At 13:40 10/09/02 +1200, simon wrote:
[snip]
Normally I wouldn't reply to this sort of thing on list, but I've already
received about 10 replies to this message which I did *not* send. Half of
them were virus scanner reports, the other half were people saying "huh?",
or "who are you?".
For those that didn't bother to check the headers, here are the last few:
Received: from mta204-rme.xtra.co.nz (mta204-rme.xtra.co.nz [210.86.15.147])
by mailserv.waikato.ac.nz (8.11.3/8.10.2) with ESMTP id g8A1eL732069
for
Simon Byrnand wrote:
At 13:40 10/09/02 +1200, simon wrote:
[snip]
Normally I wouldn't reply to this sort of thing on list, but I've already received about 10 replies to this message which I did *not* send.
Suuuuuuuure ;-)
Which begs an interesting question, why did Xtra's much-touted virus scanner let it through ? :)
Don't think it did.
------------------ Virus Warning Message ------------------
Found virus WORM_KLEZ.H in file 0px The uncleanable file is deleted.
-------------------------------------------------------------
Or do you mean, why did it let the disinfected message through? Interesting question actually. Xtra probably decided not to stop them, so as not to interfere with Telecom's profitability^W^Wusers' email too much.
-- Juha Saarinen
- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
At 14:10 10/09/02 +1200, Juha Saarinen wrote:
Normally I wouldn't reply to this sort of thing on list, but I've already received about 10 replies to this message which I did *not* send.
Suuuuuuuure ;-)
<fwap> :)
Which begs an interesting question, why did Xtra's much-touted virus scanner let it through ? :)
Don't think it did.
------------------ Virus Warning Message ------------------
Found virus WORM_KLEZ.H in file 0px The uncleanable file is deleted.
-------------------------------------------------------------
Interesting, I don't see anything like that in the copy I received in Eudora. Just a line that said
Content-Type: text/html;
Even if I view the full message source there is no warning anything like that. Besides, I received warnings from other people's virus scanners, not Xtra's. Among them were "Marshal Integrated McAfee Antivirus", and "InoculateIT Ver 6.x". For other people's virus scanners to pick something up, then Xtra's - by definition - must have let something through. Whether what got let through was dangerous or not is another matter.
Or do you mean, why did it let the disinfected message through? Interesting question actually. Xtra probably decided not to stop them, so as not to interfere with Telecom's profitability^W^Wusers' email too much.
Good idea, let's just clean the virus off and pass the rest of the message including virus-attached private documents through. Oh wait, maybe that's not such a good idea after all.... ;)
Regards, Simon
At 14:10 10/09/02 +1200, Juha Saarinen wrote:
Normally I wouldn't reply to this sort of thing on list, but I've already received about 10 replies to this message which I did *not* send.
Suuuuuuuure ;-)
<fwap> :)
Which begs an interesting question, why did Xtra's much-touted virus scanner let it through ? :)
Don't think it did.
------------------ Virus Warning Message ------------------
Found virus WORM_KLEZ.H in file 0px The uncleanable file is deleted.
-------------------------------------------------------------
Interesting, I don't see anything like that in the copy I received in Eudora. Just a line that said
Content-Type: text/html;
Even if I view the full message source there is no warning anything like that.
----- Original Message -----
From: "Simon Byrnand"
Besides, I received warnings from other people's virus scanners, not Xtra's.
Among them were "Marshal Integrated McAfee Antivirus", and "InoculateIT Ver 6.x".
For other people's virus scanners to pick something up, then Xtra's - by definition - must have let something through. Whether what got let through was dangerous or not is another matter.
Yes - nortons on this machine still 'warns' that the email may be infected - must be the remnants giving false positives.
Or do you mean, why did it let the disinfected message through? Interesting question actually. Xtra probably decided not to stop them, so as not to interfere with Telecom's profitability^W^Wusers' email too much.
Good idea, lets just clean the virus off and pass the rest of the message including virus-attached private documents through. Oh wait, maybe thats not such a good idea afterall.... ;)
Xtra passes on the remains lest it be accused of preventing legitimate remaining attachments from being delivered. The private docs that remain can be entertaining to read.....
Regards, Simon
At 14:10 10/09/02 +1200, Juha Saarinen wrote:
Normally I wouldn't reply to this sort of thing on list, but I've already received about 10 replies to this message which I did *not* send.
Suuuuuuuure ;-)
<fwap> :)
Which begs an interesting question, why did Xtra's much-touted virus scanner let it through ? :)
Don't think it did.
------------------ Virus Warning Message ------------------
Found virus WORM_KLEZ.H in file 0px The uncleanable file is deleted.
-------------------------------------------------------------
Interesting, I don't see anything like that in the copy I received in Eudora. Just a line that said
Content-Type: text/html;
Even if I view the full message source there is no warning anything like that.
I found this message in the AV logs (note the envelope sender is not the same as the From: header...):
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: mail from xxx(a)xtra.co.nz, to nznog(a)list.waikato.ac.nz
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: scanning file email-body
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: email-body contains no virus
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: scanning file 0px
Date: 09/10/2002 13:40:16
Method: SMTP
From: xxx(a)xtra.co.nz
To: nznog(a)list.waikato.ac.nz
File: 0px
Action: The uncleanable file is deleted.
Virus: WORM_KLEZ.H
----------------------------------
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: 0px contains a virus WORM_KLEZ.H
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: The uncleanable file is deleted.
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: scanning file ADSAdClient31
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: ADSAdClient31 contains no virus
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: mail delivered from xxx(a)xtra.co.nz to nznog(a)list.waikato.ac.nz
Cheers, Des
----- Original Message -----
From: "Simon Byrnand"
Besides, I received warnings from other people's virus scanners, not Xtra's.
Among them were "Marshal Integrated McAfee Antivirus", and "InoculateIT Ver 6.x".
For other people's virus scanners to pick something up, then Xtra's - by definition - must have let something through. Whether what got let through was dangerous or not is another matter.
Or do you mean, why did it let the disinfected message through? Interesting question actually. Xtra probably decided not to stop them, so as not to interfere with Telecom's profitability^W^Wusers' email too much.
Good idea, lets just clean the virus off and pass the rest of the message including virus-attached private documents through. Oh wait, maybe thats not such a good idea afterall.... ;)
Regards, Simon
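An added example, not part of the thread: a small parser for scanner log lines in the shape Des quoted above, grouping the lines by SMTP session and summarising what the gateway did with each message. The sample log is constructed for the example; it reuses the redacted sender, recipient, file names and virus name from Des's extract (with plain "@" instead of the archive's "(a)") and adds an invented clean session for contrast. The regexes are this example's guess at the line shapes, not the vendor's documented format.

```python
import re
from collections import OrderedDict

# Constructed sample log, modelled on the scanner log quoted in the thread.
# Session 4040 mirrors Des's extract; session 4041 is invented to show a clean message.
SAMPLE_LOG = """\
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: mail from xxx@xtra.co.nz, to nznog@list.waikato.ac.nz
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: scanning file email-body
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: email-body contains no virus
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: scanning file 0px
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: 0px contains a virus WORM_KLEZ.H
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: The uncleanable file is deleted.
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: scanning file ADSAdClient31
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: ADSAdClient31 contains no virus
09/10/2002 13:40:16 smtp[27032]: smtp[4040]: mail delivered from xxx@xtra.co.nz to nznog@list.waikato.ac.nz
09/10/2002 13:41:02 smtp[27032]: smtp[4041]: mail from alice@example.net, to bob@example.org
09/10/2002 13:41:02 smtp[27032]: smtp[4041]: scanning file email-body
09/10/2002 13:41:02 smtp[27032]: smtp[4041]: email-body contains no virus
09/10/2002 13:41:02 smtp[27032]: smtp[4041]: mail delivered from alice@example.net to bob@example.org
"""

# Assumed line shapes (this example's guess, not the vendor's documented format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) smtp\[\d+\]: smtp\[(?P<sid>\d+)\]: (?P<msg>.*)$"
)
FROM_RE = re.compile(r"^mail from (?P<from>\S+), to (?P<to>\S+)$")
SCAN_RE = re.compile(r"^scanning file (?P<file>\S+)$")
VIRUS_RE = re.compile(r"^(?P<file>\S+) contains a virus (?P<virus>\S+)$")
DELIVERED_RE = re.compile(r"^mail delivered from ")


def parse_scan_log(text):
    """Group scanner log lines by SMTP session id and summarise each message:
    envelope sender/recipient (what 'mail from' records), files scanned,
    infections with the action taken, and whether the mail was delivered."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a scanner line in the expected shape; skip it
        sid, msg = m.group("sid"), m.group("msg")
        s = sessions.setdefault(sid, {
            "first_seen": m.group("ts"), "sender": None, "recipient": None,
            "scanned": [], "infections": [], "delivered": False,
        })
        if (fm := FROM_RE.match(msg)):
            s["sender"], s["recipient"] = fm.group("from"), fm.group("to")
        elif (sm := SCAN_RE.match(msg)):
            s["scanned"].append(sm.group("file"))
        elif (vm := VIRUS_RE.match(msg)):
            s["infections"].append({"file": vm.group("file"), "virus": vm.group("virus"), "action": None})
        elif msg.startswith("The ") and s["infections"] and s["infections"][-1]["action"] is None:
            # the action line ("The uncleanable file is deleted.") follows its detection
            s["infections"][-1]["action"] = msg
        elif DELIVERED_RE.match(msg):
            s["delivered"] = True
    return sessions


def infected_but_delivered(sessions):
    """Session ids where a virus was found and the message still went out,
    i.e. the 'strip the nasty bits, deliver the bones' cases discussed in the thread."""
    return [sid for sid, s in sessions.items() if s["infections"] and s["delivered"]]


if __name__ == "__main__":
    for sid, s in parse_scan_log(SAMPLE_LOG).items():
        print(sid, s["sender"], "->", s["recipient"], "infections:", s["infections"], "delivered:", s["delivered"])
```

Correlating the envelope sender recorded here with the From: header of the delivered copy is the check that exposed the forged header in this case; the log records only the envelope, so the header has to come from the message itself.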
From: "Simon Byrnand"
Besides, I received warnings from other people's virus scanners, not Xtra's. Among them were "Marshal Integrated McAfee Antivirus", and "InoculateIT Ver 6.x".
For other people's virus scanners to pick something up, then Xtra's - by definition - must have let something through. Whether what got let through was dangerous or not is another matter.
Xtra didn't let it through, their servers probably never saw the message. I gather Klez has its own SMTP Engine and may choose to send direct rather than using the configured SMTP parameters. Thus some infected messages would bypass Xtra's outgoing SMTP server.
To trap all outgoing viruses the ISP needs to run an invisible SMTP proxy, or the onsite firewall should trap/redirect all outgoing port 25 sessions to the ISP's SMTP smarthost.
Cheers BG.
At 14:45 10/09/02 +1200, Brian Gibbons wrote:
Xtra didn't let it through, their servers probably never saw the message.
I gather Klez has its own SMTP Engine and may choose to send direct rather than using the configured SMTP parameters. Thus some infected messages would bypass Xtra's outgoing SMTP server.
To trap all outgoing viruses the ISP needs to run an invisible SMTP proxy, or the onsite firewall should trap/redirect all outgoing port 25 sessions to the ISP's SMTP smarthost.
Except Xtra's mailservers were in the headers, so unless the virus knows how to forge those, I don't think so ;-)
Regards, Simon
(Besides, Des just pasted the output from their virus scanner log showing it)
On Tue, 10 Sep 2002, Simon Byrnand wrote:
Except Xtra's mailservers were in the headers, so unless the virus knows how to forge those, I don't think so ;-)
I think Klez attempts to send itself via the mail server for the domain of the infected user, hence Xtra's servers in the headers.
-- Juha Saarinen
Xtra's virus scanner did not let any virus through - merely stripped the
nasty bits then delivered the bones - exactly as it is designed to work!
And yes we will be in touch with the culprit........
Des
Xtra Security Team
----- Original Message -----
From: "Simon Byrnand"
At 13:40 10/09/02 +1200, simon wrote:
[snip]
Normally I wouldn't reply to this sort of thing on list, but I've already received about 10 replies to this message which I did *not* send. Half of them were virus scanner reports, the other half were people saying "huh?", or "who are you?".
For those that didn't bother to check the headers, here are the last few:
Received: from mta204-rme.xtra.co.nz (mta204-rme.xtra.co.nz [210.86.15.147]) by mailserv.waikato.ac.nz (8.11.3/8.10.2) with ESMTP id g8A1eL732069 for ; Tue, 10 Sep 2002 13:40:21 +1200
Received: from mta2-rme.xtra.co.nz ([210.86.15.140]) by mta204-rme.xtra.co.nz with ESMTP id <20020910014016.CDID5662.mta204-rme.xtra.co.nz(a)mta2-rme.xtra.co.nz> for ; Tue, 10 Sep 2002 13:40:16 +1200
Received: from Anqm ([203.96.107.54]) by mta2-rme.xtra.co.nz with SMTP id <20020910013935.DSEG19105.mta2-rme.xtra.co.nz(a)Anqm> for ; Tue, 10 Sep 2002 13:39:35 +1200
The message clearly comes from an Xtra user, presumably infected with a virus.
Which begs an interesting question, why did Xtra's much-touted virus scanner let it through ? :)
Regards, Simon Byrnand (The real one :)
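An added example, not part of the thread: walking the Received: chain Simon quoted in the order the message actually travelled, and comparing the envelope sender with the header From: as Des did from the scanner log. The headers below are constructed for the example: the three Received: lines reproduce the hops quoted above (with the recipient the archive stripped filled in as the list address, and "@" in place of "(a)"), Return-Path is taken from the envelope sender in Des's log, and the From: address is a placeholder, since the forged address itself is not on the page. The hop observations are this example's heuristics, not anything the scanner reports.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers (see lead-in). Received: lines are stacked most-recent-first,
# as every relay prepends its own.
RAW_HEADERS = """\
Return-Path: <xxx@xtra.co.nz>
Received: from mta204-rme.xtra.co.nz (mta204-rme.xtra.co.nz [210.86.15.147]) by mailserv.waikato.ac.nz (8.11.3/8.10.2) with ESMTP id g8A1eL732069 for <nznog@list.waikato.ac.nz>; Tue, 10 Sep 2002 13:40:21 +1200
Received: from mta2-rme.xtra.co.nz ([210.86.15.140]) by mta204-rme.xtra.co.nz with ESMTP id <20020910014016.CDID5662.mta204-rme.xtra.co.nz@mta2-rme.xtra.co.nz> for <nznog@list.waikato.ac.nz>; Tue, 10 Sep 2002 13:40:16 +1200
Received: from Anqm ([203.96.107.54]) by mta2-rme.xtra.co.nz with SMTP id <20020910013935.DSEG19105.mta2-rme.xtra.co.nz@Anqm> for <nznog@list.waikato.ac.nz>; Tue, 10 Sep 2002 13:39:35 +1200
From: "Simon Byrnand" <simon@forged.example>
To: nznog@list.waikato.ac.nz
Subject: So cool a flash,enjoy it

"""

# "from HELO (rdns [ip]) by RELAY ... with PROTO"; the rdns name is optional,
# matching the sendmail/ESMTP shapes in the quoted headers.
HOP_RE = re.compile(
    r"from (?P<helo>\S+) \((?:(?P<rdns>[^\s\[\]]+) )?\[(?P<ip>[0-9.]+)\]\) by (?P<by>\S+).*? with (?P<proto>\S+)"
)


def transit_path(raw):
    """Hops in travel order (origin first). The topmost Received: is the last relay,
    so the header list is reversed; the first hop is the one you trace back to."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold any wrapped header
        if m:
            hops.append(m.groupdict())
    return hops


def hop_observations(hop):
    """Heuristic notes on one hop (this example's assumptions, not scanner output):
    a HELO name without a dot, no name recorded beside the IP, and plain SMTP
    instead of ESMTP are what a client speaking SMTP itself tends to look like."""
    notes = []
    if "." not in hop["helo"]:
        notes.append("helo-not-fqdn")
    if not hop["rdns"]:
        notes.append("no-rdns-recorded")
    if hop["proto"] == "SMTP":
        notes.append("plain-smtp")
    return notes


def envelope_vs_header_from(raw):
    """Compare the envelope sender (Return-Path, what the scanner logged as 'mail from')
    with the header From: that the recipients saw."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1]
    hdr = parseaddr(msg.get("From", ""))[1]
    return {"envelope": env, "header": hdr, "match": env.lower() == hdr.lower()}


if __name__ == "__main__":
    for hop in transit_path(RAW_HEADERS):
        print(hop["ip"], hop["helo"], "->", hop["by"], hop["proto"], hop_observations(hop))
    print(envelope_vs_header_from(RAW_HEADERS))
```

Only the hop recorded by a relay you trust is evidence; anything below the first trusted relay in the chain can be written by the sending software, which is why the origin here is taken as the hop that Xtra's own MTA recorded rather than any earlier line.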
On Tue, 2002-09-10 at 14:11, Des Berryman wrote:
Xtra's virus scanner did not let any virus through - merely stripped the nasty bits then delivered the bones - exactly as it is designed to work!
Hmp! it fooled me too. I assumed that it was *our* AV that stripped out klez! We must be using the same software.
OK, Hats off to Xtra! after I had made a cynical (private) reply to Simon...
BTW Des, is it the Xtra MTA which is adding the X-envelope-{to, from} headers? It's a good idea.
-- Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
----- Original Message -----
From: "Russell Fulton"
On Tue, 2002-09-10 at 14:11, Des Berryman wrote:
Xtra's virus scanner did not let any virus through - merely stripped the nasty bits then delivered the bones - exactly as it is designed to work!
Hmp! it fooled me too. I assumed that it was *our* AV that stripped out klez! We must be using the same software.
OK, Hats off to Xtra! after I had made a cynical (private) reply to Simon...
BTW Des, is it the Xtra MTA which is adding the X-envelope-{to, from} headers? It's a good idea.
It's a great idea, unfortunately Xtra cannot take credit for this; we don't add things like that. It is most likely Waikato's mail system or list manager!
-- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
Cheers, Des
At 14:11 10/09/02 +1200, Des Berryman wrote:
Xtra's virus scanner did not let any virus through - merely stripped the nasty bits then delivered the bones - exactly as it is designed to work! And yes we will be in touch with the culprit........
Hi Des,
Out of interest, does Xtra's virus scanner not attach a virus warning when cleaning "outgoing" messages ? I quite frequently receive messages similar to this with no message content with no virus, and no virus warning either. In all cases they trace back to Xtra users.
Regards, Simon
Maybe it's time to reassess that policy.
I get complaints from our users because the XTRA system happily passes on the remains of the Klez virus - forged headers in messages. Surely your virus scanner can drop those completely... ours does :-)
Gordon Smith CCNA Network Operations Manager
MoreNet Ltd
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Des Berryman
Sent: Tuesday, 10 September 2002 2:12 PM
To: nznog(a)list.waikato.ac.nz
Subject: Re: So cool a flash,enjoy it
Xtra's virus scanner did not let any virus through - merely stripped the nasty bits then delivered the bones - exactly as it is designed to work! And yes we will be in touch with the culprit........
Des Xtra Security Team
As stated previously, Xtra passes on the remains lest it be accused of
preventing legitimate
remaining attachments from being delivered.
This policy may be reviewed in time but will stand for the meanwhile. I'm
well aware that it can be a pain, however the number of viri that are
filtered is dropping. One can only assume that there are less infections and
this will continue to decrease rapidly.
Cheers, Des
----- Original Message -----
From: "Gordon Smith"
Maybe it's time to reassess that policy.
I get complaints from our users because the XTRA system happily passes on the remains of the Klez virus - forged headers in messages. Surely your virus scanner can drop those completely... ours does :-)
Gordon Smith CCNA Network Operations Manager
MoreNet Ltd
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Des Berryman
Sent: Tuesday, 10 September 2002 2:12 PM
To: nznog(a)list.waikato.ac.nz
Subject: Re: So cool a flash,enjoy it
Xtra's virus scanner did not let any virus through - merely stripped the nasty bits then delivered the bones - exactly as it is designed to work! And yes we will be in touch with the culprit........
Des Xtra Security Team
On Wed, 11 Sep 2002, Des Berryman wrote:
As stated previously, Xtra passes on the remains lest it be accused of preventing legitimate remaining attachments from being delivered. This policy may be reviewed in time but will stand for the meanwhile. I'm well aware that it can be a pain, however the number of viri that are filtered is dropping. One can only assume that there are less infections and this will continue to decrease rapidly.
"Viruses", please, and no top-posting either (it's a capital crime on the Internet). Doesn't your policy carry some severe risks in terms of breaching customer privacy? Many viruses send out documents etc picked at random, which may or may not contain embarassing and/or confidential info. I suppose it's a grey area legally until it's tried. -- Juha Saarinen - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Juha Saarinen
Sent: Wednesday, 11 September 2002 8:57 AM
To: Des Berryman
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: So cool a flash,enjoy it
"Viruses", please, and no top-posting either (it's a capital crime on the Internet).
Actually, to be really pedantic, isn't it virii?
Bottom posted to please Juha :-)
Cheers, Gordon
Yes, I must admit that since XTRA started virus scanning our number of interceptions dropped by approx 7000 per month.
The problem with Klez is the return path is valid, but the from address isn't. So it will make it through mail systems that require a valid sender domain, since it is the envelope that is tested, not the content.
Perhaps adding an X-Virus tag in the headers could be an option? Then you could deliver it, and we could drop it at our end :-)
Cheers, Gordon
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Des Berryman
Sent: Wednesday, 11 September 2002 8:52 AM
To: nznog(a)list.waikato.ac.nz
Subject: Re: So cool a flash,enjoy it
As stated previously, Xtra passes on the remains lest it be accused of preventing legitimate remaining attachments from being delivered. This policy may be reviewed in time but will stand for the meanwhile. I'm well aware that it can be a pain, however the number of viri that are filtered is dropping. One can only assume that there are less infections and this will continue to decrease rapidly.
Cheers, Des
At 09:01 11/09/2002, Gordon Smith wrote:
Yes, I must admit that since XTRA started virus scanning our number of interceptions dropped by approx 7000 per month.
The problem with Klez is the return path is valid, but the from address isn't. So it will make it through mail systems that require a valid sender domain, since it is the envelope that is tested, not the content.
Perhaps adding an X-Virus tag in the headers could be an option? Then you could deliver it, and we could drop it at our end :-)
Is that really what you'd want to do? What about for email that contains two attachments, one infected and one not? Shouldn't the non-infected attachment get through?
-- Ted Grenfell
Network Operations Manager, Xtra Limited
Mob +64 25 435 455; DDI +64 9 359 5854; Fax +64 9 362 8007
Level 14, Xtra Central, 16 Kingston St, Private Bag 92028, Auckland
This email is for the person(s) identified above, and is confidential to the sender and the person(s). No one else is authorised to use or disseminate this email or its contents. The email or its contents do not necessarily represent the views of Xtra Limited or Telecom.
On Wed, 2002-09-11 at 09:09, Ted Grenfell wrote:
Is that really what you'd want to do? What about for email that contains two attachments, one infected and one not? Shouldn't the non-infected attachment get through?
Not if the user hasn't meant to send it, which is the case with a number of virii.
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Jeremy Brooking
Sent: Wednesday, 11 September 2002 9:12 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: RE: So cool a flash,enjoy it
On Wed, 2002-09-11 at 09:09, Ted Grenfell wrote:
Is that really what you'd want to do? What about for email that contains two attachments, one infected and one not? Shouldn't the non-infected attachment get through?
Not if the user hasn't meant to send it, which is the case with a number of virii.
So we're damned if we do and damned if we don't. Excellent.
As soon as we start dropping all attachments BS will be spouting his usual bs that "Xtra is blocking your 10,000,000,000,000,000 dollar order from coming in, just because your customer happens to have a virus."
What would Brian Boitano do?
On Wed, 11 Sep 2002, Gordon Smith wrote:
I get complaints from our users because the XTRA system happily passes on the remains of the Klez virus - forged headers in messages. Surely your virus scanner can drop those completely... ours does :-)
I think part of the problem is that viruses used to be accidentally sent attached to other files. Thus it made much more sense for your anti-virus software to try and save as much of the email as possible. Thus Trend's software will first try to remove the virus from the attachment, if it can't do that it will delete the whole attachment and if it can't do that it will block the whole email. This makes sense to me since it's doing the minimum needed to keep the receiver safe. This is especially the case with Xtra's setup where ALL email is being filtered and customers can't opt-out of the system.
If the anti-virus software just dropped all virus emails to the floor like some in this thread seem to suggest then you would get emails with legit attached viruses (I get them) being completely lost instead of just the virus being removed.
As for the privacy aspects, the person who is infected is sending out the files not Xtra.
-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
On Wed, 11 Sep 2002, Simon Lyall wrote:
As for the privacy aspects, the person who is infected is sending out the files not Xtra.
That's open to contention. I don't think anybody would set up his/her system to send out files on purpose. It would be accidental, or perhaps more accurately, due to malicious activity. You could argue that Xtra is compounding the damage by blindly sending out the files, when it knows that it's the result of virus activity.
-- Juha Saarinen
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Juha Saarinen
Sent: Wednesday, 11 September 2002 9:18 a.m.
To: Simon Lyall
Cc: nznog(a)list.waikato.ac.nz
Subject: RE: So cool a flash,enjoy it
On Wed, 11 Sep 2002, Simon Lyall wrote:
As for the privacy aspects, the person who is infected is sending out
the files not Xtra.
That's open to contention. I don't think anybody would set up his/her system to send out files on purpose. It would be accidental, or perhaps more accurately, due to malicious activity. You could argue that Xtra is compounding the damage by blindly sending out the files, when it knows that it's the result of virus activity.
-- Juha Saarinen
No, we don't _know_ that it is the result of virus activity. Anyone who says they do _know_ is lying. You cannot possibly know all the permutations of all the virii (<- just for you) out there, so how do you _know_ that file was not meant to be sent?
On Wed, 11 Sep 2002, Jeremy Clyma wrote: <snip full quote>
No, we don't _know_ that it is the result of virus activity. Anyone who says they do _know_ is lying. You cannot possibly know all the permutations of all the virii (<- just for you) out there, so how do you _know_ that file was not meant to be sent?
Des just posted log entries showing that the message from "Simon" was infected with a virus, so yes, you do know. We're talking about messages that are cleaned up with Xtra's mail AV, and then sent out via your MTAs, not every single virus there is of course.
-- Juha Saarinen
-----Original Message-----
From: Juha Saarinen [mailto:juha(a)saarinen.org]
Sent: Wednesday, 11 September 2002 9:26 a.m.
To: Jeremy Clyma
Cc: 'Simon Lyall'; nznog(a)list.waikato.ac.nz
Subject: RE: So cool a flash,enjoy it
On Wed, 11 Sep 2002, Jeremy Clyma wrote: <snip full quote>
No, we don't _know_ that it is the result of virus activity. Anyone who says they do _know_ is lying. You cannot possibly know all the permutations of all the virii (<- just for you) out there, so how do you _know_ that file was not meant to be sent?
Des just posted log entries showing that the message from "Simon" was infected with a virus, so yes, you do know. We're talking about messages that are cleaned up with Xtra's mail AV, and then sent out via your MTAs, not every single virus there is of course.
-- Juha Saarinen
Sorry, posted privately by mistake, reply to Juha as follows: (with English corrected)
And I'll put it back again, that we don't know the attachment _is_ the result of virus activity. We can make a very educated assumption, but we don't know for sure.
On Wed, 11 Sep 2002, Jeremy Clyma wrote:
Sorry, posted privately by mistake, reply to Juha as follows: (with English corrected)
And I'll put it back again, that we don't know the attachment _is_ the result of virus activity. We can make a very educated assumption, but we don't know for sure.
And my reply to the list as well:
True, it can be a tough call, if it's just a single attachment and not e.g. Klez, which is known to pick files at random and send them out willy-nilly. However, if you see lots of attachments with viruses like Klez in them going out from a single user, then I'd say you'd be justified in dropping them, no matter what BS thinks.
Like I said to you in a private message, you should probably consider making the AV scanning optional and get some sort of consent/agreement from the users to cover your butts.
-- Juha Saarinen
On Wed, 11 Sep 2002, Juha Saarinen wrote:
However, if you see lots of attachments with viruses like Klez in them going out from a single user, then I'd say you'd be justified in dropping them, no matter what BS thinks
Assuming your mail system is set up in such a way that you can track from minute to minute which user sent which messages and then make assumptions from that as to what to block. The fact that Xtra made their anti-spam cover all users rather than per user makes me suspect theirs can't. Ihug's can't either BTW.
Of course the NEXT big virus to come out will send email directly to the remote mail server so we'll all have to intercept port 25 to stop those.
Personally I wish journalists wouldn't publicly state their latest idea of "fixing" the Internet all the time, it saves the rest of us having to tell them and/or people at our own company why it's impossible, illegal, expensive and wouldn't work.
-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
On Wed, 11 Sep 2002, Simon Lyall wrote:
Personally I wish journalists wouldn't publicly state their latest idea of "fixing" the Internet all the time, it saves the rest of us having to tell them and/or people at out own company why it's impossible, illegal, expensive and wouldn't work.
It's nothing to do with "fixing the Internet" of course, only about a working mail AV solution.
-- Juha Saarinen
On Wed, Sep 11, 2002 at 11:14:45AM +1200, Juha Saarinen wrote:
On Wed, 11 Sep 2002, Simon Lyall wrote:
Personally I wish journalists wouldn't publicly state their latest idea of "fixing" the Internet all the time, it saves the rest of us having to tell them and/or people at out own company why it's impossible, illegal, expensive and wouldn't work.
It's nothing to do with "fixing the Internet" of course, only about a working mail AV solution.
The best AV solution I can think of is for all possible holes and exploits in Microsoft mail clients to be exploited as soon as possible, and as violently as possible. Maybe if that happens fewer people will run stupid Microsoft mail clients, and the whole issue will just go away.
By making half-hearted attempts at stripping virus-infected bits from e-mail, you're just interfering with the natural order of things and prolonging the life of crap software.
Joe
The best AV solution I can think of is for all possible holes and exploits in Microsoft mail clients to be exploited as soon as possible, and as violently as possible. Maybe if that happens fewer people will run stupid Microsoft mail clients, and the whole issue will just go away.
Users don't care. They will run a PC infested with viruses until it becomes unusable. When it becomes unusable, they will just put the factory recovery CD back into it and start again with old versions of the software that got them into trouble in the first place.
Let's not pretend that pine is any more secure (yes, the very email client I'm using now).
"SECURITY NOTE: The pine software has had several remote vulnerabilities discovered in the past, which allowed remote attackers to execute arbitrary code as you on your local system, by the action of sending a specially-prepared email. All such KNOWN problems have been fixed, but the pine code is written in a very insecure style and the FreeBSD Security Officer believes there are likely to be other undiscovered vulnerabilities. Do you wish to proceed with the installation of pine anyway?"
source: /usr/ports/mail/pine4/pkg-install
On Tuesday, September 10, 2002, at 08:26 PM, Matthew Luckie wrote:
The best AV solution I can think of is for all possible holes and exploits in Microsoft mail clients to be exploited as soon as possible, and as violently as possible. Maybe if that happens fewer people will run stupid Microsoft mail clients, and the whole issue will just go away.
Users don't care. They will run a PC infested with viruses until it becomes unusable. When it becomes unusable, they will just put the factory recovery CD back into it and start again with old versions of the software that got them into trouble in the first place.
At least there's a brief period of quiet while they're off the air, reinstalling.
Let's not pretend that pine is any more secure (yes, the very email client I'm using now).
So don't use it then! This is not rocket science.
Joe
Depending on the virus scanner software you use, it's not hard to write a regex to match on signatures returned from the scanning engine, and drop inappropriate messages e.g. forged headers - match Klez. It was either a Hybris variant or an earlier Klez version, can't remember which, that would grab a document off the user's PC, attach itself, and send it.
This has very real security implications for the infected user.
Cheers, Gordon
On Wed, 11 Sep 2002, Gordon Smith wrote:
Depending on the virus scanner software you use, it's not hard to write a regex to match on signatures returned from the scanning engine, and drop inappropriate messages e.g. forged headers - match Klez. It was either a Hybris variant or an earlier Klez version, can't remember which, that would grab a document off the users PC, attach itself, and send it.
This has very real security implications for the infected user.
Well I have people forward viruses to me all the time. Lots of "your customer sent me this virus". They seem to get pissed off when they get a message back saying our anti-virus has stripped the virus out. I would hate to see how grumpy they would be if it dropped the message completely because it contained the KLEZ virus and the anti-virus software assumed it "must" have been sent by the KLEZ virus itself with a forged "From: " address.
-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
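An added example, not part of the thread, pulling together the gateway policies argued over above: the escalating clean / strip-attachment / block order Simon Lyall attributes to Trend's software, Gordon's suggestion of a regex over the engine's signature names to drop whole messages from header-forging families such as Klez, Gordon's earlier X-Virus tag so a receiving site can decide for itself, and Ted's case of one infected attachment next to a clean one. The scan results are constructed (the part names and virus name of the first message come from Des's log; the second message and its virus name are invented), the dict layout and the X-Virus-Found header name are this example's own, and the family regex is an illustration rather than a recommended list.

```python
import re

# Constructed scan results: one entry per MIME part, with the name the engine returned
# (or None) and whether it could be cleaned in place. Part and virus names of the first
# message follow Des's log; the second message is invented for Ted's two-attachment case.
KLEZ_MESSAGE = {
    "envelope_from": "xxx@xtra.co.nz",
    "parts": [
        {"name": "email-body", "kind": "body", "virus": None, "cleanable": True},
        {"name": "0px", "kind": "attachment", "virus": "WORM_KLEZ.H", "cleanable": False},
        {"name": "ADSAdClient31", "kind": "attachment", "virus": None, "cleanable": True},
    ],
}
MIXED_MESSAGE = {
    "envelope_from": "alice@example.net",
    "parts": [
        {"name": "email-body", "kind": "body", "virus": None, "cleanable": True},
        {"name": "report.doc", "kind": "attachment", "virus": "SOME_MACRO_VIRUS", "cleanable": True},
        {"name": "invoice.pdf", "kind": "attachment", "virus": None, "cleanable": True},
    ],
}

# Gordon's regex: signature names of families known to forge headers and mail out
# random documents, whose stripped remains are not worth delivering (illustrative).
HEADER_FORGING_FAMILIES = re.compile(r"^WORM_KLEZ\.", re.IGNORECASE)


def disposition(message, drop_families=HEADER_FORGING_FAMILIES):
    """Gateway decision for one scanned message.
    1. nothing infected: deliver as-is;
    2. any part from a drop-listed family: reject the whole message (Gordon's policy);
    3. otherwise escalate per part: clean in place, else delete the attachment,
       else (uncleanable body) block the message;
    delivered messages that lost something carry an X-Virus-Found header."""
    infected = [p for p in message["parts"] if p["virus"]]
    if not infected:
        return {"action": "deliver", "parts": [p["name"] for p in message["parts"]], "headers": {}}
    if drop_families and any(drop_families.search(p["virus"]) for p in infected):
        return {"action": "reject", "parts": [], "headers": {}, "reason": "header-forging family"}
    kept, removed = [], []
    for p in message["parts"]:
        if not p["virus"]:
            kept.append(p["name"])
        elif p["cleanable"]:
            kept.append(p["name"])  # cleaned in place, the part itself still goes out
            removed.append(f"{p['name']}:{p['virus']}:cleaned")
        elif p["kind"] == "attachment":
            removed.append(f"{p['name']}:{p['virus']}:deleted")  # 'the bones' are delivered
        else:
            return {"action": "block", "parts": [], "headers": {}, "reason": "uncleanable body"}
    return {"action": "deliver", "parts": kept, "headers": {"X-Virus-Found": ", ".join(removed)}}


def receiver_accepts(headers, drop_tagged=True):
    """Receiving site's policy on a tagged message: drop anything the upstream gateway
    marked as having carried a virus, or accept it, per local choice."""
    return not (drop_tagged and "X-Virus-Found" in headers)


if __name__ == "__main__":
    for name, msg in (("klez", KLEZ_MESSAGE), ("mixed", MIXED_MESSAGE)):
        print(name, disposition(msg))
    print("klez, strip-only policy:", disposition(KLEZ_MESSAGE, drop_families=None))
```

Running the two messages through both policies shows the trade-off the thread circles: the family drop loses the clean ADSAdClient31 part along with the worm, while the strip-only policy delivers the remains and leaves the decision to the tagged header at the receiving end.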
participants (12)
- Brian Gibbons
- Des Berryman
- Gordon Smith
- Jeremy Brooking
- Jeremy Clyma
- Joe Abley
- Juha Saarinen
- Matthew Luckie
- Russell Fulton
- Simon Byrnand
- Simon Lyall
- Ted Grenfell