EmailDiscussions.com  

Old 24 Mar 2004, 04:21 PM   #1
user4
Essential Contributor
 
Join Date: Feb 2004
Posts: 221
virus in incoming mails

Today (24.03.2004), a virus-infected email was let through by Runbox.

(Gladly, Norton AV program detected it while downloading via POP3)

Norton AntiVirus removed the attachment: your_text.pif.
The W32.Netsky.D@mm threat was detected in the attachment.
user4 is offline   Reply With Quote

Old 24 Mar 2004, 09:45 PM   #2
carverrn
Intergalactic Postmaster
 
Join Date: Jan 2002
Location: Chicago, IL
Posts: 5,606

Representative of:
Runbox.com
From what I can tell the ClamAV virus database does not yet have a signature to recognize this worm.

You can search the ClamAV database at:

https://clamav-du.securesites.net/cgi-bin/clamgrok

Regards,
Rich
carverrn is offline   Reply With Quote
Old 31 Mar 2004, 09:30 PM   #3
user4
Essential Contributor
 
Join Date: Feb 2004
Posts: 221
Quote:
Originally posted by carverrn
From what I can tell the ClamAV virus database does not yet have a signature to recognize this worm.

You can search the ClamAV database at:

https://clamav-du.securesites.net/cgi-bin/clamgrok

Regards,
Rich

I am tired of seeing this virus W32.Netsky.D@mm again and again in my inbox (and Runbox / ClamAV have done nothing to stop it so many days after it originated).
user4 is offline   Reply With Quote
Old 31 Mar 2004, 10:52 PM   #4
Liz
The "e" in e-mail
 
Join Date: Jul 2001
Location: Los Angeles,CA
Posts: 4,652

Representative of:
Runbox.com
I've mailed this to our sysops, as I am very surprised that such an extremely common virus wouldn't be caught by Clam...

Liz
Liz is offline   Reply With Quote
Old 6 Apr 2004, 10:02 PM   #5
user4
Essential Contributor
 
Join Date: Feb 2004
Posts: 221
Quote:
Originally posted by Liz
I've mailed this to our sysops, as I am very surprised that such an extremely common virus wouldn't be caught by Clam...

Liz
Just for information, I am still getting a lot of viruses (probably the same kind)...
user4 is offline   Reply With Quote
Old 7 Apr 2004, 12:38 AM   #6
carverrn
Intergalactic Postmaster
 
Join Date: Jan 2002
Location: Chicago, IL
Posts: 5,606

Representative of:
Runbox.com
Apparently ClamAV calls the Netsky worm the SomeFool worm and it is supposed to catch the SomeFool.D according to its database. However, I found some messages indicating that others are having a similar problem with the Netsky/SomeFool.D getting through. The only suggestion I found was to make sure that ClamAV was current.

Regards,
Rich
carverrn is offline   Reply With Quote
Old 8 Apr 2004, 12:48 AM   #7
user4
Essential Contributor
 
Join Date: Feb 2004
Posts: 221
Quote:
Originally posted by carverrn
Apparently ClamAV calls the Netsky worm the SomeFool worm and it is supposed to catch the SomeFool.D according to its database. However, I found some messages indicating that others are having a similar problem with the Netsky/SomeFool.D getting through. The only suggestion I found was to make sure that ClamAV was current.

Regards,
Rich

Does it mean that ClamAV will not fix this while all other AV programs have fixed it long back?

I have got some bounced messages saying my PC sent the Netsky virus (it's my own AV settings problem), but the point was to outline what other mail servers think about this particular virus.
user4 is offline   Reply With Quote
Old 12 Apr 2004, 08:40 PM   #8
user4
Essential Contributor
 
Join Date: Feb 2004
Posts: 221
Quote:
Originally posted by carverrn
Apparently ClamAV calls the Netsky worm the SomeFool worm and it is supposed to catch the SomeFool.D according to its database. However, I found some messages indicating that others are having a similar problem with the Netsky/SomeFool.D getting through. The only suggestion I found was to make sure that ClamAV was current.

Regards,
Rich
Bringing this topic up again: isn't there any way RB can prevent this virus by adding their own module?

There have been so many of it... in my Inbox.
user4 is offline   Reply With Quote
Old 12 Apr 2004, 09:55 PM   #9
rob_au
Master of the @
 
Join Date: Feb 2004
Location: Melbourne, Australia
Posts: 1,711

Representative of:
Bluebottle.com
Quote:
Originally posted by user4
Does it mean that ClamAV will not fix this while all other AV programs have fixed it long back?
ClamAV will undoubtedly incorporate a defence for this virus (if indeed it has not already incorporated such an anti-virus definition), but given that it is an open-source database and development effort, it is very much dependent upon virus samples, heuristics identification and developer effort.
rob_au is offline   Reply With Quote
Old 12 Apr 2004, 09:58 PM   #10
rob_au
Master of the @
 
Join Date: Feb 2004
Location: Melbourne, Australia
Posts: 1,711

Representative of:
Bluebottle.com
Quote:
Originally posted by carverrn
You can search the ClamAV database at:

https://clamav-du.securesites.net/cgi-bin/clamgrok
Furthermore, you can upload a virus sample for scanning and detection by Clam AV at http://www.gietl.com/test-clamav/.
rob_au is offline   Reply With Quote
Old 12 Apr 2004, 11:52 PM   #11
user4
Essential Contributor
 
Join Date: Feb 2004
Posts: 221
Quote:
Originally posted by rob_au
ClamAV will undoubtedly incorporate a defence for this virus (if indeed it has not already incorporated such an anti-virus definition), but given that it is an open-source database and development effort, it is very much dependent upon virus samples, heuristics identification and developer effort.
Just wondering, shouldn't Runbox use professional (paid) virus scan services (McAfee, Norton, ...)?
user4 is offline   Reply With Quote
Old 13 Apr 2004, 07:55 AM   #12
rob_au
Master of the @
 
Join Date: Feb 2004
Location: Melbourne, Australia
Posts: 1,711

Representative of:
Bluebottle.com
Quote:
Originally posted by user4
Just wondering, shouldn't Runbox use professional (paid) virus scan services (McAfee, Norton, ...)?
The argument as to better support from a paid anti-virus product is questionable in this case as the ClamAV anti-virus package is a very good product. Indeed, in terms of flexibility of interface and employ, there is very little else available which compares with ClamAV.

Whilst I cannot answer as to whether this protection is sufficient in the Runbox environment, I would comment (as I have done so before) that server-side anti-virus protection, whilst having its merits in providing 'front-line' protection against email-borne viruses, should not be considered a substitute for user vigilance and client-side anti-virus software.
rob_au is offline   Reply With Quote
Old 14 Apr 2004, 03:50 AM   #13
tore
Junior Member
 
Join Date: Jan 2004
Posts: 22
Quote:
Originally posted by user4
Just for information, I am still getting a lot of viruses (probably the same kind)...
Which is surprising, as ClamAV has had the signature in question for a long time - even before the thread was started, I think - both signatures which specifically match the known variants, and several anamorphic signatures for detection of future variants.

We've been rejecting heaps of this particular virus. Could it be that the e-mails you're seeing have been downloaded to your Runbox account from an external POP3 source? These messages aren't filtered thru ClamAV at present.

If you are uncertain, you can find out by following the «View source» link in the message display, and find the lower-most Received-header that speaks of a Runbox host, and see if it reads Received: [...] by foo.runbox.com with local. (The word local is the significant one, and would read esmtp or similar for messages received directly).

If it indeed has been delivered via SMTP, see if the virus is actually present. Some brain dead mail servers actually remove the virus, before sending the «disinfected» message on to its destination. Needless to say, we cannot detect any malware in such messages, even though they will look menacing to you in the message listing. If you can't see a large block consisting mainly of upper-case characters, digits, and some other characters near the end of the virus mail, then that is what has happened.

Quote:
Just wondering, shouldn't Runbox use professional (paid) virus scan services (McAfee, Norton, ...)?
In my experience ClamAV doesn't perform any worse than the commercial offerings. We've got a few customers other than Runbox who've opted for running commercial scanners (eg. Kaspersky AV) - and they also sometimes report on known viruses not getting stopped as early as one would wish. So in my opinion ClamAV does in no way deserve being branded a second-class scanner just because it is built as free software.

Besides, as rob_au points out, working with ClamAV is very comfortable from a sysadm's point of view. Access to the source code of a piece of software is absolutely invaluable when trying to adapt it to complex systems such as Runbox, or to track down bugs. If a binary-only software package misbehaves, you often can't do anything about it at all - it is a black box welded shut.

Tore
tore is offline   Reply With Quote
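The two checks described in post #13, as an added example that is not part of the thread and not Runbox's own code: it finds the lower-most Received header naming a Runbox host, reads the protocol after `with`, and then checks whether an attachment still carries data. The host `foo.runbox.com` is the one quoted in the post; `mail.runbox.com`, the `.example` hosts and all three sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# "by <host> with <protocol>" clause, in the layout quoted in the post above.
BY_WITH = re.compile(r"\bby\s+(\S+)\s+with\s+(\w+)", re.I)

def runbox_entry(msg, domain="runbox.com"):
    """(host, protocol) from the lower-most Received header naming a Runbox host."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = BY_WITH.search(str(hdr))
        if m and m.group(1).lower().endswith("." + domain):
            return m.group(1).lower(), m.group(2).lower()
    return None

def surviving_attachments(msg):
    """(filename, decoded size) for each attachment that still carries data."""
    data = [(p.get_filename(), p.get_payload(decode=True)) for p in msg.walk() if p.get_filename()]
    return [(n, len(d)) for n, d in data if d]

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    entry = runbox_entry(msg)
    if entry is None:
        return "no Runbox hop found"
    if entry[1] == "local":
        return "fetched from external POP3, not scanned"
    if not surviving_attachments(msg):
        return "received by SMTP, attachment already stripped upstream"
    return "received by SMTP with attachment present"

def sample(received, extra_part):
    # Constructed message; hosts other than the post's foo.runbox.com are placeholders.
    heads = "".join("Received: " + r + "\n" for r in received)
    return (heads + 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nhello\n" + extra_part + "--b--\n")

ATTACH = ("--b\nContent-Type: application/octet-stream\n"
          'Content-Disposition: attachment; filename="sample.bin"\n'
          "Content-Transfer-Encoding: base64\n\nQ09OU1RSVUNURUQ=\n")  # harmless bytes
NOTICE = "--b\nContent-Type: text/plain\n\n[attachment removed]\n"
UPSTREAM = "from sender.example by relay.example with esmtp"
FETCHED = sample(["from foo.runbox.com by mail.runbox.com with esmtp",
                  "from localhost by foo.runbox.com with local", UPSTREAM], ATTACH)
STRIPPED = sample(["from relay.example by foo.runbox.com with esmtp", UPSTREAM], NOTICE)
INTACT = sample(["from relay.example by foo.runbox.com with esmtp", UPSTREAM], ATTACH)
if __name__ == "__main__":
    for name in ("FETCHED", "STRIPPED", "INTACT"):
        print(name, "->", classify(globals()[name]))
```

Only the last outcome is a message the SMTP-time scanner actually had a chance to reject.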
Old 18 May 2004, 02:14 PM   #14
AdamStac
Junior Member
 
Join Date: May 2004
Posts: 7
I can't for the life of me understand why I just PAID for a subscription for a service that cheaps out, and goes for free stuff...open source or not. We pay them...PAY THEM ...to get our mail for us, and give us an email account! And they use free stuff, that is insane! If I would have known that just 5 days ago then I would have passed on this service. Unbelievable!?

Quote:
From: "xxxxxxxxx" <xxxxxx@runbox.com>
To: <support@runbox.com>
Subject: What Anti-Virus Software?
Date: Thu, 6 May 2004 14:48:08 -0400
Quote:
I was just curious of the Anti-Virus software that Runbox uses to scan
emails. I see that you use SpamAssassin for spam, but nothing is mentioned
about the AV software that you use.

Thanks for the info in advance,

-Adam
That was an email that I sent BEFORE subscribing to the service! I'd like some answers. Maybe now I'll get attention!

Oh yea I forgot...and they don't scan our POP mail?! We pay for this right...wasn't that one of the benefits of having the account, and PAYING you?!

NOT TO MENTION THIS!
Quote:
Geir
Essential Contributor

Registered: Sep 2001
Location: Oslo, Norway
Posts: 315

Representative of:
Runbox.com


The anti-virus software we use, Clam AntiVirus, was chosen because it's an effective Open Source scanner. Runbox prefers Open Source software, although ClamAV doesn't have access to the same virus databases that subscription-based software does.

The reason POP retrieved email isn't scanned for viruses is that the scanning happens SMTP-time, which allows for rejection (not bouncing) of infected messages. This means that retrieved mail enters our system "after" the point at which messages are scanned, and can't be rejected.

We'll try to add scanning of retrieved email later, with the option to delete or save infected messages to a folder.

- Geir
Source
So my question is...what else are we paying for and not getting...They are using all "FREE" open source software...open your eyes people!

Bumfumbled,

-Adam

Last edited by AdamStac : 18 May 2004 at 02:40 PM.
AdamStac is offline   Reply With Quote
Old 18 May 2004, 02:27 PM   #15
JeffK
 Moderator 
 
Join Date: Feb 2002
Location: Kingaroy, AU
Posts: 3,179
Adam, I could well be wrong but we haven't actually determined that Runbox don't pay for their use of the anti-virus product, have we?

Jeff
JeffK is offline   Reply With Quote
All times are GMT +9.