David W. Hodgins
I'm using Magic Mail Monitor, to delete email generated by the swen worm
from my mail server, avoiding having to download the complete 140+kb
messages.
I was surprised to see a 144kb message get through the filters, since the
from/to addresses made it clear it was swen (I'm filtering based on the
iframe or title, in the start of the body of the message).
When I looked at the message, it had "RAV AntiVirus has deleted this file
because it contained dangerous code!".
Contrary to the statement, instead of deleting the file, its contents had
been replaced with a short base64 encoded file called __warn.txt, with
the remaining 142kb (approx) containing nothing but spaces, up to the
boundary termination line.
I consider this to be just as bad as letting the virus flow. It still
clogs up the recipient's inbox, and it prevents existing virus filters
or scanners from deleting the message before the end user has to
download it.
I larted the originating ISP, asking them to fix their AV configuration,
and copied support at ravantivirus.com.
I was amazed by the response from RAV, stating that the 142kb of spaces
was there because protocols require that they don't change the message
size. I responded that McAfee has no problem dropping virus generated
messages, and simply notifying the recipient that it has done so. I asked
them to cite the RFC they were getting their info from. Their response
was the "IMAP protocol" requires that they do not change the message size.
I'm tempted to filter out all email referencing RAV Antivirus, but for now,
will limit my filter to notifications of RAV "deleted" files. I suggest
others modify their filters accordingly. The actual lines from the RAV
generated messages are ...
===============================
RAV AntiVirus has deleted this file
because it contained dangerous code!
Tento subor odstraneny, nakolko obsahoval nebezpecny kod.
This file has been remo...
=================================
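As an added example (not code from the original post, and not RAV or Magic Mail Monitor code), the following Python script builds a message with the shape described above, the two RAV notice lines, a small base64 __warn.txt attachment and a long run of spaces up to the closing MIME boundary, and runs a recipient-side filter over it. The marker strings are the ones quoted in the post; the addresses, subject, boundary, the 90% whitespace threshold and the shorter padding run are constructed assumptions. It goes slightly beyond the post by also flagging the padding itself, so a notice whose wording differs (for example the Slovak variant) is still caught when a __warn.txt attachment sits in front of a part that is almost entirely whitespace.

```python
"""Flag RAV-style 'deleted file' notices that are mostly whitespace padding.

Added example, not from the original post. The RAV notice lines are quoted
from the post; everything else (addresses, subject, boundary, threshold,
padding length) is a constructed assumption for this demonstration.
"""
import base64
import email
from email import policy

# Lines quoted in the post as appearing in the RAV-generated messages.
RAV_NOTICE_MARKERS = (
    "RAV AntiVirus has deleted this file",
    "because it contained dangerous code!",
)
# Share of a part's raw payload that may be whitespace before we call it
# padding. The value is an assumption chosen for this example.
PADDING_RATIO_THRESHOLD = 0.9


def build_sample_message(padding_spaces: int = 2000) -> bytes:
    """Constructed message mirroring the post's description.

    The post saw roughly 142 KB of spaces; a shorter run is used here so the
    example stays fast. The ratio-based check does not depend on the size.
    """
    boundary = "----=_constructed_boundary_0001"
    warn_b64 = base64.b64encode(b"This file has been removed.\r\n").decode("ascii")
    lines = [
        "From: sender@example.invalid",
        "To: recipient@example.invalid",
        "Subject: constructed RAV notice sample",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        RAV_NOTICE_MARKERS[0],
        RAV_NOTICE_MARKERS[1],
        "",
        f"--{boundary}",
        'Content-Type: text/plain; name="__warn.txt"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="__warn.txt"',
        "",
        warn_b64,
        " " * padding_spaces,  # the filler that keeps the original message size
        f"--{boundary}--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def build_clean_message() -> bytes:
    """Constructed ordinary message used as a control case."""
    lines = [
        "From: sender@example.invalid",
        "To: recipient@example.invalid",
        "Subject: constructed ordinary mail",
        "MIME-Version: 1.0",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Hello, see you at the meeting tomorrow.",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def whitespace_ratio(raw_payload: str) -> float:
    """Share of a part's raw (undecoded) payload that is space/tab/CR/LF."""
    if not raw_payload:
        return 0.0
    blank = sum(1 for ch in raw_payload if ch in " \t\r\n")
    return blank / len(raw_payload)


def analyze(raw: bytes) -> dict:
    """Classify one RFC 822 message as 'quarantine' or 'deliver'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rav_notice = False
    warn_txt_attachment = False
    max_ratio = 0.0
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=False keeps the transfer-encoded text, so the padding is visible.
        max_ratio = max(max_ratio, whitespace_ratio(part.get_payload(decode=False)))
        if part.get_filename() == "__warn.txt":
            warn_txt_attachment = True
        if part.get_content_type() == "text/plain" and not part.get_filename():
            body = part.get_content()
            if all(marker in body for marker in RAV_NOTICE_MARKERS):
                rav_notice = True
    padded = max_ratio >= PADDING_RATIO_THRESHOLD
    verdict = "quarantine" if rav_notice or (warn_txt_attachment and padded) else "deliver"
    return {
        "rav_notice": rav_notice,
        "warn_txt_attachment": warn_txt_attachment,
        "max_whitespace_ratio": max_ratio,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, builder in (("rav sample", build_sample_message), ("clean", build_clean_message)):
        print(name, analyze(builder()))
```

The filter keys on two independent signals: the notice text the post quotes, and a transfer-encoded part whose raw bytes are almost entirely whitespace behind a __warn.txt attachment. Either one is enough to quarantine, so a server that only swaps the localized wording still trips the second check, while an ordinary message with a genuine small attachment never approaches a 90% whitespace ratio.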