A dangerous claim to make - Page 2


Re: A dangerous claim to make

>Spam gets given a score. Above 15 it gets sent to /dev/null. 10 to 15 it
>gets logged and bounced with an explanation, so if this happened we'd
>hopefully hear by phone. 4.5 to 10 gets delivered, but marked with
>"***SPAM***" in the subject, and I encourage users to tell me if these
>marks are wrong -- and there is about one false positive per month,
>usually with a score of about 4.7, generally "welcome" ads, from existing

I set up SpamAssassin too. Quite a complex program, but also quite powerful. I
almost never get a spam.

I wrote a plugin for it:


It provides a way to say:

Email addressed to public@example.com is probably spam.

It'll also test the In-Reply-To: against message IDs and
if it turns out that the message is in response to an email
you had sent out, lower its spam score.

SpamAssassin is amazingly capable, I almost never get a spam email
that wasn't detected. (I do forward them to a local spool and periodically
scan the subject & from)

So far, the only false positives have been clients responding to my test

If I install it for someone else and send them the spam-trigger GTUBE test
string, they reply with "I got your email Blah blah blah here it is:" and they
leave the GTUBE string in. That gets triggered; I've had to keep my spam for
that one case.


http://www.geniegate.com Custom web programming
guhzo_42@lnubb.pbz (rot13)                User Management Solutions
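
The two checks described in this post, combined with the score bands from the quoted text, as an added Python sketch; it is not the poster's plugin and does not use SpamAssassin's plugin API. The weights `TRAP_PENALTY` and `REPLY_BONUS`, the function names, the exact band boundaries and the sample messages in the usage are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

MSG_ID = re.compile(r"<[^<>\s]+>")
TRAP_ADDRESSES = {"public@example.com"}   # address named in the post
TRAP_PENALTY = 3.0                        # assumed weight
REPLY_BONUS = -2.0                        # assumed weight; keep it small, since
                                          # In-Reply-To is sender-controlled

def remember_sent(raw, sent_ids):
    """Record the Message-ID of a message we sent out."""
    msg = message_from_string(raw)
    sent_ids.update(MSG_ID.findall(msg.get("Message-ID", "")))

def adjusted_score(raw, base_score, sent_ids):
    """Apply the trap-address and reply-to-our-mail adjustments."""
    msg = message_from_string(raw)
    score = base_score
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {addr.lower() for _, addr in getaddresses(headers)}
    if rcpts & TRAP_ADDRESSES:
        score += TRAP_PENALTY
    # References is checked as well as In-Reply-To (a generalization).
    refs = MSG_ID.findall(msg.get("In-Reply-To", "") + " " + msg.get("References", ""))
    if any(ref in sent_ids for ref in refs):
        score += REPLY_BONUS
    return score

def disposition(score):
    """Score bands from the quoted text; boundary handling is assumed."""
    if score > 15:
        return "discard"
    if score >= 10:
        return "bounce"
    if score >= 4.5:
        return "tag"
    return "deliver"
```
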

Re: A dangerous claim to make

On Mon, 21 Mar 2005, Toby Inkster wrote:

> Fat Sam wrote:
> > <quote>
> > We will 100% guarantee that you will NEVER receive another email virus
> > again.
> > </quote>
> That's almost do-able.
> At work I set up a server-side virus and spam scanning system using
> Postfix, Amavisd, Bitdefender, ClamAV, SpamAssassin, Razor, Pyzor, DCC,
> several RBLs and SURBL.
> This was about 9 months ago.
> In the mean time, it hasn't let a single virus through. (It's blocked
> about 20,000 of them.) The only virus problem we've had on the network was
> caused by an infected laptop. It's also blocking about 96% of spam. (With
> only about half a dozen false positives in the last 6 months.)
> Of course, I can't *guarantee* that it will never let a virus through, but
> I can't think of a way that a virus could get through without defanging
> itself in the process. (Amavisd automatically blocks attached files with
> naughty file extensions; and the virus scanners are able to scan inside
> ZIP files and so on.)

My ISP mail scanner currently deletes all attachments for
password-protected *.zip files and all files with executable extensions[1]
as well as all HTML attachments with "<object>" tags in them[2].  I
recently received a complete copy of W32/Lovgate.X@mm because it had been
bounced to my forged address and the attachment was quoted as plaintext in
the bounce. The mailscanner at my ISP identified the existence of the worm
but it appears when it handed off the message to the module that deletes
suspicious attachments, that module used the bounce's headers instead of
the quoted email's headers and couldn't find the attachment to delete it.
Pine simply displayed the worm as inline base64 but UUDEVIEW was able to
decode the attachment, "data.exe", with no problem.  It's now on my hard
drive renamed to "data.xex" to make it unexecutable.

This sort of failure to filter is only one of many that are possible.
New archive file formats may not be immediately supported by anti-virus
scanners (I have received several suspected trojans in *.rar files
before *.rar scanning (or just *.rar deletion) was added to my ISP's
antivirus scanner).

To add some humour to the situation, the system that bounced the worm to
me in completely intact and possibly infectious form (if decoded by a
recipient) is a company in Australia or New Zealand (firetrust.com) that
sells anti-spam and anti-virus filtering software.

[1] An attempt to send me some harmless executable files[3] that I had
    originally created[4] and had previously had hosted by my computer
    club almost failed as the *.com file and *.scr (a DEBUG script, not
    a screensaver[5]) was deleted by the scanner.  Only the fact that the
    files were sent both as is and in a *.tar.gz archive enabled me to
    get the files from the *.tar.gz archive.
[2] I have only seen such deletions in spam.  Poor, poor spammy doesn't
    get his/her/its message through.  One such spammer is an outfit that
    appears to advertise the ability to send multimedia marketing
[3] See http://www.chebucto.ns.ca/~af380/Tips.html#Tip004
[4] My original copies were on a floppy that had become unreadable.
[5] Now renamed to have a DSC (Debug Script) extension.
Mar 21, 2005 -- "Celebration of the International Day for the Elimination
of Racial Discrimination: UNESCO SHS" -- Unwrap the URL:  
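
The filtering gap described in this post (an attachment that exists only as base64 text quoted inside a bounce body, so a scanner that trusts the outer MIME headers finds nothing to delete), as an added Python sketch of a scanner-side check; it is not code from the post or from any mail scanner named in the thread. The extension list, function names and the sample bounce are assumptions, and the sample payload is constructed placeholder bytes.

```python
import base64
import re
from email import message_from_bytes, policy

RISKY_EXT = (".exe", ".scr", ".com", ".pif")     # assumed blocklist
FULL = re.compile(r"^[A-Za-z0-9+/]{40,76}$")      # a full base64 body line
TAIL = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")   # short, possibly padded last line
NAME = re.compile(r'name="?([^";\r\n]+)', re.I)

def inline_base64_payloads(text):
    """Yield (filename_hint, bytes) for base64 runs pasted into plain text."""
    run, hint = [], None
    for line in text.splitlines() + [""]:
        s = line.lstrip("> \t").strip()           # tolerate "> " quoting
        if FULL.match(s):
            run.append(s)
            continue
        tail = [s] if run and TAIL.match(s) else []
        for lines in (run + tail, run):           # retry without a bogus tail
            if len(lines) < 2:
                continue
            try:
                yield hint, base64.b64decode("".join(lines))
                break
            except ValueError:
                pass
        run = []
        m = NAME.search(s)
        hint = m.group(1) if m else hint

def scan(raw):
    """Check real MIME parts (walk() descends into message/rfc822) and body text."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(("attachment", name))
        if part.get_content_type() == "text/plain":
            for hint, blob in inline_base64_payloads(part.get_content()):
                if blob[:2] == b"MZ" or (hint or "").lower().endswith(RISKY_EXT):
                    findings.append(("quoted-in-body", hint))
    return findings

def build_sample_bounce():
    """Constructed bounce: placeholder bytes, not a real program, quoted inline."""
    fake = b"MZ" + b"constructed placeholder, not a real program " * 4
    return (b"From: MAILER-DAEMON@mail.example\nSubject: Undeliverable mail\n"
            b"Content-Type: text/plain; charset=us-ascii\n\nOriginal message follows:\n\n"
            b'Content-Type: application/octet-stream; name="data.exe"\n'
            b"Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(fake))
```
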

Re: A dangerous claim to make

On Mon, 21 Mar 2005 13:32:31 +0000, Fat Sam

>There's a local IT company (http://www.s3t.co.uk ), just up the road from
>where I live, who've made a very dangerous claim on their local radio
>In their advert, they say they'll implement a complete IT security
>solution for your business...
>That sounds reasonable enough...
>But then they make the following claim....
>We will 100% guarantee that you will NEVER receive another email virus
>Now, the only way I can see them achieving this is by either disabling
>email attachments, which will cripple some businesses. Or else disabling
>all email capability altogether...
>It sounds to me like they're preying on business managers and owners who
>have a very loose grasp of modern technology and how it works...
>It also sounds to me like a claim that could come back and haunt them in
>a very expensive way...

Doesn't sound like an unreasonable claim to me. There are many
technologies available to essentially eliminate email viruses and
spam. Most work remarkably well with a little administration.
Marek Zyskowski

Re: A dangerous claim to make

Marek Zyskowski wrote

> Doesn't sound like an unreasonable claim to me. There are many
> technologies available to essentially eliminate email viruses

There's a world of difference between both your "essentially eliminate" and
Toby's "almost do-able" and a 100% guarantee!

Charles Sweeney
