log files are full of these:
>
> lame server resolving '4.3.2.1.ipwhois.rfc-ignorant.org' (in 'ipwhois.rfc-ignorant.ORG'?): 127.0.0.1#53
>
> They are delegating ipwhois.rfc-ignorant.org to localhost (127.0.0.1).

Because of changes in RFCs ipwhois was discontinued from rfc-ignorant at the end of last year; there is a link to the announcement about it on their website. Completewhois took most of the data and incorporated it into our invalid whois project database; you can use it for blocklisting as

invalidipwhois.dnsiplists.completewhois.com

Or in combination with bogons & hijacked lists:

combined-hib.dnsiplists.completewhois.com

For more information see
http://www.completewhois.com/invalidwhois/invalid_ipblocks.htm
http://www.completewhois.com/bogons/using_bogon_lists.htm

> Wooohooo :-)
>
> (OK, I haven't checked RFCs, but delegating a domain to localhost is
> simply plain wrong)

It's not against any RFC and it's not wrong. It's a rather common trick used when a previously public page is no longer public and the website owner does not want to (or cannot, by court order, etc.) maintain any info about it on its website, but removing its DNS completely cannot be done for some reason. Whoever queries and sees 127.0.0.1 will understand (including based on the logs, like you did) that the resource is no longer available and will hopefully not query for it any more. As you can understand this is what they want, because if they just removed ipwhois.rfc-ignorant then you'd continue to get NXDOMAIN and would never know to stop querying for it.

---
William Leibzon mailto: [EMAIL PROTECTED]
Anti-Spam and Email Security Research Worksite: http://www.elan.net/~william/emailsecurity/
Whois & DNS Network Investigation Tools: http://www.completewhois.com
Re: [Mimedefang] setlogsock error
On Fri, 18 Feb 2005, Daniel Zachary wrote:

> When I upgraded to mimedefang 2.51 I began encountering the following error:
>
> Feb 18 14:23:17 ma2 mimedefang-multiplexor[30721]: Slave 1 stderr:
> Undefined subroutine &main::setlogsock called at
> /etc/mail/mimedefang-filter line 251.
>
> This line is:
>
>     # Log all information so we have a trail.
>     setlogsock('unix');
>     openlog( "mimedefang-filter", "pid", "local2" );
>     syslog( 'err', "Sender: $Sender, Subject: $Subject" );
>
> This line has been in the mimedefang-filter for some time. Looks like
> the Sys::Syslog module can't be found?
>
> Yet during the ./compile stage, there are comments that indicate that
> setlogsock is found and working.
>
> I can comment out the setlogsock line and then logging entries come to
> the console instead of the log file.
>
> Any ideas what we broke?

What platform are you on, w/what version of Sys::Syslog? I'm running 2.51 on Linux without any such symptoms...

--Arthur Corliss
Bolverk's Lair -- http://arthur.corlissfamily.org/
Digital Mages -- http://www.digitalmages.com/
"Live Free or Die, the Only Way to Live" -- NH State Motto
[Mimedefang] off topic: rfc-ignorant
May make a couple of people here smile (at least). The rfc-ignorant seem to be ignorant themselves. My log files are full of these:

lame server resolving '4.3.2.1.ipwhois.rfc-ignorant.org' (in 'ipwhois.rfc-ignorant.ORG'?): 127.0.0.1#53

They are delegating ipwhois.rfc-ignorant.org to localhost (127.0.0.1).

Wooohooo :-)

(OK, I haven't checked RFCs, but delegating a domain to localhost is simply plain wrong)

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>    Pollard Banknote Limited
Systems Administrator                          1499 Buffalo Place
Tel: (204) 474-2323 ext 276                    Winnipeg, MB R3T 1L7
Re: [Mimedefang] Zip --> Zip --> PIF
On Fri, 18 Feb 2005, David Eisner wrote:

> I just received an interesting virus. It's a fake bounce with an
> attachment named letter.zip. It made it through mimedefang (2.49)
> unscathed.
>
> I unzipped letter.zip, which contained a single file, named . . .
> letter.zip (kind of like Russian dolls).
> I unzipped the interior letter.zip, which contained a Letter.pif. It
> appears to be Win32.Mydoom.am (according to Kaspersky.com):
> http://www.viruslist.com/en/viruses/encyclopedia?virusid=74056
>
> Am I correct that mimedefang will not recursively unzip files when
> searching for harmful attachments?

Mimedefang may not recursively unzip attachments, but if you're using a scanner like Clamav with it, that should handle and stop viruses like that from getting through. Personally, I don't think mimedefang should even have to do that out of the box. Ideally it should just decode the original attachments and let the scanner scan the applicable archives itself. Besides, it's trivial to code your own recursive decompressor if you really need/want it.

--Arthur Corliss
Bolverk's Lair -- http://arthur.corlissfamily.org/
Digital Mages -- http://www.digitalmages.com/
"Live Free or Die, the Only Way to Live" -- NH State Motto
[Mimedefang] setlogsock error
When I upgraded to mimedefang 2.51 I began encountering the following error:

Feb 18 14:23:17 ma2 mimedefang-multiplexor[30721]: Slave 1 stderr: Undefined subroutine &main::setlogsock called at /etc/mail/mimedefang-filter line 251.

This line is:

    # Log all information so we have a trail.
    setlogsock('unix');
    openlog( "mimedefang-filter", "pid", "local2" );
    syslog( 'err', "Sender: $Sender, Subject: $Subject" );

This line has been in the mimedefang-filter for some time. Looks like the Sys::Syslog module can't be found?

Yet during the ./compile stage, there are comments that indicate that setlogsock is found and working.

I can comment out the setlogsock line and then logging entries come to the console instead of the log file.

Any ideas what we broke?

Dan Zachary
[Mimedefang] Zip --> Zip --> PIF
I just received an interesting virus. It's a fake bounce with an attachment named letter.zip. It made it through mimedefang (2.49) unscathed. I unzipped letter.zip, which contained a single file, named . . . letter.zip (kind of like Russian dolls). I unzipped the interior letter.zip, which contained a Letter.pif. It appears to be Win32.Mydoom.am (according to Kasperky.com): http://www.viruslist.com/en/viruses/encyclopedia?virusid=74056 Am I correct that mimedefang will not recursively unzip files when searching for harmful attachments? -David - D a v i d E i s n e rc r a d l e @ u m d . e d u CALCE EPSC University of Maryland ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Scary... Filtering on the outbound.
On inbound we are using the same sort of tracking - log and count the number of bad recipients from one IP as a ratio to good recipients during the envelope stage; we will discard a message before the data stage if it hits 5 bad recipients with no good ones. I think others do something similar, because I have seen the average number of recipients per message keep dropping.

During one dictionary spam run inbound to ONE of our domains we saw 538K "no such user" events in 75K messages from 24K IP addresses, with multiple messages per IP! That is only 22 recipients per IP and a little over 7 per message. That is one reason we have started using iptables to block at the interface - think of the denial of service attack 24K infected PCs could do if they were focused on one domain.

John

- Original Message -
From: "David F. Skoll" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 18, 2005 7:24 AM
Subject: Re: [Mimedefang] Scary... Filtering on the outbound.

> On Thu, 17 Feb 2005, Les Mikesell wrote:
>
>> Are you looking at the number of recipient addresses or the number
>> of messages for this test? Or does the current crop of spam-worms
>> generally send a message per recipient?
>
> Interesting point! I bet ISPs lower MaxRecipientsPerMessage to something
> like 10 or so...
>
> Regards,
>
> David.
Re: [Mimedefang] Scary... Filtering on the outbound.
We watch number of recipients and number of messages - the spammer worms seem to be sending no more than five recipients per message now.

We also keep track of the blocking history of the sending IP if inbound or real user if outbound, and scale the time we block up for repeat senders as well as becoming more sensitive. Like this:

If a user who we have not blocked in the last 30 days starts sending high spam score messages they could send a fair number before we block them, and the initial block might be for 15 minutes (we are still playing with this figure). After they are unblocked they start again, we respond faster and block for one hour. After the third block in one day we are hitting them on the FIRST message...so nothing is going out. But it is self-healing - they wait an hour and send a normal message, it goes right out.

We are also working on improving the message we send to the infected user when they are our email user - let them know it is likely a worm, include links to free scanners etc.

- Original Message -
From: "Les Mikesell" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 18, 2005 12:55 AM
Subject: Re: [Mimedefang] Scary... Filtering on the outbound.

> On Thu, 2005-02-17 at 21:47, John Scully wrote:
>> A sub could send a few emails scoring anything (could be a personal
>> porn-o-gram to someone :) but the higher the number of messages the lower
>> the average score can be to trigger blocking. Rate of transmission also
>> weights the decision - sending 100 in a few minutes is treated like
>> sending 1,000 over a longer time.
>
> Are you looking at the number of recipient addresses or the number of
> messages for this test? Or does the current crop of spam-worms generally
> send a message per recipient?
>
> --
> Les Mikesell
> [EMAIL PROTECTED]
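The two John Scully messages in this thread describe two pieces of the same policy: an envelope-stage count of unknown recipients per client IP on inbound, and on outbound a per-sender block whose tolerance shrinks and whose duration grows with each repeat in a day, healing itself once the block lapses. The following is an added example, not the poster's code and not anything in MIMEDefang: standalone Python with an injectable clock so the timing can be exercised offline. The figures (5 unknown recipients with no good one, 15 minutes then one hour, a 24-hour repeat window, the TOLERANCE steps 5/3/2/1 and a spam threshold of 5.0) are assumed values chosen to match what the thread quotes; rate of transmission is not modelled.

```python
import time
from collections import defaultdict

# Assumed thresholds, chosen to match the figures quoted in the thread
BAD_RCPT_LIMIT = 5                   # unknown users from one IP, with no good ones, before DATA
SPAM_THRESHOLD = 5.0                 # a message at or above this score counts as "high"
TOLERANCE = [5, 3, 2]                # high-scoring messages allowed before block 1, 2, 3; then 1
BLOCK_SCHEDULE = [15 * 60, 60 * 60]  # first block 15 minutes, then one hour (assumed thereafter)
REPEAT_WINDOW = 24 * 60 * 60         # blocks inside this window count as repeats


class InboundRcptTracker:
    """Envelope-stage accounting per client IP: valid versus unknown RCPT TO."""

    def __init__(self):
        self.good = defaultdict(int)
        self.bad = defaultdict(int)

    def rcpt(self, ip, user_exists):
        """Record one RCPT TO; return True if the session should be discarded
        before DATA (BAD_RCPT_LIMIT unknown users and not a single valid one)."""
        if user_exists:
            self.good[ip] += 1
        else:
            self.bad[ip] += 1
        return self.bad[ip] >= BAD_RCPT_LIMIT and self.good[ip] == 0


class OutboundThrottle:
    """Per-sender blocking that triggers sooner and lasts longer with each repeat
    inside REPEAT_WINDOW, and that heals itself once the block expires."""

    def __init__(self, now=time.time):
        self.now = now                          # injectable clock for testing
        self.blocked_until = {}                 # sender -> epoch seconds
        self.block_history = defaultdict(list)  # sender -> start times of past blocks
        self.high_count = defaultdict(int)      # high-scoring messages since last block

    def _recent_blocks(self, sender, now):
        """Forget blocks older than REPEAT_WINDOW and return how many remain."""
        recent = [t for t in self.block_history[sender] if now - t < REPEAT_WINDOW]
        self.block_history[sender] = recent
        return len(recent)

    def submit(self, sender, score):
        """Decide one outbound message from `sender`: 'accept' or 'block'."""
        now = self.now()
        if now < self.blocked_until.get(sender, 0):
            return "block"                      # still inside an active block
        if score < SPAM_THRESHOLD:
            return "accept"                     # normal mail flows once a block lapses
        self.high_count[sender] += 1
        prior = self._recent_blocks(sender, now)
        # Tolerance shrinks with each block today; once TOLERANCE is exhausted
        # the very first high-scoring message is blocked
        allowed = TOLERANCE[prior] if prior < len(TOLERANCE) else 1
        if self.high_count[sender] < allowed:
            return "accept"
        duration = BLOCK_SCHEDULE[min(prior, len(BLOCK_SCHEDULE) - 1)]
        self.blocked_until[sender] = now + duration
        self.block_history[sender].append(now)
        self.high_count[sender] = 0
        return "block"
```

Keeping the clock injectable is what makes the escalation testable: the sequence "four accepted, fifth blocked for 15 minutes, a clean message after that goes straight out, the next burst is blocked on the third message for an hour" can be replayed without waiting.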
Re: [Mimedefang] Scary... Filtering on the outbound.
On Fri, Feb 18, 2005 at 07:24:45AM -0500, David F. Skoll wrote:
> On Thu, 17 Feb 2005, Les Mikesell wrote:
>
>> Are you looking at the number of recipient addresses or the number
>> of messages for this test? Or does the current crop of spam-worms
>> generally send a message per recipient?
>
> Interesting point! I bet ISPs lower MaxRecipientsPerMessage to something
> like 10 or so...

Hah! We (xs4all, ISP) just lowered MaxRecipientsPerMessage to 100, and we had all sorts of customers complaining that their outlook would no longer process their homegrown "mailinglists" in the Bcc field. Which is a feature, of course, but the customers sometimes have trouble seeing that :)

--
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet
Re: [Mimedefang] Scary... Filtering on the outbound.
On Thu, 17 Feb 2005, Les Mikesell wrote:

> Are you looking at the number of recipient addresses or the number
> of messages for this test? Or does the current crop of spam-worms
> generally send a message per recipient?

Interesting point! I bet ISPs lower MaxRecipientsPerMessage to something like 10 or so...

Regards,

David.
Re: [Mimedefang] Quarantining msg, modifications not being saved
On Fri, 18 Feb 2005, Mack wrote:

> I'm trying to get the quarantining working properly, I have no
> problems getting the msg saved, but any modifications
> are lost, eg X-scanned-by, X-Spam-Score headers and the boilerplate

That's correct. Modifications only happen when the milter library communicates the changes back to Sendmail. If you want to save your modifications, you need to write your own modified file into the quarantine directory.

Regards,

David.
[Mimedefang] Quarantining msg, modifications not being saved
Hi all,

I'm trying to get the quarantining working properly. I have no problems getting the msg saved, but any modifications are lost, eg X-scanned-by, X-Spam-Score headers and the boilerplate.

The code I'm using in filter_end is

    if ($domboilerplateenabled==1){
        if ($domboilerplatelocation==0){
            append_text_boilerplate_at_start($entity,"$domboilerplatetext", 0);
            append_html_boilerplate_at_start($entity,"$domboilerplatehtml", 0);
        }else{
            append_text_boilerplate($entity,"$domboilerplatetext", 0);
            append_html_boilerplate($entity,"$domboilerplatehtml", 0);
        }
    }
    action_quarantine_entire_message();

Which happily saves the message, but the boilerplate is not added. (Checking the ENTIRE_MESSAGE file in the dir, it does not have the modifications either.)

When I release it with

    sendmail -oi -Am -f `cat SENDER` `cat RECIPIENTS` < ENTIRE_MESSAGE

the message is not reprocessed through MD but released straight out.

I guess I'm missing something that will rebuild the message before quarantine?

TIA
Mack
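The answer in this thread is that the quarantine copy is the message as received, because header additions and boilerplate are only applied when the milter hands them to Sendmail; to keep them you must serialise the modified message yourself. The following is an added example of that approach and is not MIMEDefang code or its Perl API (it does not use append_text_boilerplate or action_quarantine_entire_message): it is standalone Python on the standard email package that applies the headers and boilerplate locally and writes ENTIRE_MESSAGE, SENDER and RECIPIENTS into a fresh directory, so the release command quoted above re-injects the modified copy. SAMPLE_MESSAGE is a constructed input, and the header names and boilerplate text are assumed values.

```python
import email
import os
import tempfile
from email import policy

# Constructed sample standing in for the MIME entity a filter would see
SAMPLE_MESSAGE = (
    b"From: alice@example.org\n"
    b"To: bob@example.org\n"
    b"Subject: quarterly figures\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"Hello Bob, numbers attached.\n"
)


def apply_modifications(raw, extra_headers, boilerplate):
    """Parse raw bytes, add or replace headers and append boilerplate to the
    first text/plain body: the changes a milter would otherwise only request
    from the MTA, applied to our own copy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name, value in extra_headers.items():
        del msg[name]                 # replace rather than duplicate an existing header
        msg[name] = value
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content().rstrip("\r\n")
        body.set_content(text + "\n\n" + boilerplate + "\n")
    return msg


def quarantine_modified(raw, qroot, sender, recipients, extra_headers, boilerplate):
    """Write the modified message as ENTIRE_MESSAGE in a new directory under
    qroot, with SENDER and RECIPIENTS beside it. Returns the directory path."""
    msg = apply_modifications(raw, extra_headers, boilerplate)
    qdir = tempfile.mkdtemp(prefix="qdir-", dir=qroot)   # unique, mode 0700
    with open(os.path.join(qdir, "ENTIRE_MESSAGE"), "wb") as fh:
        fh.write(msg.as_bytes())
    with open(os.path.join(qdir, "SENDER"), "w") as fh:
        fh.write(sender + "\n")
    with open(os.path.join(qdir, "RECIPIENTS"), "w") as fh:
        fh.write("\n".join(recipients) + "\n")
    return qdir


def read_quarantined(qdir):
    """Read back what was written: (parsed message, sender, recipient list)."""
    with open(os.path.join(qdir, "ENTIRE_MESSAGE"), "rb") as fh:
        msg = email.message_from_bytes(fh.read(), policy=policy.default)
    with open(os.path.join(qdir, "SENDER")) as fh:
        sender = fh.read().strip()
    with open(os.path.join(qdir, "RECIPIENTS")) as fh:
        recipients = fh.read().split()
    return msg, sender, recipients


def demo():
    """Quarantine SAMPLE_MESSAGE under a temporary root and return what was saved."""
    root = tempfile.mkdtemp(prefix="quarantine-")
    qdir = quarantine_modified(
        SAMPLE_MESSAGE, root, "alice@example.org", ["bob@example.org"],
        {"X-Spam-Score": "7.5", "X-Scanned-By": "example-filter"},
        "This message was held for review.")
    msg, sender, recipients = read_quarantined(qdir)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "qdir": qdir,
        "spam_score": str(msg["X-Spam-Score"]),
        "scanned_by": str(msg["X-Scanned-By"]),
        "body": body,
        "sender": sender,
        "recipients": recipients,
    }
```

Because the saved file is now the modified message, releasing it re-injects the headers and boilerplate too; as noted in the thread, a release via sendmail from the command line is not passed back through the filter, so whatever is written here is what the recipient gets.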