Embarrassed by new client

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6725
Printed Date: 27 December 2024 at 9:16am


Topic: Embarrassed by new client
Posted By: yapadu
Subject: Embarrassed by new client
Date Posted: 31 July 2009 at 8:53am
I had a new client sign up today.  First thing they did was use this free e-mail security check.  I will not post the name of the company, since I don't want to promote them.  Google it, and you will find it if you want to run the test.

Anyway, they send 7 messages to any email address you want.

They test several things:

- Ability to stop SPAM, based on the GTUBE signature (http://spamassassin.apache.org/gtube.html).
- Ability to stop VIRUSES, based on the EICAR signature (http://www.eicar.org/anti_virus_test_file.htm).

- Ability to block a series of 5 different attachments, which is basically a BAT file I think.

Unfortunately, Spam Filter does not perform so well out of the box.  In order to pass any of the tests you need to:

1) Add a keyword filter on the GTUBE signature (we have done that now)
2) Have antivirus feature enabled (the only test of 7 that worked for us)
3) Add file attachment blacklists (will only help slightly)

Now, not everyone needs or wants to block file attachments - so the test just assumes you want to be doing that.  Fair enough.

What is interesting is they send the batch file as a 'normal' attachment.  If you have a filter on *.bat it gets blocked.

However they also send the same file in four additional messages containing the attachment disguised in different ways.  Even if you have *.bat or *.exe, Spam Filter fails to stop the attachments.

They got through to my inbox, and my email client does recognize the attachments as .bat files and throws up a warning message.

I certainly got embarrassed when the new client contacted me, with 6 of 7 email security tests failing through our system.



Replies:
Posted By: LogSat
Date Posted: 31 July 2009 at 5:59pm
yapadu,

Thank you for the report.
The GTUBE signature is very specific to Spamassassin, and as we do not use that software in SpamFilter, the test will of course fail. Users are free to add that string in their keywords if they wish, but SpamFilter does not block it by default.

In regards to the emails with attachments that made it thru however, you are perfectly right. They should have been stopped. The filename was obfuscated in such a way that SpamFilter did not recognize it as a valid name and allowed it. This was wrong and we are considering it a serious bug.

We are currently beta-testing SpamFilter v4.1.2.813, which addresses all the tricks used in the above obfuscation, with the exception (so far) of one - the one used in "Test mail 4/7". That will take a bit longer to address.

If you wish to receive the beta before we pre-release it on our website please contact us via email.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: yapadu
Date Posted: 11 March 2010 at 8:24pm
Was the issue of these messages getting past spamfilter ever resolved?  I continue to see new clients testing our system and the virus messages still go through from the looks of it.


Posted By: yapadu
Date Posted: 11 March 2010 at 11:40pm
I see GFI now has a tester as well (not sure how long they have had it).  They send a bunch of tests, a lot of which are tests against the email client.

But they do send 5 copies of eicar test virus.  Spamfilter fails on all of them.


Posted By: jerbo128
Date Posted: 24 March 2010 at 9:36am
I recently had a customer bring the same concerns...
Our setup allowed 5 of the 7 emails, including the one with the virus attached. (and we use the virus filtering plugin)
 
Of the others, the .bat attachment was blocked, a couple came in without any attachment showing in outlook, and a couple came in with an attachment named to another extension.
 
So Roberto, can you please provide some input here?
 
Cheers,
 
Jeremy
 
 


Posted By: LogSat
Date Posted: 24 March 2010 at 5:49pm
The original post regarded issues with SpamFilter's inability to match filenames/extensions specified in the "Attachment filter" when the filename is obfuscated in the email's mime extensions. We addressed all the obfuscations except one type which is still pending. This however should not have anything to do with the antivirus plugin. Infected files (including of course the eicar test signature) should be stopped regardless of what the filename is.

If this is not occurring, can you please (both Jerbo and Yapadu) zip and email us SpamFilter's activity logfile for a day this happened, also including your SpamFilter.ini file, and the to/from email addresses used for the test, so we can locate them in the logs? I'll send you both a PM with our FTP site login for you to upload the files if they are over 8MB in size.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
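
The thread does not say which encodings the test service used, so the RFC 2231 and RFC 2047 forms below are assumed examples of a filename obfuscated in MIME headers. This is an added example, not LogSat's code: it decodes every filename a MIME part carries before applying the *.bat / *.exe check and contrasts that with a literal header match; all sample messages and addresses are constructed.

```python
import email
import re
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

BLOCKED_EXTS = (".bat", ".exe")  # the patterns named in the thread

def naive_match(raw):
    """Literal header match: only sees filename="x.bat" written in the clear."""
    return bool(re.search(r'filename="[^"]*\.(bat|exe)"', raw, re.I))

def candidate_names(part):
    """Decode every name a mail client could show for this MIME part."""
    names = set()
    for header, param in (("content-disposition", "filename"), ("content-type", "name")):
        value = part.get_param(param, header=header)
        if value is None:
            continue
        text = collapse_rfc2231_value(value)  # RFC 2231 charset + continuations
        try:
            text = str(make_header(decode_header(text)))  # RFC 2047 encoded-word
        except Exception:
            pass  # undecodable: fall back to the raw text
        names.add(text)
    return names

def blocked_attachments(raw):
    """Return decoded attachment names whose extension is on the blocklist."""
    hits = set()
    for part in email.message_from_string(raw).walk():
        for name in candidate_names(part):
            # Trailing dots/spaces are dropped by Windows when the file is saved.
            if name.strip().rstrip(". ").lower().endswith(BLOCKED_EXTS):
                hits.add(name)
    return sorted(hits)

def sample(disposition, ctype="application/octet-stream"):  # constructed message
    return ("From: a@example.test\nTo: b@example.test\nMIME-Version: 1.0\n"
            f"Content-Type: {ctype}\nContent-Disposition: {disposition}\n\n"
            "constructed sample body\n")

SAMPLES = {  # constructed inputs, not the test service's actual messages
    "plain": sample('attachment; filename="run.bat"'),
    "rfc2231": sample("attachment; filename*=UTF-8''run%2Ebat"),
    "continuation": sample('attachment; filename*0="ru"; filename*1="n.bat"'),
    "rfc2047": sample('attachment; filename="=?utf-8?Q?run=2Ebat?="'),
    "type_only": sample("attachment", 'application/octet-stream; name="RUN.BAT"'),
    "benign": sample('attachment; filename="notes.txt"'),
}
```

Only the "plain" sample is caught by `naive_match`; `blocked_attachments` flags every sample except "benign".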


Posted By: yapadu
Date Posted: 26 March 2010 at 3:19am
I was the original poster of this last year.  I just ran the test again, against a domain protected by spamfilter and to a gmail account.

The testing service sends 7 messages, just like they did last year.  I tested gmail first.

gmail allowed 3/7, 6/7 and 7/7 through.

My spamfilter did better than a year ago, but strangely the virus test got through to my outlook client.

So spamfilter did not stop 2/7 and 4/7.  2/7 is the test virus, which my system should be stopping as I have the virus module.  I will do some more testing, and as Roberto mentioned above 4/7 is still a known issue.


Posted By: RBarrow
Date Posted: 28 December 2012 at 4:20pm
We are running 4.50.31 and these 7 messages are still getting through the system.  Are there settings I need to change to get this addressed?

Seems the last activity on the thread was > 2 yrs...but still passing same test emails

Roy


Posted By: LogSat
Date Posted: 28 December 2012 at 11:01pm
We were able to duplicate this issue. There appears to have been a regression error with the new SpamFilter v4.5.x that removed the fix that was added in SpamFilter v4.1.2.813. We'll have this re-fixed shortly.

Please note that the fix did not handle the specific trick employed in the "Test mail 4/7", and that the fake spam in "Test mail 3/7" will also not be blocked by SpamFilter as it is not a real spam email. We do not use SpamAssassin and thus that specific signature is meaningless to SpamFilter.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: RBarrow
Date Posted: 28 December 2012 at 11:23pm
Thanks for checking! We will look for the next build.
 
Roy


Posted By: LogSat
Date Posted: 29 December 2012 at 11:57am
RBarrow,

As the fix was already prepared and was very straightforward, we've already re-patched the previous SpamFilter v4.5.0.62 with it. The fixed version (v4.5.0.63) is now available in the registered user area.

Thanks for re-reporting this!


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
