On Sun, 25 Sep 2005 at 2:09:37 +0200, Carlos E. R. wrote:
The Saturday 2005-09-24 at 22:59 +0200, Tomasz Papszun wrote:
Weird. You are using Mutt, but your email broke the thread. Something funny going on :-?
Nothing special. I forgot that this list requires not only the "From: " address, but also the "From " one to be subscribed to be able to post, and I forgot to ":set envelope_from=yes" before posting. The message bounced, so I used the copy from =sent folder, but this time forgot to manually paste the "References: " field from your message :-) .
I got some emails that I forwarded to somebody else, and his mail server antivirus said they contained html viruses:
HTML.Phishing.GB-gen
HTML.Phishing.DB-1
These are names of signatures by ClamAV.
Ah, Clamav. Interesting :-)
Indeed :-) .
Nowadays it's almost impossible to have detection of all malware/phishing, and surely entirely impossible to have it immediately. There are too many of them.
I know. I just wanted to report them, and I can't.
Abuse-like addresses and addresses for reporting malware should _not_ be protected against spam and malware - for obvious reasons.
Now, my question:
To whom do I email a sample of those viruses [...]
They are not real viruses. Just phishing messages. No need to worry too much.
But they are detected as viruses, and bounced:
| VIRUS ALERT
|
| Our content checker found
| virus: HTML.Phishing.GB-gen
| in your email to the following recipient:
| -> phishing@....org
|
| Please check your system for viruses,
| or ask your system administrator to do so.
|
| Delivery of the email was stopped!
This error message is most likely from amavis. Not from ClamAV in any case. Infected messages should not be bounced (*) and it was not ClamAV's fault that it was bounced, but of an improperly configured script.

(*) Because most worms and spams use forged sender addresses. Bouncing them is pointless and harmful as almost always the bounce goes to an innocent person.
I know they are phishing attempts, but they are also viruses. The one above contains javascript code.
The idea is that an organization here is keen on being sent phishing attempts, so they can investigate the emails;
So they should not filter messages addressed to the account for receiving phishing messages. In amavisd-new one can easily "whitelist" such recipients.
they forward the bad ones to the authorities and the banks involved, closing the faked web sites as soon as possible. I know they get results, some of those web pages have been closed already.
The snag is that some of those phishing attempts, those in German, are bounced by the virus scanner of their mail service, and I have to remail inside a zip file with password. If my antivirus detected them, it would save some time. That's why I wanted to report them to H+BEDV, but the email I had bounced (no such user, I think), and I couldn't find an address at their web page, which is confusing, anyhow.
At http://www.antivir.de/en/support/suspicious_files/index.html there is a form for uploading suspicious files. There is also the email address listed there for that purpose: virus@antivir.de . BTW, the ClamAV's form for such purpose is at http://www.clamav.net/sendvirus.html .
On the other hand, if they are really only phishing attempts, not viruses (despite the javascript code), then this organization has got to talk to their mail host admin so that some viruses do not get blocked.
Right.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek at lodz.tpsa.pl   http://www.lodz.tpsa.pl/iso/   | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner
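
The two points made in the reply above (infected mail should not be bounced to the sender, and the phishing-report recipient should be exempted in amavisd-new) could look like this in amavisd.conf. This is an added example, not part of the original message or of any configuration mentioned in the thread; the recipient address is a placeholder.

```perl
# amavisd.conf fragment (the file is Perl). Added example, not from the thread.
# phishing-reports@example.org is a placeholder for the reporting mailbox.

# When a virus is detected, drop the message instead of sending a
# non-delivery notice to the envelope sender, which is usually forged.
# D_BOUNCE is the setting that sends such notices to uninvolved people.
$final_virus_destiny = D_DISCARD;    # rather than D_BOUNCE

# Recipients matched here still have their mail scanned, but a message
# flagged as infected is delivered to them anyway.
@virus_lovers_maps = (
    [ 'phishing-reports@example.org' ],
);

# Alternative: skip virus scanning altogether for that recipient.
# @bypass_virus_checks_maps = (
#     [ 'phishing-reports@example.org' ],
# );
```

With the first map the scan result is still logged for the exempted recipient; with the second the message is never handed to the scanner at all.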