[sf-lug] junkemailfilter.com claimed that linuxmafia.com is a 'virus' site

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Dec 9 05:38:14 PST 2017


Hmmm, I wonder if you could, sufficiently safely, relatively
trivially encode the (old) malware, and then leave it up there ...
just add to the site documentation on how to trivially decode
the data to obtain the original malware.

I don't think zip or tar or pack/compress/gzip/bzip2/xz/... or combination
thereof would suffice, as many malware scanners will
unarchive/uncompress, recursively, when scanning for malware (and
when their software is poorly written and running on Microsoft
Windows, it f*cks up and itself becomes infection vector).

Or maybe even not-so-trivially encode ... actually encrypt it.
E.g. gpg encrypt it, and include the "secret" key (and
instructions) fully accessible on the site too.
The anti-malware bots aren't nearly smart enough to take that
information and decrypt it, so that should avoid it getting flagged.
I might think testing on a subdomain could be useful, but alas, not if they
flag by IPv4 address.  Of course with IPv6 :-) ...
Hmmmm, I wonder too, with IPv6, if one could create systems
to effectively tar pit such stupid scanners into oblivion or failure
from noting too many IP(v6) addresses ... feed 'em a trivial
page with shortest feasible malware they'll detect,
include link to another IPv6 address with same, repeat until one
runs out of IPv6 addresses.  ;->

But alas, students, etc. - encoding/encrypting it would raise the barrier
to entry - but at least it could still have the
(altered / "protected"(encoded)) content available.
I'd almost think to suggest something like, "need malware sample,
just wait for some spam email from The Internet - it will come in
in short order".  But alas, many students, etc., may have their only
readily accessible email already behind some anti-malware scanning, so
they may never see/receive such emails.  Once upon a time I saved and
collected the spam email I received.  A large percentage contained
malware.  But that was with rather to quite unfiltered receipt of email.
Ah, such spam :-/ ... generally of the form: "Hi.  I'm a Trojan.
Please be stupid/ignorant/careless enough to run me.  Thanks." ...
of course my rewording - not what the actual spam would say.

> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: [sf-lug] junkemailfilter.com claimed that linuxmafia.com is  
> a 'virus' site
> Date: Wed, 5 Oct 2016 16:17:31 -0700

> So, Jim's at well.com, that uses outsourced vetting of mail using
> external site junkemailfilter.com .  And recently it decided to
> start refusing all mail from linuxmafia.com's IP address,
> 198.144.195.186.
>
> http://ipadmin.junkemailfilter.com/remove.php yields this detail:
>
>   /ip-log/karma.log.03:virus 198.144.195.186 linuxmafia.com NOTQUIT [S=4 -
>   FakeMX NoQuit] X=tarbaby2 H=linuxmafia.com [198.144.195.186]
>   HELO=[linuxmafia.com] SN=[skeptic-bounces at linuxmafia.com]
>
> ...and I'm pretty sure I know where this noise comes from.  Until
> recently, I hosted on linuxmafia.com a collection for _study_ of
> MS-Windows malware that was current a couple of decades ago, every one
> of which had been rendered safe through measures that included giving
> them all .txt filename extensions.  Recently a couple of automated
> malware-checking sites stumbled on the archive.  I removed the archive
> (sorry, no more security study), and have been chasing down the places
> that blacklisted my IP.
>
> More at:
> http://linuxmafia.com/pipermail/conspire/2016-September/008583.html
> http://linuxmafia.com/pipermail/conspire/2016-September/008584.html
>
> I've just now gotten 198.144.195.186 whitelisted at junkemailfilter.com .
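The reasoning in the post above, that zip/tar/gzip wrapping will not hide a sample because scanners unpack archives recursively, whereas encrypting it with a key published alongside will, as an added example that is not part of the original thread or of anything hosted on linuxmafia.com. The "sample", the "signature" the scanner matches on, and the published passphrase are all constructed stand-ins, and the keyed-XOR cipher is a toy stand-in for the `gpg --symmetric` step the post suggests, used only so the example runs with the Python standard library:

```python
"""Why compression does not hide a sample from a signature scanner, but
encryption does.  Added example; nothing here is from the original post.
"""
import gzip
import hashlib
import io
import zipfile

# Constructed stand-ins (assumptions): a harmless marker in place of real
# malware bytes, and the byte pattern a crude signature scanner matches on.
SIGNATURE = b"DEMO-MALWARE-SIGNATURE-NOT-REAL"
SAMPLE = b"MZ" + b"\x00" * 16 + SIGNATURE + b"\x00" * 16

# Assumption: the passphrase is published on the site next to the file,
# as the post proposes for the gpg key.
PUBLISHED_PASSPHRASE = b"published-next-to-the-file"


def scan(blob: bytes, depth: int = 0, max_depth: int = 8) -> bool:
    """Crude scanner: match the signature, and, like real engines, recurse
    into gzip and zip containers before giving up.  True means 'flagged'."""
    if SIGNATURE in blob:
        return True
    if depth >= max_depth:
        return False
    if blob[:2] == b"\x1f\x8b":  # gzip magic
        try:
            return scan(gzip.decompress(blob), depth + 1, max_depth)
        except (OSError, EOFError):
            return False
    if blob[:4] == b"PK\x03\x04":  # zip local file header magic
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                return any(scan(zf.read(name), depth + 1, max_depth)
                           for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def gzip_wrap(blob: bytes) -> bytes:
    return gzip.compress(blob)


def zip_wrap(blob: bytes, name: str = "sample.txt") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, blob)
    return buf.getvalue()


def keystream(passphrase: bytes, n: int) -> bytes:
    """SHA-256 in counter mode over the passphrase; deterministic."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(passphrase + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def toy_encrypt(blob: bytes, passphrase: bytes) -> bytes:
    """Toy stand-in for `gpg --symmetric`: XOR with a keyed stream.  Not a
    serious cipher; it only shows the scanner has no pattern left to match."""
    return bytes(a ^ b for a, b in zip(blob, keystream(passphrase, len(blob))))


toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse


def demo() -> dict:
    """Run the scanner over each packaging of the sample."""
    enc = toy_encrypt(SAMPLE, PUBLISHED_PASSPHRASE)
    return {
        "plain": scan(SAMPLE),                      # flagged
        "gzip": scan(gzip_wrap(SAMPLE)),            # still flagged: unpacked
        "zip_in_gzip": scan(gzip_wrap(zip_wrap(SAMPLE))),  # still flagged
        "encrypted": scan(enc),                     # not flagged
        "roundtrip": toy_decrypt(enc, PUBLISHED_PASSPHRASE) == SAMPLE,
    }


if __name__ == "__main__":
    for packaging, flagged in demo().items():
        print(f"{packaging:12s} {flagged}")
```

For the real thing one would replace `toy_encrypt` with `gpg --symmetric --cipher-algo AES256 sample.txt` and put the passphrase in the README beside `sample.txt.gpg`; the point of the demo is only that the scanner's recursion defeats every compression layer while any keyed transformation it does not implement leaves it nothing to match.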
