PC Review



Add "RAV AntiVirus has deleted this file" to mail filters, to keep swen "cleaned" mail from filling your inbox.

 
 
David W. Hodgins
 
      1st Nov 2003
I'm using Magic Mail Monitor, to delete email generated by the swen worm
from my mail server, avoiding having to download the complete 140+kb
messages.

I was surprised to see a 144kb message get through the filters, since the
from/to addresses made it clear it was swen (I'm filtering based on the
iframe or title, in the start of the body of the message).

When I looked at the message, it had "RAV AntiVirus has deleted this file
because it contained dangerous code!".

Contrary to the statement, instead of deleting the file, its contents had
been replaced with a short base64 encoded file called __warn.txt, with
the remaining 142kb (approx) containing nothing but spaces, up to the
boundary termination line.

I consider this to be just as bad as letting the virus flow. It still
clogs up the recipient's inbox, and it prevents existing virus filters
or scanners, from deleting the message, before the end user has to
download it.

I larted the originating ISP, asking them to fix their AV configuration,
and copied support at ravantivirus.com.

I was amazed by the response from Rav, stating that the 142kb of spaces
was there because protocols require that they don't change the message
size. I responded that McAfee has no problem dropping virus generated
messages, and simply notifying the recipient that it has done so. I asked
them to cite the RFC they were getting their info from. Their response
was the "IMAP protocol" requires that they do not change the message size.

I'm tempted to filter out all email referencing RAV Antivirus, but for now,
will limit my filter to notifications of RAV "deleted" files. I suggest
others modify their filters accordingly. The actual lines from the RAV
generated messages are ...
===============================
RAV AntiVirus has deleted this file
because it contained dangerous code!


Tento subor odstraneny, nakolko obsahoval nebezpecny kod.

This file has been remo...
=================================
--
Change .invalid to .com to reply by email.
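
Added example, not part of the original posts: the filter described above written as Python, with one check that needs only the headers and first body lines (what a server-side filter sees) and one that measures the space padding in a downloaded copy. The sample message is constructed from the post's description; its addresses, boundary, MIME layout and the 20-line window are assumptions.

```python
import base64
import email
from email import policy

MARKER = "RAV AntiVirus has deleted this file"  # notice text quoted in the post
STUB_NAME = "__warn.txt"                        # attachment name given in the post

def head_matches(raw: str, body_lines: int = 20) -> bool:
    """Server-side check: headers plus the first body lines only (as POP3 TOP returns)."""
    _, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    head = " ".join(body.splitlines()[:body_lines])
    return MARKER.lower() in " ".join(head.split()).lower()

def stub_padding_ratio(raw: str):
    """On a downloaded copy: share of the __warn.txt part that is whitespace, else None."""
    msg = email.message_from_string(raw.replace("\r\n", "\n"), policy=policy.default)
    for part in msg.walk():
        if part.get_filename() == STUB_NAME:
            payload = part.get_payload()  # raw transfer-encoded text, not decoded
            return sum(c.isspace() for c in payload) / max(len(payload), 1)
    return None

def build_sample(pad_lines: int = 200) -> str:
    """Constructed sample modelled on the post's description; not a captured message."""
    return "\n".join([
        "From: sender@example.invalid",
        "To: rcpt@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b0"',
        "",
        "--b0",
        "Content-Type: text/plain",
        "",
        "RAV AntiVirus has deleted this file",
        "because it contained dangerous code!",
        "--b0",
        'Content-Type: text/plain; name="__warn.txt"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="__warn.txt"',
        "",
        base64.b64encode(b"constructed warning text").decode(),
        *([" " * 72] * pad_lines),
        "--b0--",
        "",
    ])

if __name__ == "__main__":
    sample = build_sample()
    print(head_matches(sample), round(stub_padding_ratio(sample), 3))
```
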
 
 
 
 
 
Santa Claus
 
      1st Nov 2003
<snip>
On Sat, 01 Nov 2003 05:26:42 GMT, "David W. Hodgins"
<(E-Mail Removed)> wrote:

>I'm using Magic Mail Monitor, to delete email generated by the swen worm
>from my mail server, avoiding having to download the complete 140+kb
>messages.
>
>I was surprised to see a 144kb message get through the filters, since the
>from/to addresses made it clear it was swen (I'm filtering based on the
>iframe or title, in the start of the body of the message).
>


>I'm tempted to filter out all email referencing RAV Antivirus, but for now,
>will limit my filter to notifications of RAV "deleted" files. I suggest
>others modify their filters accordingly. The actual lines from the RAV
>generated messages are ...
>===============================
>RAV AntiVirus has deleted this file
>because it contained dangerous code!
>
>
>Tento subor odstraneny, nakolko obsahoval nebezpecny kod.
>
>This file has been remo...
>=================================

<snip>

Use Mailwasher.
Check file sizes.



No Emails Please
 
 
Doug Jacobs
 
      2nd Nov 2003
In news.admin.net-abuse.email David W. Hodgins <(E-Mail Removed)> wrote:

> When I looked at the message, it had "RAV AntiVirus has deleted this file
> because it contained dangerous code!".


> Contrary to the statement, instead of deleting the file, its contents had
> been replaced with a short base64 encoded file called __warn.txt, with
> the remaining 142kb (approx) containing nothing but spaces, up to the
> boundary termination line.


Yep, RAV is an extremely buggy piece of crappy software. I tried looking
up who makes it, and it appears to have been discontinued. Still, the
fact that they convinced people to buy and install this thing is just
mindboggling.

Unfortunately, the ISPs that I've seen using RAV don't seem to actually
have an abuse, postmaster, or any other sort of valid admin contact
address. This makes sense since only clueless morons would get conned
into buying such a borken piece of software.

> I consider this to be just as bad as letting the virus flow. It still
> clogs up the recipient's inbox, and it prevents existing virus filters
> or scanners, from deleting the message, before the end user has to
> download it.


The copies I've gotten from RAV "infected" ISPs didn't even rename the
virus file - it let the original message with the payload intact through,
after stamping its "What a good proggie am I!"


 
 
Darwin
 
      2nd Nov 2003
On Sun, 02 Nov 2003 06:25:05 -0000, Doug Jacobs <(E-Mail Removed)>
wrote:

[..]
> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
> mindboggling.
>
> Unfortunately, the ISPs that I've seen using RAV don't seem to actually
> have an abuse, postmaster, or any other sort of valid admin contact
> address. This makes sense since only clueless morons would get conned
> into buying such a borken piece of software.

[..]


Spamcop.net is using RAV to filter its mail service.
AFAIK it is working well, I never got a piece of Swen since I started
using their services.

The problem with the dummy notifications is the ISP sending them, not the
software that makes them.
RAV obviously has an option to turn them off, but they have chosen to
enable it.
Why is a total mystery to me.

--
-darwin-

Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
 
 
w33zyrider
 
      2nd Nov 2003
Doug Jacobs wrote:
> In news.admin.net-abuse.email David W. Hodgins <(E-Mail Removed)> wrote:
>
>> When I looked at the message, it had "RAV AntiVirus has deleted this file
>> because it contained dangerous code!".
>
>> Contrary to the statement, instead of deleting the file, its contents had
>> been replaced with a short base64 encoded file called __warn.txt, with
>> the remaining 142kb (approx) containing nothing but spaces, up to the
>> boundary termination line.
>
> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
> mindboggling.
>
> Unfortunately, the ISPs that I've seen using RAV don't seem to actually
> have an abuse, postmaster, or any other sort of valid admin contact
> address. This makes sense since only clueless morons would get conned
> into buying such a borken piece of software.
>
>> I consider this to be just as bad as letting the virus flow. It still
>> clogs up the recipient's inbox, and it prevents existing virus filters
>> or scanners, from deleting the message, before the end user has to
>> download it.
>
> The copies I've gotten from RAV "infected" ISPs didn't even rename the
> virus file - it let the original message with the payload intact through,
> after stamping its "What a good proggie am I!"

MS bought RAV last spring

 
 
Fridrik Skulason
 
      2nd Nov 2003
Doug Jacobs <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...


> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
> mindboggling.
>
> Unfortunately, the ISPs that I've seen using RAV don't seem to actually
> have an abuse, postmaster, or any other sort of valid admin contact
> address. This makes sense since only clueless morons would get conned
> into buying such a borken piece of software.



Well, uhm....did you read
http://www.microsoft.com/presspass/p...-10GeCadPR.asp ?

-frisk
 
 
optikl
 
      2nd Nov 2003

"Doug Jacobs" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In news.admin.net-abuse.email David W. Hodgins <(E-Mail Removed)> wrote:
> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
> mindboggling.
>
> The copies I've gotten from RAV "infected" ISPs didn't even rename the
> virus file - it let the original message with the payload intact through,
> after stamping its "What a good proggie am I!"
>
>


RAV was purchased recently by Microsoft from GeCad. It will be a component
of future M/S OSes.


 
 
 
 