Mailinglist Archive: opensuse-security (116 mails)

Re: [suse-security] Virus detecting
  • From: Tomasz Papszun <tomek-suse-sec@xxxxxxxxxxxx>
  • Date: Sun, 25 Sep 2005 03:25:44 +0200
  • Message-id: <20050925012544.GE31418@xxxxxxxxxxxx>
On Sun, 25 Sep 2005 at 2:09:37 +0200, Carlos E. R. wrote:
> The Saturday 2005-09-24 at 22:59 +0200, Tomasz Papszun wrote:
>
> Weird. You are using Mutt, but your email broke the thread. Something
> funny going on :-?

Nothing special. I forgot that this list requires not only the "From: "
address, but also the "From " one to be subscribed to be able to post,
and I forgot to ":set envelope_from=yes" before posting. The message
bounced, so I used the copy from =sent folder, but this time forgot to
manually paste the "References: " field from your message :-) .

> > > I got some emails that I forwarded to somebody else, and his mail server
> > > antivirus said they contained html viruses:
> > >
> > > HTML.Phishing.GB-gen
> > > HTML.Phishing.DB-1
> >
> > These are names of signatures by ClamAV.
>
> Ah, Clamav. Interesting :-)

Indeed :-) .

> > Nowadays it's almost impossible to have detection of all
> > malware/phishing, and surely entirely impossible to have it immediately.
> > There are too many of them.
>
> I know. I just wanted to report them, and I can't.

Abuse-like addresses and addresses for reporting malware should _not_ be
protected against spam and malware - for obvious reasons.

> > > Now, my question:
> > >
> > > To whom do I email a sample of those viruses [...]
> >
> > They are not real viruses. Just phishing messages. No need to worry too
> > much.
>
> But they are detected as viruses, and bounced:
>
> | VIRUS ALERT
> |
> | Our content checker found
> | virus: HTML.Phishing.GB-gen
> | in your email to the following recipient:
> | -> phishing@....org
> |
> | Please check your system for viruses,
> | or ask your system administrator to do so.
> |
> | Delivery of the email was stopped!

This error message is most likely from amavis. Not from ClamAV in any
case. Infected messages should not be bounced (*) and it was not ClamAV's
fault that it was bounced, but that of an improperly configured script.

(*) Because most worms and spams use forged sender addresses. Bouncing
them is pointless and harmful, as almost always the bounce goes to an
innocent person.

> I know they are phishing attempts, but they are also viruses. The one above
> contains javascript code.
>
> The idea is that an organization here is keen on being sent phishing
> attempts, so they can investigate the emails;

So they should not filter messages addressed to the account for
receiving phishing messages. In amavisd-new one can easily "whitelist"
such recipients.

> they forward the bad ones to
> the authorities and the banks involved, closing the faked web sites as
> soon as possible. I know they get results, some of those web pages have
> been closed already.
>
> The snag is that some of those phishing attempts, those in German, are
> bounced by the virus scanner of their mail service, and I have to remail
> inside a zip file with password. If my antivirus detected them, it would
> save some time. That's why I wanted to report them to H+BEDV, but the
> email I had bounced (no such user, I think), and I couldn't find an
> address at their web page, which is confusing, anyhow.

At http://www.antivir.de/en/support/suspicious_files/index.html there
is a form for uploading suspicious files. There is also an email address
listed there for that purpose: virus@xxxxxxxxxx .

BTW, the ClamAV's form for such purpose is at
http://www.clamav.net/sendvirus.html .

> On the other hand, if they are really only phishing attempts, not viruses
> (despite the javascript code), then this organization has got to talk to
> their mail host admin so that some viruses do not get blocked.

Right.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner
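An added example, not part of the thread: the amavisd.conf settings (amavisd.conf is Perl) that implement the two points made above, no bounces for detected malware and a whitelisted mailbox for collecting phishing samples. The recipient address phishing@example.org is a placeholder, and the variable names assume a 2.x-era amavisd-new.

```perl
# amavisd.conf excerpt (Perl syntax).  Added example; names assume amavisd-new 2.x.

# Weak setting: the "VIRUS ALERT ... Delivery of the email was stopped!"
# message in the thread is what a bounce looks like.
#   $final_virus_destiny = D_BOUNCE;
# Corrected: discard detected malware silently.  Worm and spam sender
# addresses are usually forged, so a bounce would only hit a third party.
$final_virus_destiny = D_DISCARD;
$warnvirussender     = 0;   # no "you sent a virus" notices to the (forged) sender

# Whitelist the phishing-collection mailbox: messages addressed to it are
# delivered even when the scanner flags them (placeholder address).
@virus_lovers_maps = (\%virus_lovers, \@virus_lovers_acl, \$virus_lovers_re);
@virus_lovers_acl  = qw( phishing@example.org );
```

The sample still gets scanned and logged; only the final action for that recipient changes, so the ClamAV signature name remains visible in the amavis log for the people investigating the report.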
