Add "RAV AntiVirus has deleted this file" to mail filters, to keep swen "cleaned" mail from filling

  • Thread starter David W. Hodgins

David W. Hodgins

I'm using Magic Mail Monitor, to delete email generated by the swen worm
from my mail server, avoiding having to download the complete 140+kb
messages.

I was surprised to see a 144kb message get through the filters, since the
from/to addresses made it clear it was swen (I'm filtering based on the
iframe or title, in the start of the body of the message).

When I looked at the message, it had "RAV AntiVirus has deleted this file
because it contained dangerous code!".

Contrary to the statement, instead of deleting the file, its contents had
been replaced with a short base64 encoded file called __warn.txt, with
the remaining 142kb (approx) containing nothing but spaces, up to the
boundary termination line.

I consider this to be just as bad as letting the virus flow. It still
clogs up the recipient's inbox, and it prevents existing virus filters
or scanners, from deleting the message, before the end user has to
download it.

I LARTed the originating ISP, asking them to fix their AV configuration,
and copied support at ravantivirus.com.

I was amazed by the response from RAV, stating that the 142kb of spaces
was there because protocols require that they don't change the message
size. I responded that McAfee has no problem dropping virus generated
messages, and simply notifying the recipient that it has done so. I asked
them to cite the RFC they were getting their info from. Their response
was the "IMAP protocol" requires that they do not change the message size.

I'm tempted to filter out all email referencing RAV Antivirus, but for now,
will limit my filter to notifications of RAV "deleted" files. I suggest
others modify their filters accordingly. The actual lines from the RAV
generated messages are ...
===============================
RAV AntiVirus has deleted this file
because it contained dangerous code!


Tento subor odstraneny, nakolko obsahoval nebezpecny kod.

This file has been remo...
=================================
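As an added illustration (not code from the thread, and not David's Magic Mail Monitor filter), the check below parses a message of the shape described above and reports the two signals the thread turns on: the RAV notice text inside a decoded part, and a long run of spaces in an undecoded part. The sample message is constructed here; the padding threshold is an assumption.

```python
import base64
import re
from email import message_from_bytes

RAV_MARKER = b"RAV AntiVirus has deleted this file"
PAD_RUN_LIMIT = 1024  # assumed threshold: no legitimate body line is this much blank


def build_sample(pad_len=2000, rav_cleaned=True) -> bytes:
    """Constructed sample: a swen-style mail whose attachment has either been
    left alone or been replaced by RAV's base64 __warn.txt plus space padding."""
    boundary = "----=_NextPart_000_0000"
    if rav_cleaned:
        warn = base64.b64encode(RAV_MARKER + b"\nbecause it contained dangerous code!\n")
        attachment = ['Content-Type: text/plain; name="__warn.txt"',
                      "Content-Transfer-Encoding: base64", "",
                      warn.decode(), " " * pad_len]  # the 142kb-of-spaces trick, scaled down
    else:
        attachment = ['Content-Type: application/octet-stream; name="patch.exe"',
                      "Content-Transfer-Encoding: base64", "",
                      base64.b64encode(b"constructed stand-in bytes").decode()]
    lines = ["From: bogus@example.invalid", "To: victim@example.invalid",
             "Subject: Internet Update Pack", "MIME-Version: 1.0",
             f'Content-Type: multipart/mixed; boundary="{boundary}"', "",
             f"--{boundary}", "Content-Type: text/plain", "", "Install this patch now.",
             f"--{boundary}", *attachment, f"--{boundary}--", ""]
    return "\r\n".join(lines).encode()


def classify(raw: bytes) -> dict:
    """Return the two signals the thread discusses: the RAV notice text in any
    decoded part, and the longest run of spaces in any raw (undecoded) part."""
    msg = message_from_bytes(raw)
    notice, longest_pad = False, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        # the decoded __warn.txt carries the notice text
        if RAV_MARKER in (part.get_payload(decode=True) or b""):
            notice = True
        # the padding lives in the raw body, so look before base64 decoding
        raw_part = part.get_payload(decode=False)
        if isinstance(raw_part, str):
            longest_pad = max([longest_pad] + [len(r) for r in re.findall(r" {2,}", raw_part)])
    return {"size": len(raw), "rav_notice": notice, "longest_pad": longest_pad,
            "drop": notice or longest_pad >= PAD_RUN_LIMIT}
```

The size field is there for the "check file sizes" approach suggested further down the thread; the padding run is the more specific tell, since a 140kb message is normal for other traffic.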

Santa Claus

<snip>
> I'm using Magic Mail Monitor, to delete email generated by the swen worm
> from my mail server, avoiding having to download the complete 140+kb
> messages.
>
> I was surprised to see a 144kb message get through the filters, since the
> from/to addresses made it clear it was swen (I'm filtering based on the
> iframe or title, in the start of the body of the message).
> I'm tempted to filter out all email referencing RAV Antivirus, but for now,
> will limit my filter to notifications of RAV "deleted" files. I suggest
> others modify their filters accordingly. The actual lines from the RAV
> generated messages are ...
> ===============================
> RAV AntiVirus has deleted this file
> because it contained dangerous code!
>
>
> Tento subor odstraneny, nakolko obsahoval nebezpecny kod.
>
> This file has been remo...
> =================================
<snip>

Use Mailwasher.
Check file sizes.



No Emails Please

Doug Jacobs

In news.admin.net-abuse.email David W. Hodgins said:
> When I looked at the message, it had "RAV AntiVirus has deleted this file
> because it contained dangerous code!".
> Contrary to the statement, instead of deleting the file, its contents had
> been replaced with a short base64 encoded file called __warn.txt, with
> the remaining 142kb (approx) containing nothing but spaces, up to the
> boundary termination line.

Yep, RAV is an extremely buggy piece of crappy software. I tried looking
up who makes it, and it appears to have been discontinued. Still, the
fact that they convinced people to buy and install this thing is just
mindboggling.

Unfortunately, the ISPs that I've seen using RAV don't seem to actually
have an abuse, postmaster, or any other sort of valid admin contact
address. This makes sense since only clueless morons would get conned
into buying such a borken piece of software.
> I consider this to be just as bad as letting the virus flow. It still
> clogs up the recipient's inbox, and it prevents existing virus filters
> or scanners, from deleting the message, before the end user has to
> download it.

The copies I've gotten from RAV "infected" ISPs didn't even rename the
virus file - it let the original message with the payload intact through,
after stamping its "What a good proggie am I!"

Darwin

[..]
> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
> mindboggling.
>
> Unfortunately, the ISPs that I've seen using RAV don't seem to actually
> have an abuse, postmaster, or any other sort of valid admin contact
> address. This makes sense since only clueless morons would get conned
> into buying such a borken piece of software.
[..]


Spamcop.net is using RAV to filter its mail service.
AFAIK it is working well, I never got a piece of Swen since I started
using their services.

The problem with the dummy notifications is the ISP sending them, not the
software that makes them.
RAV obviously has an option to turn them off, but they have chosen to
enable it.
Why, is a total mystery to me.

w33zyrider

Doug said:
> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
> mindboggling.
>
> Unfortunately, the ISPs that I've seen using RAV don't seem to actually
> have an abuse, postmaster, or any other sort of valid admin contact
> address. This makes sense since only clueless morons would get conned
> into buying such a borken piece of software.
>
> The copies I've gotten from RAV "infected" ISPs didn't even rename the
> virus file - it let the original message with the payload intact through,
> after stamping its "What a good proggie am I!"
MS bought RAV last spring

Fridrik Skulason

> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
>
>
> Unfortunately, the ISPs that I've seen using RAV don't seem to actually
> have an abuse, postmaster, or any other sort of valid admin contact
> address. This makes sense since only clueless morons would get conned
> into buying such a borken piece of software.


Well, uhm....did you read
http://www.microsoft.com/presspass/press/2003/jun03/06-10GeCadPR.asp ?

-frisk

optikl

Doug Jacobs said:
> In news.admin.net-abuse.email David W. Hodgins
> Yep, RAV is an extremely buggy piece of crappy software. I tried looking
> up who makes it, and it appears to have been discontinued. Still, the
> fact that they convinced people to buy and install this thing is just
> mindboggling.
>
> The copies I've gotten from RAV "infected" ISPs didn't even rename the
> virus file - it let the original message with the payload intact through,
> after stamping its "What a good proggie am I!"

RAV was purchased recently by Microsoft from GeCad. It will be a component
of future M/S OSes.