Rule to detect IE exploit.
Your mileage may vary.
Will match these exploits:
Replace ttp with http (so it will slip by my scanner and McAfee).
ttp://[EMAIL PROTECTED]/malicious.html
ttp://[EMAIL PROTECTED]/malicious.html
ttp://[EMAIL PROTECTED]/malicious.html
ttp://[EMAIL PROTECTED]
ttp://[EMAIL
[EMAIL PROTECTED] said:
> About the only thing I can think of is to allow an option to quarantine
> any
> encrypted contents of an attached archive.
I covered this item a few months ago, including how to detect encrypted
files in uvscan.
Viruses are similar to biological creatures; they need to
[EMAIL PROTECTED] wrote:
I don't have any real expectation that Clam would be able to
recognize this in its JS-hta-wrapped form, now that I understand
it -- but I am interested in the idea that anyone can repackage an
existing Trojan in this way and slip by most scanners.
-royce
I have to d
On Thu, 22 Jan 2004 [EMAIL PROTECTED] wrote:
[...]
> Ah, you say - but if the .zip is encrypted, the user cannot open it either!
> Well, maybe they can and maybe they can't. The message body could include
> something like "Here's the pictures you wanted - the password to open the
> attachment i
> I don't have any real expectation that Clam would be able to
> recognize this in its JS-hta-wrapped form, now that I understand
> it -- but I am interested in the idea that anyone can repackage an
> existing Trojan in this way and slip by most scanners.
>
> -royce
I have to disagree with "most"
Hi List;
I have a question: how can I quarantine a file, e.g. one with a dangerous
extension, and exit from the function without sending a notification to the
final recipient? I checked the man page for mimedefang-filter and found
only a function to quarantine the file and send a message to the final
recipient.
Marian
--
Mari
Lucas Albers wrote:
Royce Williams wrote:
Our customer base got hit today with a virus that slipped through
via some wily obfuscation that I hadn't seen before. What it does,
in a nutshell, is a base64-encoded .hta file that has VBScript in it
to convert a long string of hex into a binary, s
Hi
I'm using mimedefang-2.39 spamassassin-2.63 clamav-0.65 file-scan-0.79
and the following tests slip through
5, 17, 18, 19 and 20
Tests 8 and 22 get through, but the attachment gets dropped because of
the extension.
Cheers
Bill
Cormack, Ken wrote:
The ones that slipped by for me were #17,#
On 1/23/04 4:29 AM, "Steven Ozoa" <[EMAIL PROTECTED]> wrote:
> We've been using MIMEDefang 2.33 for several months now, with no problems.
>
> Now I'm trying to upgrade to 2.39. It compiles and installs without errors,
> but when I start sendmail/mimedefang again I get the followin
Is there any known reason why a spam in a foreign language might get
through without seeming to get scanned for spam (no spam headers added)?
Jason Douglas
Network Support Technician
http://scopicmedia.ca/
http://scopicmedia.com/jasond/
We've been using MIMEDefang 2.33 for several months now, with no problems.
Now I'm trying to upgrade to 2.39. It compiles and installs without errors,
but when I start sendmail/mimedefang again I get the following errors in the
log:
Jan 21 15:11:48 mercury sendmail[27933]: [ID 702911 mail.info]
Alton Yu said:
> Does someone have a template on how to do this?
>
> I think this should be in the FAQ. What do you guys think?
>
> Thanks!
man mimedefang-filter lists code to do it as append_html_boilerplate.
--
Luke Computer Science System Administrator
Security Administrator, College of Engine
> Royce Williams wrote:
>> Our customer base got hit today with a virus that slipped through
>> via some wily obfuscation that I hadn't seen before. What it does,
>> in a nutshell, is a base64-encoded .hta file that has VBScript in it
>> to convert a long string of hex into a binary, store it in y
On Thu, 22 Jan 2004, Andrzej Marecki wrote:
> Hmmm. Unavailability of free slaves may be transient. Don't you think
> a possibility of making a retry could be of any good in this context?
That's true, but if your server is overloaded, queueing won't help.
> All in all, tempfailing - IMVHO - is s
Royce Williams wrote:
> Our customer base got hit today with a virus that slipped through
> via some wily obfuscation that I hadn't seen before. What it does,
> in a nutshell, is a base64-encoded .hta file that has VBScript in it
> to convert a long string of hex into a binary, store it in your
>
>> Why are there *much more* messages of this kind:
>> mfconnect: No free slaves
>> ... than messages like this:
>> All slaves are busy: Queueing request (xx queued)
>> ... in my syslog?
> Because of the way queuing works.
> When a *new* SMTP session is opened, if there are no free slaves, the
>
- Original Message -
From: "Matt Cramer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 7:13 AM
Subject: Re: [Mimedefang] implementing spamass RBL checks in MD
> On Wed, 21 Jan 2004, Lucas Albers wrote:
>
> > Matt Cramer said:
> > > The SA RBL checks make qu
On Thu, 22 Jan 2004, Andrzej Marecki wrote:
> Why are there *much more* messages of this kind:
> mfconnect: No free slaves
> ... than messages like this:
> All slaves are busy: Queueing request (xx queued)
> ... in my syslog?
Because of the way queuing works.
When a *new* SMTP session is opened,
On Thu, 22 Jan 2004, Steffen Kaiser wrote:
> could you please remove the JS-dependent search link or re-add a plain one?
A non-JS-required search is at http://www.roaringpenguin.com/search/
Regards,
David.
Hi folks.
I'm trying to use the clam Antivirus with mimedefang.
I followed the instructions at
http://sial.org/howto/mimedefang/clamav/
I configured the mimedefang-filter file as the how-to says.
mimedefang.pl has identified the clamd installed on my system.
This is my maillog:
--
Jan 21
This is something I always wanted to know (but was afraid to ask ;-).
Why are there *much more* messages of this kind:
mfconnect: No free slaves
... than messages like this:
All slaves are busy: Queueing request (xx queued)
... in my syslog?
A naive expectation is that every instance of "No f
Does someone have a template on how to do this?
I think this should be in the FAQ. What do you guys think?
Thanks!
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mai
On Wed, 21 Jan 2004, Lucas Albers wrote:
> Matt Cramer said:
> > The SA RBL checks make quite a difference to the amount of spam I catch,
> > so I wrote some code in my filter to perform the checks, score them the
> > same as SA would (given both Bayes and networking enabled), and then
> > modify
>> "LA" == Lucas Albers <[EMAIL PROTECTED]> writes:
LA> I see this in my logs:
LA> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
The only time I've seen these messages is when being scanned by
something or when testing. If you telnet to your mailserver's port 25
and disconnect without
>> "FH" == Fredrik Hansen <[EMAIL PROTECTED]> writes:
Be careful with $date stuff, since it is easy to make them mismatch
with the log's own formatting of times. I've stumbled over this kind
of issue many times.
Without actually testing I foresee your script generating false
positives without havi
Hello,
Testees: mimedefang-2.39 and mimedefang-2.33, with
MIME-tools-5.411a-RP-Patched-02.
Recently I found warnings in my logs about "Uninitialized values" of the
output triplet of message_contains_virus_fprotd().
The reason is this code snippet in mimedefang.pl, function sub
item_contains_virus
Hallo David,
could you please remove the JS-dependent search link or re-add a plain one?
Bye,
--
Steffen Kaiser