DavidT Posted August 14, 2004
Something appears to be wrong with SpamCop's virus filters since the outages the other day, because in the last 24 hours, I've received three Netsky.P (aka W32.Netsky.P[at]mm) worms in one of my SC email addresses (it's actually a "cesmail.net" address, same thing). This worm is not very new...it first appeared back in March, and when I tried to POP any of the messages, my NortonAV jumps into action and deletes them. I guess I'll send a message to support, but thought that others might want to know that the virus protection seems not to be fully functional.
(and the Subject line on this should have read "...making it into SC...")
dt

eric Posted August 15, 2004
> (and the Subject line on this should have read "...making it into SC...")
And here I thought you were describing how they reproduced!

DavidT Posted August 15, 2004
Glad that my typo provided a laugh or two.
dt

efindoutthetruth Posted August 15, 2004
Good day to all. Is it just me or is anyone else having the same problem? I used to NEVER get viruses via my SpamCop inbox, as SpamCop would intercept the virus message immediately. As of yesterday, I am receiving around 200 viruses a day. Can someone out there help? Thank you!

dbiel Posted August 15, 2004
To repeat what Wazoo has said many times before, the virus filters that are used by SpamCop and by everyone else in the world are reactionary. New viruses are being created every day with the number one purpose of finding ways to get around virus scanners. SpamCop tries hard to keep the filters as current as possible but they will never be able to filter out the most recent variants.
Something you could do as a test would be to forward one of the virus messages that is a few days old to yourself and see if it gets delivered or deleted. You may want to wait before doing this to see if anybody else knows why this may not be safe to do. That would be a way of testing the system.
If your virus program has identified the virus, please post the virus name and creation date and the virus program you are using. It may help to identify something that needs fixing.
Also note, if I am correct the virus filtering occurs when the message is first received / rejected by SpamCop so the message may be much "newer" than you think since the date used must be the date received by SpamCop, not when you received it.
Also double check your whitelist, if the message source is listed there it might be causing a different processing method.
The help that we can provide is in direct proportion to the information that you provide. No information - no help; lots of information - you get the point.
But to answer your outer question, I can't remember the last time I got a virus infested message, so it seems to still be working for me.
Also, please refer to the first post in this thread. The system crash may have created other hidden problems that will have to be worked out. So again, more information please.

twrs Posted August 15, 2004
Yes, I'm also experiencing the same problem. Since yesterday, I've been receiving hundreds of virus emails from my SpamCop account. What's the problem? I thought something's wrong with my SpamCop settings but when I checked everything's correct. In my search for help, I found this forum and am glad that I'm not alone. Do you know how to email SpamCop Support? They don't seem to list their email anywhere on the web site? I'd like to forward a sample of these viruses there.

Wazoo Posted August 15, 2004
support e-mail addresses are all over the place .. but this isn't one of those items that JT needs ... If you're going to forward your virus anywhere, you'd want to send it to the anti-virus folks ... pick your company
- scumsucker somewhere pulls together some nasty code
- scumsucker plants it somewhere, say as an attachment to a post in a porn newsgroup
- idiot newbie hits that newsgroup, clicking on everything, wanting to get it all
- idiot newbie's computer is infected, starts kicking out e-mail
- more idiot newbies receive e-mail, click on the attachment to see what the first idiot sent
- another infected computer starts sending out e-mail
- eventually, e-mail received by someone clued, or someone clued also hit the newsgroup, submitted virus to anti-spam folks
- anti-spam folks analyze it, give it a name, figure out how to recognise it, maybe defang it, maybe erase its effects on infected systems
- anti-spam folks then add this data into their database of nasty stuff
- anti-spam folks then make this new database available
- end users (hopefully) eventually get around to checking for a new database, download and install it
- end-user now "protected" against that virus
- in the mean time, some scumsucker has pulled together some code ............
So basically, the premise is that there is a new variant of an alleged "old" virus out there, and you are now waiting for the analysis to be done, database to be updated, that updated database to be made available, which will then be picked up and installed by the anti-virus application running on the SpamCop server

dra007 Posted August 15, 2004
..making it in(to) SC...
...and I thought worms were hermaphrodite..Anyways...I have experienced an increase in viruses/MIME exploits, trojans and worms myself. Thankfully most of them get defanged before forwarding to SC, on the original server. Unfortunately these bozos are determined to find ways to defeat any protection, including spoofing trusted ISPs in the header and the like. All you can do is keep your virus definitions up to date and don't rely on a single virus protection software. I have had a good experience with Bitdefender (check here!), it is free and so far it has detected things Norton AV has missed, including damaged NAV files which make NAV virtually inoperable and I presume are carried by certain viruses... After a thorough check you may have to reinstall NAV, and that's a bummer unless you first download the uninstall patches.. After having my computer hacked into and destroyed early this month I had to reinstall NAV several times...I still can't get rid of some NAV damaged files..

twrs Posted August 15, 2004
Wazoo, thanks for the quick reply. Sorry, but I don't see any email address of SpamCop on the web site. Is it support[at]spamcop.net? I've been using SpamCop since last year and never needed to contact support till now. What antivirus application does SpamCop use? ClamAV or Dr. Web maybe?
dra007, I've found my NAV2004 to be a great antivirus, but it also needs a good firewall software along (I use ZoneAlarm Pro). Without a good firewall, your computer is highly vulnerable. That Windows XP built-in firewall is a joke

dra007 Posted August 15, 2004
> /snip
> dra007, I've found my NAV2004 to be a great antivirus, but it also needs a good firewall software along (I use ZoneAlarm Pro). Without a good firewall, your computer is highly vulnerable. That Windows XP built-in firewall is a joke
Tell me about it, I am still working on configuring mine, the dam thing gives me a trojan warning every time a program tries to get on the net, still haven't figured that one out...

twrs Posted August 15, 2004
What firewall are you using? I highly recommend ZoneAlarm Pro. It's very easy to configure (semi automatic I must say) and it doesn't take too long to configure. I used Kerio before and when I switched to ZoneAlarm Pro, I found it to be much better and easier to use. Just configure the programs which you allow to access the Internet and if you find some warnings about weird IPs trying to access your system, just deny those (ZoneAlarm Pro will usually auto-block them though).

dbiel Posted August 15, 2004
Since apparently my question got missed in all my other verbiage (I should have colored it red) I am going to repost it by itself
> Something you could do as a test would be to forward one of the virus messages that is a few days old to yourself and see if it gets delivered or deleted.
Is there any reason that I do not know about that would make this a bad idea?

DavidT Posted August 16, 2004
> To repeat what Wazoo has said many times before, the virus filters that are used by SpamCop and by everyone else in the world are reactionary. New viruses are being created every day with the number one purpose of finding ways to get around virus scanners. SpamCop tries hard to keep the filters as current as possible but they will never be able to filter out the most recent variants.
But these messages are all infected with a Netsky worm that made its first appearance in March, as I explained when I started this discussion. I realize that "dbiel" was answering "efindoutthetruth," but this is MY thread, and my original observation/question is getting a bit sidetracked....the SC AV filters appear to have broken during the outages.
> If your virus program has identified the virus, please post the virus name and creation date and the virus program you are using. It may help to identify something that needs fixing.
Uh...I *did* that, in my original message, so "efindoutthetruth" didn't really need to provide further information...there's clearly a problem!
> Also double check your whitelist, if the message source is listed there it might be causing a different processing method.
No, that's not how things work...the virus protection is applied before any whitelisting...I contend that since the big SC server outages on Friday, that the AV protection is simply broken. I emailed the Support address yesterday but have not heard back, and have received multiple new infected messages today.
Ellen, "Admin" -- anyone "official" out there???
dt

dbiel Posted August 16, 2004
>> Also double check your whitelist, if the message source is listed there it might be causing a different processing method.
> No, that's not how things work...the virus protection is applied before any whitelisting...I contend that since the big SC server outages on Friday, that the AV protection is simply broken.
I realize that, but since as you claim there is something broken, how can you be so certain that it is how it is working right now? The more information that is provided, the easier it is to find and fix the problem.
>> If your virus program has identified the virus, please post the virus name and creation date and the virus program you are using. It may help to identify something that needs fixing.
> Uh...I *did* that, in my original message, so "efindoutthetruth" didn't really need to provide further information...there's clearly a problem!
Not really
> I've received three Netsky.P (aka W32.Netsky.P[at]mm)
Is Netsky.P a new variant of W32.Netsky.P[at]mm? I could not find any listing of "Netsky.P"; see the following quote from Symantec
> As of March 22, 2004, due to an increase in submission rate, Symantec Security Response has upgraded W32.Netsky.P[at]mm (also known as W32.Netsky.Q[at]mm) to a Category 3 level threat from a Category 2 threat.
Cut and paste the exact response from your virus scanner.
Finally, you only listed one virus (it is a moot point as to how many copies of it you got). If it were really broken, I would have expected you to be seeing all kinds of different viruses

DavidT Posted August 16, 2004
> Is Netsky.P a new variant of W32.Netsky.P[at]mm? I could not find any listing of "Netsky.P"; see the following quote from Symantec
They're one and the same. Those of us who use NortonAV get in the habit of referring to viruses only using Symantec's subjective names, but the other competing AV sources use different names. Here are the ones for this worm:
W32.Netsky.Q[at]mm [Symantec], W32/Netsky.p[at]MM [McAfee], Win32.Netsky.P [Computer Associates], NetSky.P [F-Secure], W32/Netsky.P.worm [Panda], W32/Netsky-P [Sophos], WORM_NETSKY.P [Trend]
This unanimity of naming on this one is rare, in that they're all designating this variant with the letter "P" -- in most recent worms, they all use different letters..."alphabet soup." So, if you go back and look at the beginning of this thread, you'll see that I used the most generic name for it (the one from F-Secure), but I also gave the proper Symantec name, in that I wrote that I'm using Norton. In any case, this is an old worm that surely shouldn't be getting through SC's AV filters.
> Cut and paste the exact response from your virus scanner.
OK, here you go: "The email attachment document.txt .exe within data.zip is infected with the W32.Netsky.P[at]mm virus."
> Finally, you only listed one virus (it is a mute point as to how many copies of it you got).
(a "mute point" is one that can't speak...a "moot point" is one that's of no consequence)
> If it were really broken, I would have expected you to be seeing all kinds of different viruses
It's hard to say what else would be coming through. The address actually receiving the worms (that then get forwarded to this particular SC email account) isn't very "public" and so before we started using SC to filter it, we didn't receive many worms.
But this is the best point you've made, and yes, if the AV function were totally kaput, then all kinds of worms would be getting through to SC email customers, so it might only be partially nonfunctional.
dt

twrs Posted August 16, 2004
Here are some of the virus messages from SpamCop that got detected by my Norton AntiVirus 2004:
Norton AntiVirus removed the attachment: msg.htm.zlq. The W32.Netsky.B[at]mm threat was detected in the attachment.
Norton AntiVirus removed the attachment: document_4351.zlo. The W32.Netsky.D[at]mm threat was detected in the attachment.
Norton AntiVirus removed the attachment: message_part2.zlo. The W32.Netsky.K[at]mm threat was detected in the attachment.
The anti-virus filtering in SpamCop seems broken. Could you please fix this as soon as possible? Thanks!

Wazoo Posted August 16, 2004
While answering some PMs, I added a note to JT, though wouldn't expect much action for a few hours.

dbiel Posted August 16, 2004
I guess that I will add one to the list as well
++++++++++++++++++++++++++++++++++++++
VIRUS BLOCKER MESSAGE STATUS
++++++++++++++++++++++++++++++++++++++
+ Virus successfully cleaned out of attachment(s): No attachments are in this category.
+ Attachment(s) deleted due to virus: 1. Security File.exe: Backdoor.Beasty.I
+++++++++++++++++++ Powered by Symantec +++++++++++++++++++

Derek T Posted August 16, 2004
> (a "mute point" is one that can't speak...a "moot point" is one that's of no consequence)
Well! that sent this Englishman scurrying to his dictionary. On this side of the pond 'moot' means arguable or debatable. Tolkien used it in its original sense when Treebeard called the Entmoot. US online dictionary says transpondians have been using it (incorrectly) to mean 'of no importance' since the mid C19th. Ah well, back to spam-fighting

DavidT Posted August 16, 2004
> On this side of the pond 'moot' means arguable or debatable.
When looked up at http://dictionary.reference.com/search?q=moot your definition is indeed listed as number 1 in the word's adjective form. However, when used as an adjective in US English, it's commonly meant as the "2. b." adjective definition, "Of no practical importance; irrelevant" which seems to have been the usage here.
> Tolkien used it in its original sense when Treebeard called the Entmoot.
Ah, but that's a noun usage (definition #2), "An ancient English meeting, especially a representative meeting of the freemen of a shire."
> US online dictionary says transpondians have been using it (incorrectly) to mean 'of no importance' since the mid C19th.
Yes, our English is certainly a bit different than the Queen's.
dt

Derek T Posted August 16, 2004
> "2. b." adjective definition, "Of no practical importance; irrelevant" which seems to have been the usage here.
Yes, I tried bartleby.com which says the (US) experts consider it acceptable by a majority of 6:4. I have to say that it came as a complete shock to me, though. Neither Oxford nor Chambers has this usage in the UK editions on my shelf!
> Ah, but that's a noun usage (definition #2), "An ancient English meeting, especially a representative meeting of the freemen of a shire."
I think I'm right in saying that 'meet' came from the same root. The adjective almost derives from the noun. A moot point was an agenda point, something to be discussed at the moot(ing!)
Perhaps we'd better get this back on topic?

DavidT Posted August 16, 2004
> Perhaps we'd better get this back on topic?
Actually, this topic is stalled, waiting for official SC support response. The phenomenon I reported (wormy emails making it past SC AV protection) has also been reported over in the old Usenet group for SC email, so it is happening to multiple people, and all since the "Friday the 13th" SC email server crashes.
dt

Wazoo Posted August 17, 2004
unhappy thoughts and I'm sure many apologies are included .. but this just in from JT;
> During the email emergency a couple days ago, I re-arranged how the incoming mail was queued up. Unfortunately, the AV inadvertently got de-activated. It's back up and running now.
> Jeff

dra007 Posted August 17, 2004
Finally, an answer that makes sense...the moot is mute... Reminds me of the time I was visiting across the pond having to explain on more than one occasion the meaning of words, and facing nothing but total disbelief!! Funny how languages evolve sometimes!

DavidT Posted August 17, 2004
> unhappy thoughts and I'm sure many apologies are included .. but this just in from JT;
Well...I wrote to the "support" address on Saturday and I haven't been graced with a response. I'm sure I was one of the first to report this problem, so this rather indirect admission that I was entirely correct in my analysis of the situation is welcome, but...
dt
