Hmmm... I'll check my logs to see if Bagle.AT is ever caught. I don't record the virus names right now, but my new beta does... so I'll test it out and see.
Yes, any examples would be cool. I'll try the zipped password-protected zip file test and see if it fails. Those crafty virus writers will stop at nothing... eh?

As for a TCP/IP service... you can do some of that if you are using EWall in front of XMail. EWall is a transparent proxy. It "listens in" on the SMTP session and can jump in and modify the conversation between the two servers at any time. For example, if the remote computer is trying to figure out your user list by doing a million RCPT TO commands... XMail doesn't seem to mind... but you can have EWall count the number of failed "RCPT TO" commands, and when it exceeds ? times, it will forcibly break the connection and add the remote computer to a blacklist (and it can be a timed blacklist... that de-lists after ? minutes/hours/days). Tons more can happen there too... as it uses any scripting language (vbscript, javascript, etc) to do all this. Feel free to check out EWall, I think you'd be pretty surprised by it.

My only complaint so far is that it can on very rare occasions switch connections... IP 1.2.3.4 connects to your server at the exact same moment as 9.8.7.6 connects. EWall can make XMail think the IP of the connection to the first computer is 9.8.7.6 and that the IP of the second is 1.2.3.4. This is because EWall uses an LSP to pass the IP address along. Without it, XMail would see all incoming connections as coming from the EWall service (127.0.0.1 if running on the same computer)... EWall doesn't have to run on the same PC... it can be a gateway... but as far as XMail knows, it thinks it is talking directly to the incoming connection. Very cool.
------------------------------------------------------------
Jason J Ellingson
Technical Consultant
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dario
Sent: Friday, November 05, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: [xmail] R: Re: R: Re: RE: Re: Spam Filters

Hi Jason,

I admit I can be wrong about decoding with f-prot's latest release; it seems fpcmd grew quite a lot in size since 3.14, and that might be an improved decoder. It's nice to hear that. Winmail.dat files have been caught by f-prot since 3.14, so I expected something new in the next release ;)

The problem with f-prot is that bagle.at is still not caught, even though it was discovered on the 29th of October. And it's not the first time I'm seeing this lack of support. When I find some examples I used for f-prot, I'll test them on 3.15b and let you know if something goes wrong. One I can tell you about right now, although very unusual for virus packaging, is: take an eicar, zip it with password protection, and zip it again.

XXencode is not used much anymore, mainly in the unix world.

Nice to hear you are coding an av filter for windows. And yes, it would be nice to have a fast production quality av filter. I think the way to go is a tcp/ip service that has auto blacklist, dns and rfc checking (pre-data) and other testing capabilities before passing data to the real av filter. But that's a long way... maybe one day ;)

Dario
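As an added illustration of the failed-RCPT-TO counter with a timed blacklist that Jason describes above (example code written for this page, not EWall's own scripting API; the threshold, the blacklist window, the IP addresses and the session log are all constructed):

```javascript
// Per-client counter of failed "RCPT TO" replies with a timed blacklist.
// A proxy sitting in front of the mail server would call onRcptReply()
// for every server reply to a RCPT TO and break the connection on "drop".
// Note: this only works if the proxy hands the real peer IP through, which
// is exactly the LSP/connection-swap caveat mentioned in the message above.
class RcptFailureGuard {
  constructor(maxFailures = 5, blacklistMs = 60 * 60 * 1000) {
    this.maxFailures = maxFailures;   // constructed threshold
    this.blacklistMs = blacklistMs;   // constructed window (1 hour)
    this.failures = new Map();        // ip -> failed RCPT TO count
    this.blacklist = new Map();       // ip -> expiry timestamp (ms)
  }

  isBlacklisted(ip, now) {
    const expiry = this.blacklist.get(ip);
    if (expiry === undefined) return false;
    if (now >= expiry) {              // timed entry has lapsed: de-list
      this.blacklist.delete(ip);
      return false;
    }
    return true;
  }

  // replyCode is the SMTP reply to RCPT TO (250 = accepted, 550 = no such user).
  // Returns "allow" (let the session continue) or "drop" (break the connection).
  onRcptReply(ip, replyCode, now) {
    if (this.isBlacklisted(ip, now)) return "drop";
    if (replyCode >= 200 && replyCode < 300) return "allow";
    const n = (this.failures.get(ip) || 0) + 1;
    this.failures.set(ip, n);
    if (n >= this.maxFailures) {
      this.blacklist.set(ip, now + this.blacklistMs);
      this.failures.delete(ip);
      return "drop";
    }
    return "allow";
  }
}

// Constructed session log: one address-harvester probing unknown recipients,
// one legitimate sender with a single typo. Each entry is [clientIp, replyCode].
const sessionLog = [
  ["203.0.113.5", 550], ["203.0.113.5", 550], ["203.0.113.5", 550],
  ["203.0.113.5", 550], ["203.0.113.5", 550], ["203.0.113.5", 250],
  ["198.51.100.7", 550], ["198.51.100.7", 250],
];

// Replays the log one second apart and returns the action taken for each reply.
function replaySession(log, guard, startMs = 0) {
  return log.map(([ip, code], i) => guard.onRcptReply(ip, code, startMs + i * 1000));
}
```

The harvester is cut off on its fifth failure and stays listed for the window; the legitimate sender's single 550 is tolerated.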