Re: [suse-security] Virus detecting
On Sat, 24 Sep 2005 at 21:40:07 +0200, Carlos E. R. wrote:
I got some emails that I forwarded to somebody else, and his mail server antivirus said they contained html viruses:
HTML.Phishing.GB-gen HTML.Phishing.DB-1
These are names of signatures by ClamAV. [...]
Also, it should detect the virus in the files where I saved them, but it doesn't.
Now, I'm not worried about those viruses damaging my system (I use Pine as MUA), but about the amavis+antivir setup not warning me about them when I try to forward them as emails (I have a friend that is interested in those emails).
Nowadays it's almost impossible to have detection of all malware/phishing, and surely entirely impossible to have it immediately. There are too many of them.
Now, my question:
To whom do I email a sample of those viruses [...]
They are not real viruses. Just phishing messages. No need to worry too much.

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner

The Saturday 2005-09-24 at 22:59 +0200, Tomasz Papszun wrote:
Weird. You are using Mutt, but your email broke the thread. Something funny going on :-?
I got some emails that I forwarded to somebody else, and his mail server antivirus said they contained html viruses:
HTML.Phishing.GB-gen HTML.Phishing.DB-1
These are names of signatures by ClamAV.
Ah, Clamav. Interesting :-)
Nowadays it's almost impossible to have detection of all malware/phishing, and surely entirely impossible to have it immediately. There are too many of them.
I know. I just wanted to report them, and I can't.
Now, my question:
To whom do I email a sample of those viruses [...]
They are not real viruses. Just phishing messages. No need to worry too much.
But they are detected as viruses, and bounced:

| VIRUS ALERT
|
| Our content checker found
| virus: HTML.Phishing.GB-gen
| in your email to the following recipient:
| -> phishing@....org
|
| Please check your system for viruses,
| or ask your system administrator to do so.
|
| Delivery of the email was stopped!

I know they are phishing attempts, but they are also viruses. The one above contains javascript code.

The idea is that an organization here is keen in being sent phishing attempts, so they can investigate the emails; they forward the bad ones to the authorities and the banks involved, closing the faked web sites as soon as possible. I know they get results, some of those web pages have been closed already.

The snag is that some of those phishing attempts, those in German, are bounced by the virus scanner of their mail service, and I have to remail inside a zip file with password. If my antivirus detected them, it would save some time. That's why I wanted to report them to H+BEDV, but the email I had bounced (no such user, I think), and I couldn't find an address at their web page, which is confusing, anyhow.

On the other hand, if they are really only phishing attempts, not viruses (despite the javascript code), then this organization has got to talk to their mail host admin so that some viruses do not get blocked.

-- 
Cheers,
Carlos Robinson
On Sun, 25 Sep 2005 at 2:09:37 +0200, Carlos E. R. wrote:
The Saturday 2005-09-24 at 22:59 +0200, Tomasz Papszun wrote:
Weird. You are using Mutt, but your email broke the thread. Something funny going on :-?
Nothing special. I forgot that this list requires not only the "From: " address, but also the "From " one to be subscribed to be able to post, and I forgot to ":set envelope_from=yes" before posting. The message bounced, so I used the copy from =sent folder, but this time forgot to manually paste the "References: " field from your message :-) .
I got some emails that I forwarded to somebody else, and his mail server antivirus said they contained html viruses:
HTML.Phishing.GB-gen HTML.Phishing.DB-1
These are names of signatures by ClamAV.
Ah, Clamav. Interesting :-)
Indeed :-) .
Nowadays it's almost impossible to have detection of all malware/phishing, and surely entirely impossible to have it immediately. There are too many of them.
I know. I just wanted to report them, and I can't.
Abuse-like addresses and addresses for reporting malware should _not_ be protected against spam and malware - for an obvious reason.
Now, my question:
To whom do I email a sample of those viruses [...]
They are not real viruses. Just phishing messages. No need to worry too much.
But they are detected as viruses, and bounced:

| VIRUS ALERT
|
| Our content checker found
| virus: HTML.Phishing.GB-gen
| in your email to the following recipient:
| -> phishing@....org
|
| Please check your system for viruses,
| or ask your system administrator to do so.
|
| Delivery of the email was stopped!

This error message is most likely from amavis. Not from ClamAV in any case. Infected messages should not be bounced (*) and it was not ClamAV's fault that it was bounced, but of an improperly configured script.

(*) Because most worms and spams use forged sender addresses. Bouncing them is pointless and harmful as almost always the bounce goes to an innocent person.

I know they are phishing attempts, but they are also viruses. The one above contains javascript code.
The idea is that an organization here is keen in being sent phishing attempts, so they can investigate the emails;
So they should not filter messages addressed to the account for receiving phishing messages. In amavisd-new one can easily "whitelist" such recipients.
they forward the bad ones to the authorities and the banks involved, closing the faked web sites as soon as possible. I know they get results, some of those web pages have been closed already.
The snag is that some of those phishing attempts, those in German, are bounced by the virus scanner of their mail service, and I have to remail inside a zip file with password. If my antivirus detected them, it would save some time. That's why I wanted to report them to H+BEDV, but the email I had bounced (no such user, I think), and I couldn't find an address at their web page, which is confusing, anyhow.
At http://www.antivir.de/en/support/suspicious_files/index.html there is a form for uploading suspicious files. There is also the email address listed there for that purpose: virus@antivir.de . BTW, ClamAV's form for such purpose is at http://www.clamav.net/sendvirus.html .
On the other hand, if they are really only phishing attempts, not viruses (despite the javascript code), then this organization has got to talk to their mail host admin so that some viruses do not get blocked.
Right.

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner

The Sunday 2005-09-25 at 03:25 +0200, Tomasz Papszun wrote:
On Sun, 25 Sep 2005 at 2:09:37 +0200, Carlos E. R. wrote:
The Saturday 2005-09-24 at 22:59 +0200, Tomasz Papszun wrote:
Weird. You are using Mutt, but your email broke the thread. Something funny going on :-?
Nothing special. I forgot that this list requires not only the "From: " address, but also the "From " one to be subscribed to be able to post, and I forgot to ":set envelope_from=yes" before posting. The message bounced, so I used the copy from =sent folder, but this time forgot to manually paste the "References: " field from your message :-) .
X'-) I see. What I do in those cases is reply, again, to the poster, but inserting the text from the sent email I copied to a file first.
These are names of signatures by ClamAV.
Ah, Clamav. Interesting :-)
Indeed :-) .
Yes, because I could not guess what antivirus they were using. It also means that they probably may be using Linux at the mail server, and that is way more interesting for this organization in particular, that I thought to be Windows users ;-) It also means that clamav is better than what I thought, and I must look at it more carefully.
This error message is most likely from amavis. Not from ClamAV in any case. Infected messages should not be bounced (*) and it was not ClamAV's fault that it was bounced, but of an improperly configured script.
(*) Because most worms and spams use forged sender addresses. Bouncing them is pointless and harmful as almost always the bounce goes to an innocent person.
Amavis has a list of viruses known for forging the sender address, and doesn't bounce in that case. In any case, the bounce doesn't contain the full message with the virus load, but only the headers. I have mine configured to never bounce. Took some convincing. In this case, the bounce served the purpose of making me notice the problem, and resend attaching the problem email inside a zip archive with password.
I know they are phishing attempts, but they are also viruses. The one above contains javascript code.
The idea is that an organization here is keen in being sent phishing attempts, so they can investigate the emails;
So they should not filter messages addressed to the account for receiving phishing messages. In amavisd-new one can easily "whitelist" such recipients.
Yes, they call it "virus_lovers" in amavis.conf
At http://www.antivir.de/en/support/suspicious_files/index.html there is a form for uploading suspicious files. There is also the email address listed there for that purpose: virus@antivir.de .
AH, thanks, I didn't see it.
BTW, ClamAV's form for such purpose is at http://www.clamav.net/sendvirus.html .
Good :-)

-- 
Cheers,
Carlos Robinson
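For readers setting this up themselves, the two amavisd-new settings the thread turns on (never bouncing detected mail, and delivering to the phishing-reporting mailbox unfiltered via the "virus lovers" lookup) look like this in amavisd.conf. This is an added example, not either poster's configuration; the mailbox address is a placeholder, and the setting names beyond virus_lovers are the ones amavisd-new documents, assumed here from its standard config.

```perl
# amavisd.conf fragment (amavisd-new reads its config as Perl).
# Constructed example; phishing@example.org is a placeholder mailbox.

# Weak setting behind the "VIRUS ALERT" bounce quoted in the thread:
# amavis bounces infected mail to the sender, which is usually forged.
#   $final_virus_destiny = D_BOUNCE;

# Corrected: drop detected mail silently and never notify the sender.
$final_virus_destiny = D_DISCARD;
$warnvirussender     = 0;

# Recipients who want virus/phishing samples delivered unfiltered
# (the "virus lovers" Carlos mentions). Keys are lowercase addresses.
@virus_lovers_maps = (
  { 'phishing@example.org' => 1 },   # placeholder reporting mailbox
);
```

With the map in place, mail to the listed address still gets scanned and logged, but the virus verdict no longer blocks delivery to it.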