Posted to users@spamassassin.apache.org by Chris <cp...@earthlink.net> on 2005/08/19 05:20:17 UTC

Trojan infected FN

Got three of these tonight with the same trojan, SA detected the other two as 
spam, this one slipped through just a bit under the wire.

----------  Forwarded Message  ----------

Status:  U
Return-Path: <po...@earthlink.net>
Received: from pop.earthlink.net [209.86.93.204]
	by localhost with POP3 (fetchmail-6.2.5)
	for cpollock@localhost (single-drop); Thu, 18 Aug 2005 21:57:34 -0500 (CDT)
Received: from pc075675.sci.gu.edu.au ([132.234.102.3])
	by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 
1e5X397zk3Nl34i0
	for <cp...@earthlink.net>; Thu, 18 Aug 2005 22:56:07 -0400 (EDT)
Received: from [194.32.104.162] (port=3279 helo=qpeqz)
	by pc075675.sci.gu.edu.au with SMTP
	for cpollock@earthlink.net ; Fri, 19 Aug 2005 12:55:39 +1000
Message-ID: <0a...@cavyrq>
From: "Mail Administrator" <po...@earthlink.net>
To: <cp...@earthlink.net>
Subject: status
Date: Fri, 19 Aug 2005 12:42:39 +1000
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0F3B_61A1D085.F8793781"
X-ELNK-AV: 0
X-SenderIP: 132.234.102.3
X-ASN: ASN-7575
X-CIDR: 132.234.0.0/16
X-Spam-Seen: Tokens 39
X-Spam-New: Tokens 63
X-Spam-Remote: Host localhost.localdomain
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
	cpollock.localdomain
X-Spam-Hammy: Tokens 6
X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_05,DIGEST_MULTIPLE,
	PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=disabled 
	version=3.0.4
X-Spam-Spammy: Tokens 1
X-Spam-Pyzor: Reported 60 times.
X-Spam-Token: Summary Tokens: new, 24; hammy, 6; neutral, 32; spammy, 1.
X-Spam-Trusted: Relays 
X-Spam-DCC: dcc.uncw.edu cpollock.localdomain 1201; Body=1 Fuz1=1
X-Spam-Untrusted: Relays [ ip=132.234.102.3 rdns=pc075675.sci.gu.edu.au 
	helo=pc075675.sci.gu.edu.au by=mx-bracke.atl.sa.earthlink.net ident= 
	envfrom= intl=0 id=1e5X397zk3Nl34i0 auth= ] [ ip=194.32.104.162 rdns= 
	helo= by=pc075675.sci.gu.edu.au ident= envfrom= intl=0 id= auth= ]
X-Spam-Level: ****
X-UID: 1
X-Length: 111667
Account Information Are Attached!

-------------------------------------------------------

-- 
Chris
Registered Linux User 283774 http://counter.li.org
22:17:25 up 15 days, 6:53, 2 users, load average: 3.27, 1.06, 0.62
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


Re: Trojan infected FN

Posted by Chris <cp...@earthlink.net>.
On Friday 19 August 2005 09:54 am, Matt Kettler wrote:

>
> Setting up clamav is quick and easy, and best of all, free.
>
> If you've got SA 3.x, there's even a clamAV plugin so you can get SA to
> call clamav while it's scanning for spam.
>
> http://wiki.apache.org/spamassassin/ClamAVPlugin
>
> I think that might offer you the least-effort path to getting rid of
> viruses along with your spam.

Thanks Matt, I'll give it a try this weekend.

-- 
Chris
Registered Linux User 283774 http://counter.li.org
21:46:55 up 16 days, 6:23, 4 users, load average: 4.30, 3.31, 1.80
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk




Re: Trojan infected FN

Posted by Chris <cp...@earthlink.net>.
On Sunday 21 August 2005 01:53 am, jdow wrote:

> > Wow! That was as easy to set up as falling off a log. Thanks for the tip
> > Matt,
> > works great.
>
> I noticed the ClamAV scan almost doubles the time for an SA scan on
> virus free mail. On a virus sample I happen to have around it goes up
> from 4.5 seconds to 35 seconds to scan the message. Is this "normal?"
>
> {^_^}

Doesn't appear to be consistent:

Aug 20 23:26:21 cpollock named[3444]: unexpected RCODE (SERVFAIL) resolving '78.171.93.202.list.dsbl.org/TXT/IN': 64.39.29.212#53
Aug 20 23:27:41 cpollock clamd[5314]: SelfCheck: Database status OK.
Aug 20 23:27:41 cpollock clamd[5314]: Accepted connection on port 1563, fd 8
Aug 20 23:27:41 cpollock clamd[5314]: stream: Worm.Mydoom.AT FOUND
Aug 20 23:27:42 cpollock spamd[9060]: identified spam (24.0/5.0) for chris:501 in 82.2 seconds, 109343 bytes.

Aug 21 01:03:49 cpollock spamd[14980]: processing message <02...@vshppmy> for chris:501.
Aug 21 01:03:51 cpollock clamd[5314]: Accepted connection on port 1473, fd 8
Aug 21 01:03:52 cpollock clamd[5314]: stream: Worm.Mydoom.AT FOUND
Aug 21 01:03:55 cpollock spamd[14980]: identified spam (33.9/5.0) for chris:501 in 6.3 seconds, 109333 bytes.

Aug 21 08:19:42 cpollock spamd[24892]: processing message <0f...@widbex> for chris:501.
Aug 21 08:19:45 cpollock clamd[5314]: Accepted connection on port 1140, fd 8
Aug 21 08:19:46 cpollock clamd[5314]: stream: Worm.Mydoom.AT FOUND
Aug 21 08:19:46 cpollock spamd[24892]: identified spam (14.4/5.0) for chris:501 in 3.9 seconds, 109372 bytes.

There must be other variables involved to account for the long SA scan time.
 
-- 
Chris
Registered Linux User 283774 http://counter.li.org
09:21:01 up 17 days, 17:57, 1 user, load average: 0.23, 0.23, 0.34
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you think you're wrong
		-- Murphy's Laws for School Administrators n°3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
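As an added illustration that is not part of the thread: a small Python parser for the spamd, clamd and named syslog lines Chris posted (the sample below is constructed from them, with one assumed clean-message line appended). It attributes each clamd FOUND and each resolver failure to the spamd verdict that follows it, so scan time can be read next to what else the box was doing.

```python
import re

# Constructed syslog sample based on the excerpts in Chris's post; the partial
# repeats produced by syslog line wrapping are dropped and a clean-message line
# (assumed, not from the post) is added so a non-virus scan appears too.
LOG = """\
Aug 20 23:26:21 cpollock named[3444]: unexpected RCODE (SERVFAIL) resolving '78.171.93.202.list.dsbl.org/TXT/IN': 64.39.29.212#53
Aug 20 23:27:41 cpollock clamd[5314]: Accepted connection on port 1563, fd 8
Aug 20 23:27:41 cpollock clamd[5314]: stream: Worm.Mydoom.AT FOUND
Aug 20 23:27:42 cpollock spamd[9060]: identified spam (24.0/5.0) for chris:501 in 82.2 seconds, 109343 bytes.
Aug 21 01:03:49 cpollock spamd[14980]: processing message <02...@vshppmy> for chris:501.
Aug 21 01:03:51 cpollock clamd[5314]: Accepted connection on port 1473, fd 8
Aug 21 01:03:52 cpollock clamd[5314]: stream: Worm.Mydoom.AT FOUND
Aug 21 01:03:55 cpollock spamd[14980]: identified spam (33.9/5.0) for chris:501 in 6.3 seconds, 109333 bytes.
Aug 21 08:19:42 cpollock spamd[24892]: processing message <0f...@widbex> for chris:501.
Aug 21 08:19:45 cpollock clamd[5314]: Accepted connection on port 1140, fd 8
Aug 21 08:19:46 cpollock clamd[5314]: stream: Worm.Mydoom.AT FOUND
Aug 21 08:19:46 cpollock spamd[24892]: identified spam (14.4/5.0) for chris:501 in 3.9 seconds, 109372 bytes.
Aug 21 09:00:03 cpollock spamd[25001]: clean message (-1.2/5.0) for chris:501 in 2.1 seconds, 4321 bytes.
"""

RESULT = re.compile(r"spamd\[\d+\]: (identified spam|clean message) "
                    r"\((-?[\d.]+)/([\d.]+)\) for (\S+) in ([\d.]+) seconds, (\d+) bytes")
FOUND = re.compile(r"clamd\[\d+\]: stream: (\S+) FOUND")
DNSFAIL = re.compile(r"named\[\d+\]: unexpected RCODE \((\w+)\) resolving '([^']+)'")

def scan_summary(log):
    """One record per spamd verdict, carrying whatever clamd and named logged
    since the previous verdict (clamd reports before spamd finishes)."""
    records, virus, dns_errors = [], None, []
    for line in log.splitlines():
        if m := FOUND.search(line):
            virus = m.group(1)
        elif m := DNSFAIL.search(line):
            dns_errors.append(m.group(2))          # the lookup that failed
        elif m := RESULT.search(line):
            verdict, score, req, user, secs, size = m.groups()
            records.append({"spam": verdict == "identified spam",
                            "score": float(score), "required": float(req),
                            "user": user, "seconds": float(secs),
                            "bytes": int(size), "virus": virus,
                            "dns_errors": dns_errors})
            virus, dns_errors = None, []           # reset for the next message
    return records

def slow_scans(records, threshold):
    """Records whose scan time exceeds threshold seconds."""
    return [r for r in records if r["seconds"] > threshold]

if __name__ == "__main__":
    for r in scan_summary(LOG):
        print(f"{r['seconds']:6.1f}s {r['bytes']:7d} bytes virus={r['virus']} "
              f"dns_errors={len(r['dns_errors'])}")
```

In this sample the 82.2-second scan is the only one preceded by a DNSBL lookup failure, which is one candidate for the other variables the post mentions.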

Re: Trojan infected FN

Posted by jdow <jd...@earthlink.net>.
From: "Chris" <cp...@earthlink.net>

> On Friday 19 August 2005 09:54 am, Matt Kettler wrote:
>
>> >Although this is a standalone box with no windows on it at all, guess I
>> > could set one up anyway.
>>
>> Setting up clamav is quick and easy, and best of all, free.
>>
>> If you've got SA 3.x, there's even a clamAV plugin so you can get SA to
>> call clamav while it's scanning for spam.
>>
>> http://wiki.apache.org/spamassassin/ClamAVPlugin
>>
>> I think that might offer you the least-effort path to getting rid of
>> viruses along with your spam.
>
> Wow! That was as easy to set up as falling off a log. Thanks for the tip 
> Matt,
> works great.

I noticed the ClamAV scan almost doubles the time for an SA scan on
virus free mail. On a virus sample I happen to have around it goes up
from 4.5 seconds to 35 seconds to scan the message. Is this "normal?"

{^_^} 



Re: Trojan infected FN

Posted by Chris <cp...@earthlink.net>.
On Friday 19 August 2005 09:54 am, Matt Kettler wrote:

> >Although this is a standalone box with no windows on it at all, guess I
> > could set one up anyway.
>
> Setting up clamav is quick and easy, and best of all, free.
>
> If you've got SA 3.x, there's even a clamAV plugin so you can get SA to
> call clamav while it's scanning for spam.
>
> http://wiki.apache.org/spamassassin/ClamAVPlugin
>
> I think that might offer you the least-effort path to getting rid of
> viruses along with your spam.

Wow! That was as easy to set up as falling off a log. Thanks for the tip Matt, 
works great.

-- 
Chris
Registered Linux User 283774 http://counter.li.org
20:22:12 up 17 days, 4:58, 3 users, load average: 3.41, 1.57, 0.92
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


Re: Trojan infected FN

Posted by Matt Kettler <mk...@evi-inc.com>.
Loren Wilton wrote:
>> The main reason is adding rules to catch or not catch viruses would wind
>> up diluting the scores of the spam rules. This would weaken SA's spam
>> detecting abilities, in order to grant it rather lame virus catching
>> abilities.
> 
> Hum.  Interesting philosophy, but I don't know that it is actually true, at
> least these days.

It certainly is still valid.

> If you think about it, most virui you are likely to get are from infected
> zombies sending out another copy of themselves.
> 
> Most spam that you are likely to get is from infected zombies sending out
> spam.  Sounds to me like the source is pretty much the same in both cases.
> So source rules should work fine for either.

Ahh, but see there's a difference here in angle. The source rule should not be
added because of the virus, it should be added because of the spam.

The overlap between patterns in viruses and spam is a real thing, and is fine.
But that does not mean that spam and viruses should be treated the same.

The overlap in my mind should never be taken to mean that a pattern in a virus
automatically qualifies a rule as a spam rule, even if that pattern isn't
present in any spam.

You need a pattern to be present in spam to justify a rule as a good spam rule.
Viruses alone are not enough justification.


> 
> Also, virui are designed to have enticing subjects, or innocuous subjects, so
> that unsuspecting fools will open them and activate the payload.  Most spam
> is designed to have enticing or innocuous subjects to get past spam scanners
> and hopefully get fools to open them and trigger the web bugs and payload.
> 
> Again, that sounds a lot like the same thing.

No, it's not.

Should one intentionally add rules which specifically detect viruses, for
patterns never seen before in spam? I say no.

The general SA design philosophy dictates writing rules for spam. While many of
those are effective against viruses, that's accidental, and is only due to the
overlap.

I certainly agree no spam rule should ever be disqualified from SA because it
hits viruses. It's even slightly desirable if it does.

But one should NEVER add a rule to SA which isn't designed for spam catching,
and only designed for virus catching. That causes dilution when the perceptron is
run and scores are assigned.

Write the rules for the spam. Ignore the viruses completely. If you catch them,
great, if not, oh well.





Re: Trojan infected FN

Posted by Loren Wilton <lw...@earthlink.net>.
> The main reason is adding rules to catch or not catch viruses would wind
> up diluting the scores of the spam rules. This would weaken SA's spam
> detecting abilities, in order to grant it rather lame virus catching
> abilities.

Hum.  Interesting philosophy, but I don't know that it is actually true, at
least these days.
If you think about it, most virui you are likely to get are from infected
zombies sending out another copy of themselves.

Most spam that you are likely to get is from infected zombies sending out
spam.  Sounds to me like the source is pretty much the same in both cases.
So source rules should work fine for either.

Also, virui are designed to have enticing subjects, or innocuous subjects, so
that unsuspecting fools will open them and activate the payload.  Most spam
is designed to have enticing or innocuous subjects to get past spam scanners
and hopefully get fools to open them and trigger the web bugs and payload.

Again, that sounds a lot like the same thing.

Now, I grant the payload differs.  But there isn't a lot different between a
virus payload and body and a gif-spam body and payload.  In either case SA
will ignore the real payload, and all you are left with is a few lines of
body text.

About the only real difference is SURBL isn't effective against a virus.

        Loren


Re: Trojan infected FN

Posted by Matt Kettler <mk...@comcast.net>.
At 07:16 AM 8/19/2005, Chris wrote:
>On Thursday 18 August 2005 11:46 pm, Matt Kettler wrote:
> > At 11:20 PM 8/18/2005, you wrote:
> > >Got three of these tonight with the same trojan, SA detected the other two
> > > as spam, this one slipped through just a bit under the wire.
> >
> > Spamassassin doesn't try to detect viruses. That's what virus scanners are
> > best at.
>
>Realize that Matt, though usually there is enough of a spam signature for SA
>to tag the actual message as spam, in this one case there just wasn't enough.

Well, you realize virus scanners are better. But the fact that you posted 
here means you don't quite get the full meaning behind "spamassassin 
doesn't try".

Often SA does wind up tagging viruses as spam. However, that's purely by 
accident.

SA has the design policy of intentionally not caring about viruses. No 
design effort is made trying to catch them, but no design effort is made 
trying to not catch them.

The main reason is adding rules to catch or not catch viruses would wind up 
diluting the scores of the spam rules. This would weaken SA's spam 
detecting abilities, in order to grant it rather lame virus catching abilities.

Hence, spamassassin very much intentionally does not care at all about viruses.


>Although this is a standalone box with no windows on it at all, guess I could
>set one up anyway.

Setting up clamav is quick and easy, and best of all, free.

If you've got SA 3.x, there's even a clamAV plugin so you can get SA to 
call clamav while it's scanning for spam.

http://wiki.apache.org/spamassassin/ClamAVPlugin

I think that might offer you the least-effort path to getting rid of 
viruses along with your spam.




RE: Trojan infected FN

Posted by Herb Martin <He...@learnquick.com>.
> -----Original Message-----
> From: Chris [mailto:cpollock@earthlink.net] 
> 
> On Thursday 18 August 2005 11:46 pm, Matt Kettler wrote:
> > At 11:20 PM 8/18/2005, you wrote:
> > >Got three of these tonight with the same trojan, SA detected the 
> > >other two  as spam, this one slipped through just a bit 
> under the wire.
> >
> > Spamassassin doesn't try to detect viruses. That's what 
> virus scanners 
> > are best at.
> 
> Realize that Matt, though usually there is enough of a spam 
> signature for SA to tag the actual message as spam, in this 
> one case there just wasn't enough.
> Although this is a standalone box with no windows on it at 
> all, guess I could set one up anyway.

Put ClamAV (or another quality anti-virus) ahead of 
SpamAssassin or try using the ClamAV plug-in with SA.

Some viruses will even be larger than you would want to
check with SA, so using ClamAV separately usually makes
the most sense.

If your users are Outlook/Outlook Express users they
will not have access to most executable extensions
anyway, so it can make sense to just block anything with
those (exe, pif, com etc.) files.

(I have a long list prep'ed for a regex or for Exim if
anyone wants it posted again.)

--
Herb Martin


Re: Trojan infected FN

Posted by Chris <cp...@earthlink.net>.
On Thursday 18 August 2005 11:46 pm, Matt Kettler wrote:
> At 11:20 PM 8/18/2005, you wrote:
> >Got three of these tonight with the same trojan, SA detected the other two
> > as spam, this one slipped through just a bit under the wire.
>
> Spamassassin doesn't try to detect viruses. That's what virus scanners are
> best at.

Realize that Matt, though usually there is enough of a spam signature for SA 
to tag the actual message as spam, in this one case there just wasn't enough.
Although this is a standalone box with no windows on it at all, guess I could 
set one up anyway.

Thanks

-- 
Chris
Registered Linux User 283774 http://counter.li.org
06:11:56 up 15 days, 14:48, 2 users, load average: 0.60, 0.45, 0.23
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk

Re: Trojan infected FN

Posted by JamesDR <ro...@bellsouth.net>.
Matt Kettler wrote:
> At 11:20 PM 8/18/2005, you wrote:
> 
>> Got three of these tonight with the same trojan, SA detected the other 
>> two as
>> spam, this one slipped through just a bit under the wire.
> 
> 
> 
> Spamassassin doesn't try to detect viruses. That's what virus scanners 
> are best at.
> 
> 
I've been seeing these as well, ClamAV does the catching tho (before SA).
Think about at least installing ClamAV (FREE/OSS.)


-- 
Thanks,
JamesDR

Re: Trojan infected FN

Posted by Matt Kettler <mk...@comcast.net>.
At 11:20 PM 8/18/2005, you wrote:
>Got three of these tonight with the same trojan, SA detected the other two as
>spam, this one slipped through just a bit under the wire.


Spamassassin doesn't try to detect viruses. That's what virus scanners are 
best at.


Re: Trojan infected FN

Posted by Menno van Bennekom <mv...@xs4all.nl>.
I got spam like that (posted that here some time ago), all with the
specific port= helo= characteristic in the header.
Since there was no FP during testing I now discard them all in Postfix with:
/^Received: from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9]
helo\=\[[a-zA-Z]*\]\)/ DISCARD

Regards
Menno van Bennekom

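As an added check that is not part of the thread: Menno's header_checks pattern compiled in Python and run against the logical Received header from Chris's forwarded message plus two constructed headers. The posted pattern requires the helo value in square brackets, which that header does not have, so an assumed broadened variant (mine, not Menno's) is included for comparison; the line wrap in the e-mail is assumed to have replaced a single space between the port= and helo= parts.

```python
import re

# Menno's Postfix header_checks pattern from the post, with the /.../
# delimiters removed and the e-mail line wrap assumed to have replaced a
# single space between the port= and helo= parts.
POSTED = (r"^Received: from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] "
          r"helo\=\[[a-zA-Z]*\]\)")

# Assumed broadening (not from the post): accept the helo value with or
# without square brackets, which is the shape Chris's header has.
BROADENED = (r"^Received: from \[[0-9\.]*\] \(port=[0-9]{4} "
             r"helo=\[?[a-zA-Z]*\]?\)")

PATTERNS = {"posted": re.compile(POSTED), "broadened": re.compile(BROADENED)}

# Logical (unfolded) Received headers: the first is taken from Chris's
# forwarded message, the other two are constructed for this check.
SAMPLES = {
    "chris_message": ("Received: from [194.32.104.162] (port=3279 helo=qpeqz)\n"
                      "\tby pc075675.sci.gu.edu.au with SMTP\n"
                      "\tfor cpollock@earthlink.net ; Fri, 19 Aug 2005 12:55:39 +1000"),
    "bracketed_helo": ("Received: from [198.51.100.7] (port=1025 helo=[abcd])\n"
                       "\tby mx.example.net with SMTP"),
    "ordinary_pop": ("Received: from pop.earthlink.net [209.86.93.204]\n"
                     "\tby localhost with POP3 (fetchmail-6.2.5)\n"
                     "\tfor cpollock@localhost (single-drop)"),
}

def matches(pattern_name, header):
    """True if the named pattern would fire on this logical header.

    Both patterns are anchored at the start of the header and end at the
    closing parenthesis, so the folded continuation lines never matter.
    """
    return PATTERNS[pattern_name].search(header) is not None

def report():
    """Which samples each pattern would DISCARD, as {pattern: {sample: bool}}."""
    return {p: {s: matches(p, h) for s, h in SAMPLES.items()} for p in PATTERNS}

if __name__ == "__main__":
    for pattern_name, hits in report().items():
        for sample_name, hit in hits.items():
            print(f"{pattern_name:10}{sample_name:16}{'DISCARD' if hit else 'pass'}")
```

Running a DISCARD rule through a matrix like this against a sample of known-good mail is the same "no FP during testing" step the post describes, just made repeatable.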