Posted to users@spamassassin.apache.org by Hendrik Helmvoigt <he...@helmvoigt.com> on 2007/07/23 03:35:41 UTC

Now its zip attachments ^^

This night it seems like we're being spammed again by xml documents, 
but this time neatly packed into a zipfile:

I'm really excited what's going to happen next. Maybe psd files embedded 
in pdf and then rar'ed.

And I'd still like to meet the person that goes through all that trouble 
to read that spam, and then performs the action that the spammer wants 
from him.

arni

Re: Now its zip attachments ^^

Posted by "archive@netcore.co.in" <ar...@netcore.co.in>.
On Mon, 2007-07-23 at 03:35 +0200, Hendrik Helmvoigt wrote:
> This night it seems like we're being spammed again by xml documents, 
> but this time neatly packed into a zipfile:
> 
> I'm really excited what's going to happen next. Maybe psd files embedded 
> in pdf and then rar'ed.
> 
> And I'd still like to meet the person that goes through all that trouble 
> to read that spam, and then performs the action that the spammer wants 
> from him.
> 
You are right in that. I don't think spammers are getting any positive
hits.  Probably the spammer of today no longer wishes to reach the end
user with such mails.

IMHO it is either that

1) Spammers just want to exasperate the smaller spam filter providers by
sending worthless spam. I have heard so many times the stupid
declaration that spamassassin is "useless".


2) The Anti-spam giants (with so many takeovers very few players left
now) are funding these spammers for obvious reasons.



> arni

RE: Now its zip attachments ^^

Posted by Skip Brott <sb...@dmp.com>.
Not sure I agree about banning all attachments, but I would like to ban all
email with fonts as BIG as people can find and those which use any kind of
background stationery.


Re: Now its zip attachments ^^

Posted by Jerry Durand <jd...@interstellar.com>.
On Sun, July 22, 2007 6:47 pm, John Rudd wrote:
> For multi-lingual reasons, just allow plain ascii or unicode, and throw
> away any messages with any body types other than that.

I'd like to ban all those people who write in the tiniest font they can
find.  Then there's my one brother who always has the dancing bears, etc.
in his messages.  I tend to reply with bright green on yellow.  :)

-- 
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California USA
tel:  +1 408 356-3886, USA toll free:  1 866 356-3886
web:  www.interstellar.com, skype:  jerrydurand




Re: Now its zip attachments ^^

Posted by Robert Schetterer <ro...@schetterer.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Schetterer wrote:
> Matus UHLAR - fantomas wrote:
>>> Hendrik Helmvoigt wrote:
>>>> This night it seems like we're being spammed again by xml documents, 
>>>> but this time neatly packed into a zipfile:
>>>>
>>>> I'm really excited what's going to happen next. Maybe psd files embedded 
>>>> in pdf and then rar'ed.
>>>>
>>>> And I'd still like to meet the person that goes through all that trouble 
>>>> to read that spam, and then performs the action that the spammer wants 
>>>> from him.
>> On 22.07.07 18:47, John Rudd wrote:
>>> As I've said for years: we should just ban attachments.  They're not 
>>> really useful for anything that can't be done a better way.  Which only 
>>> leaves them being useful for attacks of one form or another.
>> some people just want, some just need attachments. I think that if a filter
>> (word plugin is used with different meaning in SA) would preprocess/convert
>> those attachments to text, SA could just run standard rules over it and
>> catch unwelcome words, do BAYES check over it, etc etc.
> 
>> So the words "dear winner" would match no matter if stored in text, HTML,
>> .doc (tnef), gif or pdf ... 
> 
>> Is there any such plan for SA?
> Hi all,
> meanwhile
> http://sanesecurity.co.uk/clamav/
> also catches this zip spam

I forgot: read the story here

http://sanesecurity.blogspot.com/2007/07/from-pdf-to-xls-to-zipped-xls-stock.html

and thanks to Steve for his work

- --
With kind regards
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGpHGXfGH2AvR16oERAtV7AJ4+brYiSRH6Vw2lPVhJyKQ5tmUhlgCfWk77
QiSPZGpUdTKEWesgbfVh7So=
=W6Xw
-----END PGP SIGNATURE-----


Re: Now its zip attachments ^^

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 24.07.07 08:57, Kelson wrote:
> Over here we use MIMEDefang as the glue to tie SpamAssassin, Clamd, etc. 
> together.  MD filters are very customizable (if you can write it in 
> Perl, you can put it in a MD filter). After our filter calls clamd, we 
> check the name of the matching signature against a regexp.  We only 
> actually drop messages that trip on known mass-mailer signatures (most 
> of them have "worm" or "@mm" in the name, depending on who first named 
> it), and the rest are rejected.

This is sick. Why not reject all viruses, independently of what they do?
Why not let the sender deal with the rejection? Either the sending server
will generate bounces (and the admin learns to install antivirus) or the
sending bot will not have its mail accepted.

I know that there were recommendations in the past "not to send notification
to the sender, when the virus name contained '@mm'" but they were invalid
for more than one reason. And they were about _notifications_ to "senders".

Never notify the sender or receiver about the virus. Senders are in most
cases fake and the receivers do not want to know that a whole spambot army
started sending them viruses.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Quantum mechanics: The dreams stuff is made of. 

Re: Now its zip attachments ^^

Posted by Kelson <ke...@speed.net>.
John Rudd wrote:
> Chr. v. Stuckrad wrote:
>> I have a 'political problem' with that.  We 'drop' known viruses into
>> a quarantine directory without further notice, and only once in years
>> somebody complained and wanted his virus back :-)
> 
> You could even do it as 5 different instances (1 for base clamav sigs, 1 
> for each of the signature files from sanesecurity, 1 for each of the 
> signature files from msrbl), and mark them accordingly.

Over here we use MIMEDefang as the glue to tie SpamAssassin, Clamd, etc. 
together.  MD filters are very customizable (if you can write it in 
Perl, you can put it in a MD filter). After our filter calls clamd, we 
check the name of the matching signature against a regexp.  We only 
actually drop messages that trip on known mass-mailer signatures (most 
of them have "worm" or "@mm" in the name, depending on who first named 
it), and the rest are rejected.

For those who only want to run one instance of clamd, it's easy enough 
to do the same thing to separate "real" viruses from spam signatures by 
looking for "sanesecurity" or "msrbl".

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
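
The name-based split Kelson describes (third-party spam signatures feed the score, known mass-mailer hits are dropped, everything else is rejected), as an added example in Python; it is not Kelson's Perl MIMEDefang filter and not code from the thread. The signature names and the scan output are constructed for illustration; the `<path>: <signature> FOUND` / `<path>: OK` line shape is the one clamdscan prints, and the summary lines are skipped.

```python
import re

# Third-party spam/scam feeds put their name inside the signature. A hit
# here means "spam", not "infected": hand it to SpamAssassin as a score
# instead of treating the whole message as a virus.
SPAM_FEED = re.compile(r"sanesecurity|msrbl", re.IGNORECASE)

# Mass-mailer worms forge the envelope sender, so a reject (or a bounce
# generated upstream) only lands on an innocent third party: discard silently.
MASS_MAILER = re.compile(r"worm|@mm", re.IGNORECASE)

# clamdscan reports one "<path>: <signature> FOUND" line per infected file
# and "<path>: OK" per clean file; anything else (summary block) is ignored.
SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")

# Most to least severe; used to collapse per-part results to one verdict.
SEVERITY = {"drop": 3, "reject": 2, "score": 1, "ok": 0}


def classify_signature(name):
    """Map a ClamAV signature name to 'score', 'drop' or 'reject'."""
    if SPAM_FEED.search(name):
        return "score"
    if MASS_MAILER.search(name):
        return "drop"
    return "reject"  # any other signature is a real virus: refuse at SMTP time


def parse_scan_output(text):
    """Turn clamdscan output into {path: (action, signature_or_None)}."""
    results = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue  # "Infected files: 2" and the dashed summary are skipped
        sig = m.group("sig")
        action = classify_signature(sig) if sig else "ok"
        results[m.group("path")] = (action, sig)
    return results


def message_verdict(text):
    """One verdict for a whole message: the most severe per-part action."""
    parts = parse_scan_output(text)
    if not parts:
        return "ok"
    return max((action for action, _ in parts.values()),
               key=SEVERITY.__getitem__)


# Constructed clamdscan output for one message whose parts were unpacked
# into a spool directory; paths and signature names are made up.
SAMPLE_SCAN_OUTPUT = """\
/var/spool/filter/msg1/body.txt: OK
/var/spool/filter/msg1/report.zip: Email.Spam.Sanesecurity.1234 FOUND
/var/spool/filter/msg1/logo.gif: MSRBL-Images.5678 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
"""

if __name__ == "__main__":
    for path, (action, sig) in parse_scan_output(SAMPLE_SCAN_OUTPUT).items():
        print(f"{action:7} {path}  {sig or ''}")
    print("verdict:", message_verdict(SAMPLE_SCAN_OUTPUT))
```

The order of the two checks matters: the feed names are tested first so that a spam signature is never mistaken for a mass-mailer, and only names that match neither are treated as an infection worth an SMTP-time reject. Collapsing to the most severe action means a message carrying both a spam-feed hit and a worm is dropped, not scored.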

Re: Now its zip attachments ^^

Posted by John Rudd <jr...@ucsc.edu>.
Chr. v. Stuckrad wrote:
> On Mon, 23 Jul 2007, John Scully wrote:
> 
>>        ...               After adding the sanesecurity sigs to clamd last
>> week not one PDF has made it through.  And since clamd unpacks and examines
>> every attachment anyway it is no additional load.  In fact, due to the
>> messages not hitting SA it probably reduced load slightly.
> 
> I have a 'political problem' with that.  We 'drop' known viruses into
> a quarantine directory without further notice, and only once in years
> somebody complained and wanted his virus back :-)
> 
> We *only* TAG spam with headers, then users decide to drop, move, or read it.
> 
> So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
> not as 'our spam', which I'm not allowed to destroy.
> 
> Did any of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs?  Does that
> sound feasible?


The clamav helper I'm working on for CommuniGate Pro can do exactly 
that.  You could have:

a) clamav #1 running with regular signatures, detecting viruses and 
phishing, rejecting them or adding a set of headers that say "this is a 
virus".

b) clamav #2 running against 3rd party scanners, and generating 
different headers that say "this is something else".


You could even do it as 5 different instances (1 for base clamav sigs, 1 
for each of the signature files from sanesecurity, 1 for each of the 
signature files from msrbl), and mark them accordingly.


I have no idea if anyone is doing something similar for other clamav 
mechanisms.


Re: Now its zip attachments ^^

Posted by Sven Schuster <sc...@gmx.de>.
hi,

On Mon, Jul 23, 2007 at 10:13:22PM +0200, Matthias Keller told us:
> Using amavisd-new...

actually, with amavisd-new, you can treat virus names in a special
way via regexes, so that it doesn't get recognized as a virus, but
instead you can add extra points to the spamassassin score.
This feature is available from version 2.5.0 (IIRC), look at
@virus_name_to_spam_score_maps, e.g.

  @virus_name_to_spam_score_maps =
    (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
             [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'        => undef ],
             [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'     => 0.1 ],
           # [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
           #       (\.[^., ]*)* \.Sanesecurity\.'x => 0.1 ],
             [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'   => 0.1 ],
    ));


Sven


-- 
Linux zion.homelinux.com 2.6.20-1.2962.fc6xen #1 SMP Tue Jun 19 19:47:34 EDT 2007 i686 athlon i386 GNU/Linux
 23:10:18 up 13 days,  9:53,  1 user,  load average: 0.09, 0.42, 0.55

Re: Now its zip attachments ^^

Posted by Matthias Keller <li...@matthias-keller.ch>.
Chr. v. Stuckrad wrote:
> On Mon, 23 Jul 2007, John Scully wrote:
>
>   
>>        ...               After adding the sanesecurity sigs to clamd last
>> week not one PDF has made it through.  And since clamd unpacks and examines
>> every attachment anyway it is no additional load.  In fact, due to the
>> messages not hitting SA it probably reduced load slightly.
>>     
>
> I have a 'political problem' with that.  We 'drop' known viruses into
> a quarantine directory without further notice, and only once in years
> somebody complained and wanted his virus back :-)
>
> We *only* TAG spam with headers, then users decide to drop, move, or read it.
>
> So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
> not as 'our spam', which I'm not allowed to destroy.
>
> Did any of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs?  Does that
> sound feasible? 
What I did for nearly the same reason is:
Using amavisd-new which scans ONLY the attachments - which is OK for me, 
when these PDFs get treated as a virus.
But I didn't want the other (especially scam, spam and stuff) rules to 
treat the mail as a virus...
So I added the clamplugin to SA which receives the WHOLE mail and sorts 
out the rest then...

This is configurable in amavisd-new if you want to hand the full mail to 
clamav or only the attachments - this solved the problem for me.
If you want it to be more separate, you'll have to run two clamav 
instances which isn't that hard either but uses a bit more resources...
You basically just need a separate startup script and a second directory 
with the signatures and a config file pointing to them - I vaguely 
remember having seen instructions for such a setup somewhere on msrbl or 
sanesecurity if I'm not mistaken.

Matt

Re: Now its zip attachments ^^

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 23 Jul 2007, Chr. v. Stuckrad wrote:

> On Mon, 23 Jul 2007, John Scully wrote:
>
> >        ...               After adding the sanesecurity sigs to clamd last
> > week not one PDF has made it through.  And since clamd unpacks and examines
> > every attachment anyway it is no additional load.  In fact, due to the
> > messages not hitting SA it probably reduced load slightly.
>
> I have a 'political problem' with that.  We 'drop' known viruses into
> a quarantine directory without further notice, and only once in years
> somebody complained and wanted his virus back :-)
>
> We *only* TAG spam with headers, then users decide to drop, move, or read it.
>
> So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
> not as 'our spam', which I'm not allowed to destroy.
>
> Did any of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs?  Does that
> sound feasible?
>
> Stucki

Doing exactly that here, easily done.

Create two instances of "clamd" (same binary, different config files
with different "DatabaseDirectory"s). First instance has only standard
AV sigs, second "DatabaseDirectory" has all supplemental sigs.

One trick, in the second "DatabaseDirectory" make 'daily.inc' and
'main.inc' be soft-links pointing to the real subdirectories in the
first "DatabaseDirectory". That way you only need to run one instance
of freshclam to keep everything up to date for the standard ClamAV sigs.


Install the ClamAVPlugin in your SA, configure it to 'talk' to the second
clamd instance, score appropriately.

You can then also try out the experimental anti-phishing features
in the second clamd instance with less risk of losing messages.

More details upon request.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
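
Dave's two-directory layout, as an added example in Python rather than the shell commands he would have typed; nothing here is from the thread or from ClamAV's own tooling. It assumes the stock databases exist as unpacked `main.inc`/`daily.inc` directories (the layout the post refers to), that the supplemental Sanesecurity/MSRBL files are placed in the second directory by whatever update script you already run, and the instance name and socket/pid/log paths are made-up defaults you would change.

```python
import re
import tempfile
from pathlib import Path

# clamd.conf directives that must differ between two instances on one host.
PER_INSTANCE = ("DatabaseDirectory", "LocalSocket", "PidFile", "LogFile")
# Stock databases freshclam maintains in the primary directory.
STOCK_DBS = ("main.inc", "daily.inc")


def make_supplemental_dbdir(primary, second):
    """Create SECOND and soft-link the stock databases from PRIMARY into it.

    Supplemental signature files go into SECOND only; the stock sets are
    shared through the links, so a single freshclam run refreshes both.
    """
    primary, second = Path(primary).resolve(), Path(second)
    second.mkdir(parents=True, exist_ok=True)
    for db in STOCK_DBS:
        target = primary / db
        if not target.exists():
            raise FileNotFoundError(f"stock database missing: {target}")
        link = second / db
        if link.is_symlink():
            link.unlink()           # refresh a stale link
        elif link.exists():
            raise FileExistsError(f"{link} is a real directory, not a link")
        link.symlink_to(target, target_is_directory=True)
    return second


def second_instance_conf(primary_conf_text, dbdir, instance="clamd-spam",
                         run_dir="/var/run/clamav", log_dir="/var/log/clamav"):
    """Derive the second instance's clamd.conf from the primary one.

    Per-instance directives are dropped from the template and re-added with
    instance-specific values; limits, user and archive handling are inherited.
    """
    per_instance = re.compile(r"^\s*(?:%s)\b" % "|".join(PER_INSTANCE))
    lines = [l for l in primary_conf_text.splitlines() if not per_instance.match(l)]
    lines += [
        f"DatabaseDirectory {dbdir}",
        f"LocalSocket {run_dir}/{instance}.sock",   # assumed path
        f"PidFile {run_dir}/{instance}.pid",        # assumed path
        f"LogFile {log_dir}/{instance}.log",        # assumed path
    ]
    return "\n".join(lines) + "\n"


def shares_stock_databases(primary, second):
    """True when every stock database in SECOND resolves into PRIMARY."""
    primary = Path(primary).resolve()
    return all((Path(second) / db).is_symlink()
               and (Path(second) / db).resolve() == primary / db
               for db in STOCK_DBS)


def demo_layout():
    """Build the layout under a temporary directory and report the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "clamav"            # what freshclam maintains
        for db in STOCK_DBS:                      # stand-ins for the .inc dirs
            (primary / db).mkdir(parents=True)
        second = make_supplemental_dbdir(primary, Path(tmp) / "clamav-spam")
        # A supplemental signature file lives only in the second directory.
        (second / "phish.ndb").write_text("# constructed placeholder\n")
        conf = second_instance_conf(
            "User clamav\nLocalSocket /var/run/clamav/clamd.sock\n"
            "DatabaseDirectory /var/lib/clamav\nMaxThreads 20\n", second)
        return {
            "stock_dbs_shared": shares_stock_databases(primary, second),
            "supplemental_only_in_second": not (primary / "phish.ndb").exists(),
            "conf_points_at_second": f"DatabaseDirectory {second}" in conf,
            "conf_inherits_limits": "MaxThreads 20" in conf,
            "conf_has_one_socket": conf.count("LocalSocket ") == 1,
        }


if __name__ == "__main__":
    for check, ok in demo_layout().items():
        print("ok  " if ok else "FAIL", check)
```

`shares_stock_databases` is the check worth running after each freshclam update: a link that no longer resolves means the second instance is silently matching on stale stock signatures while still looking healthy.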

Re: Now its zip attachments ^^

Posted by Jonas Eckerman <jo...@frukt.org>.
Chr. v. Stuckrad wrote:

> Did any of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs?

I'm running two instances of clamd in our mail gateway.

One instance has the stock signatures (minus phishing sigs) and 
is used before SpamAssassin. If this hits, the mail is silently 
quarantined.

The other instance has the SaneSecurity and Malware sigs loaded 
as well as the stock phishing sigs and triggers on some stuff 
the normal instance doesn't. This is used by SpamAssassin using 
the ClamAV plugin so it just contributes to the SA score.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/


Re: Now its zip attachments ^^

Posted by "Chr. v. Stuckrad" <st...@mi.fu-berlin.de>.
On Mon, 23 Jul 2007, John Scully wrote:

>        ...               After adding the sanesecurity sigs to clamd last
> week not one PDF has made it through.  And since clamd unpacks and examines
> every attachment anyway it is no additional load.  In fact, due to the
> messages not hitting SA it probably reduced load slightly.

I have a 'political problem' with that.  We 'drop' known viruses into
a quarantine directory without further notice, and only once in years
somebody complained and wanted his virus back :-)

We *only* TAG spam with headers, then users decide to drop, move, or read it.

So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
not as 'our spam', which I'm not allowed to destroy.

Did any of you create an extra 'instance' of clamad-filter to fight
spam with spam-sigs only, without scanning for virus-sigs?  Does that
sound feasible?
 
Stucki

Re: Now its zip attachments ^^

Posted by John Scully <js...@isipi.com>.
I have to mention how pleased we are with the sanesecurity clamav tool.  We
have always used spamassassin with many custom rule sets, dcc and rbls, with
clamd for virus scanning.

We have been getting a large number (~4,500 per day) of these PDF and other
attachment spams making it through SA, even with PDFinfo and everything else
we could throw at them.  After adding the sanesecurity sigs to clamd last
week not one PDF has made it through.  And since clamd unpacks and examines
every attachment anyway it is no additional load.  In fact, due to the
messages not hitting SA it probably reduced load slightly.

John P. Scully
President/CTO
iSupportISP LLC
33 North high st
Suite 1000
Columbus, OH 43215
614-586-4040
614-226-6110 Mobile
614-586-4044 Fax
jscully@isupportisp.com

Your Private Label Internet and Digital Phone Provider
----- Original Message ----- 
From: "Robert Schetterer" <ro...@schetterer.org>
To: <us...@spamassassin.apache.org>
Sent: Monday, July 23, 2007 5:15 AM
Subject: Re: Now its zip attachments ^^


>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Robert Schetterer wrote:
> > Matus UHLAR - fantomas wrote:
> >>> Hendrik Helmvoigt wrote:
> >>>> This night it seems like we're being spammed again by xml documents,
> >>>> but this time neatly packed into a zipfile:
> >>>>
> >>>> I'm really excited what's going to happen next. Maybe psd files embedded
> >>>> in pdf and then rar'ed.
> >>>>
> >>>> And I'd still like to meet the person that goes through all that trouble
> >>>> to read that spam, and then performs the action that the spammer wants
> >>>> from him.
> >> On 22.07.07 18:47, John Rudd wrote:
> >>> As I've said for years: we should just ban attachments.  They're not
> >>> really useful for anything that can't be done a better way.  Which only
> >>> leaves them being useful for attacks of one form or another.
> >> some people just want, some just need attachments. I think that if a filter
> >> (word plugin is used with different meaning in SA) would preprocess/convert
> >> those attachments to text, SA could just run standard rules over it and
> >> catch unwelcome words, do BAYES check over it, etc etc.
> >
> >> So the words "dear winner" would match no matter if stored in text, HTML,
> >> .doc (tnef), gif or pdf ...
> >
> >> Is there any such plan for SA?
> > Hi all,
> > meanwhile
> > http://sanesecurity.co.uk/clamav/
> > also catches this zip spam
>
> I forgot: read the story here
>
> http://sanesecurity.blogspot.com/2007/07/from-pdf-to-xls-to-zipped-xls-stock.html
>
> and thanks to Steve for his work
>
> - --
> With kind regards
> Best Regards
>
> Robert Schetterer
>
> https://www.schetterer.org
> Germany
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
>
> iD8DBQFGpHGXfGH2AvR16oERAtV7AJ4+brYiSRH6Vw2lPVhJyKQ5tmUhlgCfWk77
> QiSPZGpUdTKEWesgbfVh7So=
> =W6Xw
> -----END PGP SIGNATURE-----
>
>


Re: Now its zip attachments ^^

Posted by Robert Schetterer <ro...@schetterer.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matus UHLAR - fantomas wrote:
>> Hendrik Helmvoigt wrote:
>>> This night it seems like we're being spammed again by xml documents, 
>>> but this time neatly packed into a zipfile:
>>>
>>> I'm really excited what's going to happen next. Maybe psd files embedded 
>>> in pdf and then rar'ed.
>>>
>>> And I'd still like to meet the person that goes through all that trouble 
>>> to read that spam, and then performs the action that the spammer wants 
>>> from him.
> 
> On 22.07.07 18:47, John Rudd wrote:
>> As I've said for years: we should just ban attachments.  They're not 
>> really useful for anything that can't be done a better way.  Which only 
>> leaves them being useful for attacks of one form or another.
> 
> some people just want, some just need attachments. I think that if a filter
> (word plugin is used with different meaning in SA) would preprocess/convert
> those attachments to text, SA could just run standard rules over it and
> catch unwelcome words, do BAYES check over it, etc etc.
> 
> So the words "dear winner" would match no matter if stored in text, HTML,
> .doc (tnef), gif or pdf ... 
> 
> Is there any such plan for SA?
Hi all,
meanwhile
http://sanesecurity.co.uk/clamav/
also catches this zip spam
- --
With kind regards
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGpHENfGH2AvR16oERAiqDAJ4uK6HD1Zvnz/dLb5+NeO5dtYSLJACeJwqN
Y899WBOLLZz8G0UoSQw3KrQ=
=cDw5
-----END PGP SIGNATURE-----


Re: Now its zip attachments ^^

Posted by Gene Heskett <ge...@verizon.net>.
On Monday 23 July 2007, Jerry Glomph Black wrote:
>I would start by banning Outlook along with attachments.
>Why stop there, ban -all- Microsoft products from the internet.
>
>Next, I would ban smoking, unhealthy foods, and moronic neo-cons.
>
>Come on, this is Earth we are talking about.
>
>The whole point of SpamAssassin is to attempt to make ordinary people's use
> of email tolerable again, under the onslaught of crap.  SA, along with the
> various external services it employs, does a fantastic job, thanks to a
> great bunch of guys who appear here every day.

I'll probably have to stand in line longer than my kidneys will hold out, but 
I have to say a hearty Amen! to those that do help here.  It is much 
appreciated.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Blessed is he who expects no gratitude, for he shall not be disappointed.
		-- W.C. Bennett

Re: Now its zip attachments ^^

Posted by John Rudd <jr...@ucsc.edu>.
Per Jessen wrote:
> John Rudd wrote:
> 
>> "some just need" -- no, I can't agree there.  I have yet to come
>> across
>> ANY situation where a person _NEEDED_ attachments.  As I said above,
>> there's nothing that can be done with attachments that you can't do
>> another way.
> 
> That is very similar to saying that a person does not NEED a car - he
> could just walk.  Or take the bus or a train.  Or all three combined.

Or ride a bike.


However, the difference from the car analogy is that there's actually 
quite a bit that does require a car in modern life.  There isn't 
anything that needs an attachment.

Re: Now its zip attachments ^^

Posted by Per Jessen <pe...@computer.org>.
John Rudd wrote:

> "some just need" -- no, I can't agree there.  I have yet to come
> across
> ANY situation where a person _NEEDED_ attachments.  As I said above,
> there's nothing that can be done with attachments that you can't do
> another way.

That is very similar to saying that a person does not NEED a car - he
could just walk.  Or take the bus or a train.  Or all three combined.


/Per Jessen, Zürich


Re: Now its zip attachments ^^

Posted by Jim Maul <jm...@elih.org>.
John Rudd wrote:
> Matus UHLAR - fantomas wrote:
> 
>> On 22.07.07 18:47, John Rudd wrote:
>>> As I've said for years: we should just ban attachments.  They're not 
>>> really useful for anything that can't be done a better way.  Which 
>>> only leaves them being useful for attacks of one form or another.
>>
>> some people just want, some just need attachments.
> 
> "some people just want" -- yup, no disagreement there.  No matter how 
> many alternatives you give them, some people just want the ease and 
> convenience of attachments.
> 
> 
> "some just need" -- no, I can't agree there.  I have yet to come across 
> ANY situation where a person _NEEDED_ attachments.  As I said above, 
> there's nothing that can be done with attachments that you can't do 
> another way.
> 
> 

Of course these things COULD be done another way.  But not always as 
easily or as quickly as with attachments.  Can you recommend a quick and 
easy replacement to attachments when my boss wants me to send him an 
excel file he needs for a meeting with an auditor?

1. FTP?  Easy for me to set up and upload the file to the server.  But 
now my boss has to open an ftp client (yes you can use a browser but 
does he know this?) He doesn't even know what ftp is..and now he needs to 
use a username and password just to get this file I could have easily 
emailed him?  Too much work on his part.

2. Put it up on our company intranet?  This is somewhat less work than 
ftp but since it is publicly accessible (inside our organization), there 
would need to be some authentication.  This ALMOST worked for us here 
except for that time when the ceo needed a report sent to him but he was 
not in the building.  He wanted it on his blackberry..hmm..how to get a 
report to a blackberry remotely without email and attachments?

3. ??

Re: Now its zip attachments ^^

Posted by jdow <jd...@earthlink.net>.
From: "John Rudd" <jr...@ucsc.edu>

> Matus UHLAR - fantomas wrote:
>
>> On 22.07.07 18:47, John Rudd wrote:
>>> As I've said for years: we should just ban attachments.  They're not 
>>> really useful for anything that can't be done a better way.  Which only 
>>> leaves them being useful for attacks of one form or another.
>>
>> some people just want, some just need attachments.
>
> "some people just want" -- yup, no disagreement there.  No matter how many 
> alternatives you give them, some people just want the ease and convenience 
> of attachments.
>
>
> "some just need" -- no, I can't agree there.  I have yet to come across 
> ANY situation where a person _NEEDED_ attachments.  As I said above, 
> there's nothing that can be done with attachments that you can't do 
> another way.

I could send files to my customer other ways. But ANY alternative way
involves opening a security hole in his mind, on my machines, or both.

If he gets used to retrieving files via ftp when I send him email with
a link, he's in trouble. If I open an ftp port that is one more firewall
security hole for me. If I throw the files onto my ISP's web facilities
that's one more hole for the whole project if somebody guesses the name
used.

The same applies for http and a host of other alternatives.

His son and I have almost trained him not to click on links in email
unless he scrutinizes the link and knows exactly where it goes, which
is not possible with many email programs. (He uses <gag><choke><sputter>
AOL, which is a security hole in itself judging from how badly his
computer was infected the last time we all checked.) We also have
almost trained him to check attachments CAREFULLY before opening them.
Is he sure he knows what they are, that they are from a trustworthy
source, and that he was expecting the attachment.

(He is a good salesman who knows his business. He's not very technically
minded, which leaves him vulnerable.)

If I have to get new telecommuting files to him I have to settle on
which vulnerability to allow. (I am NOT going to VPN into his network,
both for his security and mine. Setting it up on his network is pretty
much out of the question, anyway.)

You just can't win, John. All you can do is try to stay ahead of the
game.

{^_^} 


Re: Now its zip attachments ^^

Posted by Jerry Glomph Black <sp...@glomph.com>.
I would start by banning Outlook along with attachments.
Why stop there, ban -all- Microsoft products from the internet.

Next, I would ban smoking, unhealthy foods, and moronic neo-cons.

Come on, this is Earth we are talking about.

The whole point of SpamAssassin is to attempt to make ordinary people's use of 
email tolerable again, under the onslaught of crap.  SA, along with the various 
external services it employs, does a fantastic job, thanks to a great bunch of 
guys who appear here every day.


_________________________________________

On Mon, 23 Jul 2007, John Rudd wrote:

> Matus UHLAR - fantomas wrote:
>
>> On 22.07.07 18:47, John Rudd wrote:
>>> As I've said for years: we should just ban attachments.  They're not 
>>> really useful for anything that can't be done a better way.  Which only 
>>> leaves them being useful for attacks of one form or another.
>> 
>> some people just want, some just need attachments.
>
> "some people just want" -- yup, no disagreement there.  No matter how many 
> alternatives you give them, some people just want the ease and convenience of 
> attachments.
>
>
> "some just need" -- no, I can't agree there.  I have yet to come across ANY 
> situation where a person _NEEDED_ attachments.  As I said above, there's 
> nothing that can be done with attachments that you can't do another way.
>

Re: Now its zip attachments ^^

Posted by jdow <jd...@earthlink.net>.
From: "Dave Pooser" <da...@pooserville.com>

>> "some just need" -- no, I can't agree there.  I have yet to come across
>> ANY situation where a person _NEEDED_ attachments.  As I said above,
>> there's nothing that can be done with attachments that you can't do
>> another way.
>
> <rant>
> In fact, nobody _NEEDS_ email, because we could just FTP text files around
> and then IM each other to say "I dropped a message in your FTP inbox." But
> in real twenty-first-century life, our users expect email to be a
> combination of near-real-time communications and file transfer, and since
> they're the people who are responsible for our getting paid it seems
> worthwhile to deliver what they expect instead of getting hung up on the
> purpose of email as defined in 1970-whatever.
> </rant>

<snicker>

> -- 
> Dave Pooser
> Cat-Herder-in-Chief, Pooserville.com

And I often feel like I am trying to train cats to herd mice.

{^_-} 


Re: Now its zip attachments ^^

Posted by Dave Pooser <da...@pooserville.com>.
> "some just need" -- no, I can't agree there.  I have yet to come across
> ANY situation where a person _NEEDED_ attachments.  As I said above,
> there's nothing that can be done with attachments that you can't do
> another way.

<rant>
In fact, nobody _NEEDS_ email, because we could just FTP text files around
and then IM each other to say "I dropped a message in your FTP inbox." But
in real twenty-first-century life, our users expect email to be a
combination of near-real-time communications and file transfer, and since
they're the people who are responsible for our getting paid it seems
worthwhile to deliver what they expect instead of getting hung up on the
purpose of email as defined in 1970-whatever.
</rant>
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna



Re: Now its zip attachments ^^

Posted by John Rudd <jr...@ucsc.edu>.
Matus UHLAR - fantomas wrote:

> On 22.07.07 18:47, John Rudd wrote:
>> As I've said for years: we should just ban attachments.  They're not 
>> really useful for anything that can't be done a better way.  Which only 
>> leaves them being useful for attacks of one form or another.
> 
> some people just want, some just need attachments.

"some people just want" -- yup, no disagreement there.  No matter how 
many alternatives you give them, some people just want the ease and 
convenience of attachments.


"some just need" -- no, I can't agree there.  I have yet to come across 
ANY situation where a person _NEEDED_ attachments.  As I said above, 
there's nothing that can be done with attachments that you can't do 
another way.


Re: Now its zip attachments ^^

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> Hendrik Helmvoigt wrote:
> >This night it seems like we're being spammed again by xml documents, 
> >but this time neatly packed into a zipfile:
> >
> >I'm really excited what's going to happen next. Maybe psd files embedded 
> >in pdf and then rar'ed.
> >
> >And I'd still like to meet the person that goes through all that trouble 
> >to read that spam, and then performs the action that the spammer wants 
> >from him.

On 22.07.07 18:47, John Rudd wrote:
> As I've said for years: we should just ban attachments.  They're not 
> really useful for anything that can't be done a better way.  Which only 
> leaves them being useful for attacks of one form or another.

some people just want, some just need attachments. I think that if a filter
(word plugin is used with different meaning in SA) would preprocess/convert
those attachments to text, SA could just run standard rules over it and
catch unwelcome words, do BAYES check over it, etc etc.

So the words "dear winner" would match no matter if stored in text, HTML,
.doc (tnef), gif or pdf ... 

Is there any such plan for SA?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Save the whales. Collect the whole set.
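
Matus's idea of converting attachments to text before the word rules run, as an added example in Python; it is not SpamAssassin's own code and nothing in the thread provides it. It handles the case this thread is about, a zip attachment (including zips nested inside zips), with caps on member count, bytes per member and nesting depth so a decompression bomb cannot exhaust the filter; the message, the zip contents and the two phrase rules are constructed. The other containers the post mentions (.doc, pdf, gif) would each need their own converter and are not handled here.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_BYTES_PER_MEMBER = 1 << 20   # read at most 1 MiB of any one member
MAX_MEMBERS = 50                 # and at most this many members per archive
MAX_NESTING = 3                  # zip-in-zip-in-zip is deep enough

# Stand-in for SA's body rules: phrases to look for wherever text turns up.
PHRASE_RULES = {
    "DEAR_WINNER": re.compile(r"\bdear\s+winner\b", re.IGNORECASE),
    "STOCK_TIP": re.compile(r"\bstrong\s+buy\b", re.IGNORECASE),
}


def _texts_from_zip(data, depth=0):
    """Yield text for each zip member, recursing into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                      # not a zip (or truncated): nothing to yield
    with zf:
        for info in zf.infolist()[:MAX_MEMBERS]:
            if info.is_dir():
                continue
            with zf.open(info) as member:
                raw = member.read(MAX_BYTES_PER_MEMBER)   # bounded read
            if raw[:4] == b"PK\x03\x04" and depth < MAX_NESTING:
                yield from _texts_from_zip(raw, depth + 1)
            else:
                yield raw.decode("utf-8", errors="replace")


def extract_texts(msg):
    """Text of every part: text/* bodies as-is, zip attachments unpacked."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            yield part.get_content()
            continue
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if ctype in ("application/zip", "application/x-zip-compressed") \
                or name.endswith(".zip"):
            yield from _texts_from_zip(payload)
        # .doc, pdf, gif: would need antiword/pdftotext/OCR, not done here


def rule_hits(msg):
    """Names of phrase rules matched in the message or inside its zips."""
    return sorted({rule for text in extract_texts(msg)
                   for rule, rx in PHRASE_RULES.items() if rx.search(text)})


def body_only_hits(msg):
    """What the same rules see when they look only at the text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return sorted(r for r, rx in PHRASE_RULES.items() if rx.search(text))


def build_sample_message():
    """Constructed sample: innocuous body, the pitch hidden in a zipped .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("offer.txt", "Dear Winner,\nThis stock is a STRONG BUY.\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "your document"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg


def hits_after_roundtrip(msg):
    """Serialise and re-parse, as a filter receiving the mail would see it."""
    parsed = message_from_bytes(msg.as_bytes(), policy=policy.default)
    return rule_hits(parsed)


if __name__ == "__main__":
    sample = build_sample_message()
    print("body only :", body_only_hits(sample))
    print("with zips :", hits_after_roundtrip(sample))
```

The point of the two result functions is the contrast: the body alone matches nothing, the same rules over the unpacked zip match both phrases. The limits are not optional in a mail filter; an archive that expands to gigabytes, or nests itself, must cost at most a bounded amount of memory and time per message.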

Re: Now its zip attachments ^^

Posted by John Rudd <jr...@ucsc.edu>.
Hendrik Helmvoigt wrote:
> This night it seems like we're being spammed again by xml documents, 
> but this time neatly packed into a zipfile:
> 
> I'm really excited what's going to happen next. Maybe psd files embedded 
> in pdf and then rar'ed.
> 
> And I'd still like to meet the person that goes through all that trouble 
> to read that spam, and then performs the action that the spammer wants 
> from him.


As I've said for years: we should just ban attachments.  They're not 
really useful for anything that can't be done a better way.  Which only 
leaves them being useful for attacks of one form or another.

Just junk'em and be done with it.

For multi-lingual reasons, just allow plain ascii or unicode, and throw 
away any messages with any body types other than that.