Saxon

Return-Path: <dudealert86@outlook.com>

Received: from mi005.mc1.hosteurope.de ([80.237.138.250]) by wp245.webpack.hosteurope.de running ExIM with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1dKlvY-0003rM-Bk; Tue, 13 Jun 2017 15:32:12 +0200

Received: from mail-oln040092007036.outbound.protection.outlook.com ([40.92.7.36] helo=NAM03-CO1-obe.outbound.protection.outlook.com) by mx0.webpack.hosteurope.de (mi005.mc1.hosteurope.de) with esmtps (TLSv1.2:AES256-SHA256:256) id 1dKlvV-0008Nq-I7 for inbox+saxonica+f38e+saxon@plan.io; Tue, 13 Jun 2017 15:32:12 +0200

Received: from BY2NAM03FT058.eop-NAM03.prod.protection.outlook.com (10.152.84.59) by BY2NAM03HT056.eop-NAM03.prod.protection.outlook.com (10.152.85.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1157.12; Tue, 13 Jun 2017 13:32:03 +0000

Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.152.84.60) by BY2NAM03FT058.mail.protection.outlook.com (10.152.85.184) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1157.12 via Frontend Transport; Tue, 13 Jun 2017 13:32:03 +0000

Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([10.173.161.15]) by BN6PR14MB1106.namprd14.prod.outlook.com ([10.173.161.15]) with mapi id 15.01.1157.017; Tue, 13 Jun 2017 13:32:03 +0000

Date: Tue, 13 Jun 2017 13:32:03 +0000

From: Greg Smith <dudealert86@outlook.com>

To: Saxonica Developer Community <inbox+saxonica+f38e+saxon@plan.io>

Message-ID: <BN6PR14MB1106D3A2CC55CA7FD867852CACC20@BN6PR14MB1106.namprd14.prod.outlook.com>

In-Reply-To: <redmine.journal-9144.20170613113438.037a1fb316a27bde@plan.io>

References: <redmine.issue-3267.20170613092205@plan.io>,<redmine.journal-9144.20170613113438.037a1fb316a27bde@plan.io>

Subject: Re: [Saxon - Bug #3267] Malware in Sourceforge download file

Mime-Version: 1.0

Content-Type: multipart/alternative;

boundary=_000_BN6PR14MB1106D3A2CC55CA7FD867852CACC20BN6PR14MB1106namp_

Content-Transfer-Encoding: 7bit

Delivery-date: Tue, 13 Jun 2017 15:32:12 +0200

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;

s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;

bh=OEWDgzo7RNEypVrZG7yQBFlXy8kB2qTkGMwrEWmFU98=;

b=f1+C80ISJ3u3ugzAauXRrAz4wITC+ASi9+IPVvg7FFqlHh2++O4/m36p6dD2fSuJp9nUJw/YSXqX0fbQ+HSGe1b0YVdPSIDG5bqqoEoIZly3vaZD68FP/lVWZfDpMYuGbs5Z/REZip9MSCH+ik05mcLrQxNQm+8XWzRjo3c2jPX/2ws5L2/VThcLcjM2XVz4K5if2N5tfaivEx8iiSIfgMMqv8qb085Zdd9n7FaJ2ghxIGu+kkOYqd9k35g1JfICU6P0lUwe5t+/kkAx1sCqnmTtBg9GfO6RtqnYg92/0/mnXq0DetsnSQkInf8JJX2QiVYTCfvx/X+Ym6dOiWFDGA==

Thread-Topic: [Saxon - Bug #3267] Malware in Sourceforge download file

Thread-Index: AQHS5DkNskslNhAHJUiQPaprpHblwaIiyijN

Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

authentication-results: plan.io; dkim=none (message not signed)

header.d=none;plan.io; dmarc=none action=none header.from=outlook.com;

x-incomingtopheadermarker: OriginalChecksum:017C0235B25E059D0FD959C14F3301AAABA2792CBA7EE74169A22464295834CF;UpperCasedChecksum:DC9E4CC6D548054FC98246073447FC863007EF6E61EEDD6A064CA68B527F8A60;SizeAsReceived:7261;Count:44

x-tmn: [yU9U5cUzUvClTV4yipCAgwoaEcSsQ3fI]

x-ms-publictraffictype: Email

x-microsoft-exchange-diagnostics: 1;BY2NAM03HT056;7:72trfBMU7lOvcGney1nCqecbpEM8zWVsg1jNTywyLJPmvQ3KobSiQjcuO45Az2J3lxlzjVNRHTnHiIvu5y7BRi4a+jHNFuejMBUp6aScwRHvS6IByY5eDW3zRVSbUBCdsSlTWEDu1ms/C8timkLwxz9DsBxKJH1JrkaInJJjoF5oZi0AsBSFGcru/E9Z6ZZseljmoEdbgGNbnbYHID851qnPY5XWTE4wMXCiEsaJfltt/+NjEbqP7fzQzbJTp2re8psT4pdk2SBwW89EEKQ4I5EMe11E89Mq22/31iY1nwbirtEEZQyo2QAmn23PiphPICKCHFTYoB/TK37x/mYzbvJWe4k+9N2Z0LNqOXKX2ylfhES3dR6Bgasm8Bd9LBAx9F7oHhaUXdXRlgNg0p7Bjb0irtPqTN4s5uKseFPL3R4mtXlNUuFRy3TBtZ6NO043EZFvZY0B9gTO+bKs4eDtkNpWklMH95+PH+0SCKTxAVa5688QCc3L0d9W7h3xhLceHmYyeCmDzG4JSJP+PftRZxsaBav61aXUof1kdnCqs2h+gzgpz1EI2jxIUcpJfpuJocCSOcnqntJq08fTFBpzMKv/JIUzUSwLojlgK1RTvgM8JAIecu2+ZLKdWiq1q450vbHf1HnUta2QpSTOyU+va2bjfledA420gQgJDg/uLNiXRTrcodBOEGIAdWvb7PRnQvl1XYYAT7D+2/q9ffj9qUGCw/nh159WwcsNr1F5HNfCMJuaJhX/jcmZEG5rZVi5yvHeDqcnDw8lK6sY2VgzEw==

x-incomingheadercount: 44

x-eopattributedmessage: 0

x-forefront-antispam-report: EFV:NLI;SFV:NSPM;SFS:(7070007)(98901004);DIR:OUT;SFP:1901;SCL:1;SRVR:BY2NAM03HT056;H:BN6PR14MB1106.namprd14.prod.outlook.com;FPR:;SPF:None;LANG:en;

x-ms-traffictypediagnostic: BY2NAM03HT056:

x-ms-office365-filtering-correlation-id: 4b4ec984-1037-4beb-2ff1-08d4b260940e

x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1603101448)(1601125374)(1701031045);SRVR:BY2NAM03HT056;

x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(444000031);SRVR:BY2NAM03HT056;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BY2NAM03HT056;

x-forefront-prvs: 0337AFFE9A

spamdiagnosticoutput: 1:99

spamdiagnosticmetadata: NSPM

X-OriginatorOrg: outlook.com

X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jun 2017 13:32:03.5238 (UTC)

X-MS-Exchange-CrossTenant-fromentityheader: Internet

X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2NAM03HT056

X-HE-Virus-Scanned: Yes

X-HE-Spam-Level: /

X-HE-Spam-Score: 0.3

X-HE-Spam-Report: Content analysis details: (0.3 points) pts rule name

description ---- ----------------------

-------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE

RBL: Sender listed at http://www.dnswl.org/, no trust [40.92.7.36 listed in

list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail

provider (dudealert86[at]outlook.com) 0.2 FREEMAIL_ENVFROM_END_DIGIT

Envelope-from freemail username ends in digit (dudealert86[at]outlook.com) 0.1

HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a

valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at

least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK

signature, not necessarily valid

X-HE-SPF: PASSED

Envelope-to: inbox+saxonica+f38e+saxon@plan.io

--_000_BN6PR14MB1106D3A2CC55CA7FD867852CACC20BN6PR14MB1106namp_

Content-Type: text/plain;

charset=us-ascii

Content-Transfer-Encoding: quoted-printable

I'll send screen a screen shot, it is a hidden file that webroot detects.=

________________________________

From: Saxonica Developer Community <notifications@plan.io>

Sent: Tuesday, June 13, 2017 7:34:39 AM

Subject: [Saxon - Bug #3267] Malware in Sourceforge download file

--- In your reply, please do not write below this line ---

Issue #3267<https://saxonica.plan.io/issues/3267?pn=3D1#change-9144> has =

been updated by Michael Kay.

We have checked the file and we do not believe there is anything wrong wi=

th it.

It is true that SourceForge acquired a bad reputation a couple of years a=

go for adding unwanted (but generally harmless) software to open source d=

ownloads. I understand that they have since ceased this practice unless t=

he software owner positively opts into it in order to get revenue - which=

we have not done.

It is also true that the site is cluttered with advertisements for unrela=

ted products that can easily mislead you into downloading the wrong thing=

, and this practice has damaged its reputation.

We have tested the .NET install script that you link to in your message a=

nd we believe it is clean and does not contain malware. If you believe ot=

herwise, please be more precise about exactly what you did and what happe=

ned to make you think there was malware.

The behaviour you describe "The newer version of the HE version of Saxon =

was detected as soon as installation started, but the older version was d=

etected once I attempted to run a Query." doesn't seem related to malware=

, but rather suggests some configuration problem in your installation. Ag=

ain, please try to tell us more precisely what happened.

We are reluctant to move away from SourceForge because it's useful to mai=

ntain continuity; we cannot remove the many software releases that are cu=

rrently on the site, and it would cause confusion if the newest releases =

were not available there. We also now distribute via Maven. For commercia=

l versions of the software, of course, we use www.saxonica.com<http://www=

.saxonica.com>.

________________________________

Bug #3267: Malware in Sourceforge download file<https://saxonica.plan.io/=

issues/3267?pn=3D1#change-9144>

* Author: Herbert Smith

* Status: New

* Priority: High

* Assignee: O'Neil Delpratt

* Category: Build and release

* Sprint/Milestone:

* Legacy ID:

* Applies to branch:

* Fix Committed on Branch:

* Fixed in Maintenance Release:

* Found in version: .NET HE 9.7 and 9.8

* Fixed in version:

https://sourceforge.net/projects/saxon/files/Saxon-HE/9.7/SaxonHE9-7-0-18=

N-setup.exe/download

That file, along with the newer version that I uninstalled to try the one=

that I linked, are infected with malware. The newer version of the HE ve=

rsion of Saxon was detected as soon as installation started, but the olde=

r version was detected once I attempted to run a Querry.

Because of the infected files on sourceforge, I am unable to use the Saxo=

n product that I need for a school assignment. Sourceforge is known more =

for it's malware now than it is for what can be downloaded, so maybe swit=

ch over to another site. I will never be a customer as long as the stuff =

is only available from that site.

________________________________

You have received this notification because you have either subscribed to=

or are involved in a project on Saxonica Developer Community site.

To change your notification preferences, please click here: https://saxon=

ica.plan.io/my/account?tour=3Dmail_preferences

This notification was cheerfully delivered by<https://plan.io/>

[Planio]<https://plan.io/>

--_000_BN6PR14MB1106D3A2CC55CA7FD867852CACC20BN6PR14MB1106namp_

Content-Type: text/html;

charset=us-ascii

Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>

<html>

<head>

<!--[if !mso]><!-- -->

<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-asci=

i">

<link href=3D"https://assets.plan.io/stylesheets/fonts.css" rel=3D"styles=

heet" type=3D"text/css"><!--<![endif]--><style>a:link{color:#0088b7}

a:visited{color:#0088b7}

a:hover{color:#0088b7}

a:active{color:#0088b7}</style>

</head>

<body style=3D"font-family:&quot;ProximaNova-Regular&quot;, Helvetica, Ar=

ial, sans-serif;font-size:14px;line-height:1.4em;color:#333434">

<style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;mar=

gin-bottom:0;} --></style>

<div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;fo=

nt-family:Calibri,Arial,Helvetica,sans-serif;" dir=3D"ltr">

<p>I'll send screen a screen&nbsp;shot, it is a hidden file that webroot =

detects.</p>

</div>

<hr style=3D"display:inline-block;width:98%" tabindex=3D"-1">

<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" =

style=3D"font-size:11pt" color=3D"#000000"><b>From:</b> Saxonica Develope=

r Community &lt;notifications@plan.io&gt;<br>

<b>Sent:</b> Tuesday, June 13, 2017 7:34:39 AM<br>

<b>Subject:</b> [Saxon - Bug #3267] Malware in Sourceforge download file<=

/font>

<div>&nbsp;</div>

</div>

<div>

<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"0" style=3D"border=

-spacing:0;border-collapse:collapse;width:100%">

<tbody>

<tr>

<td class=3D"header" style=3D"text-align:center;width:100%;font-family:Ma=

rketWeb, Helvetica, Arial, sans-serif;font-size:0.8em;color:#D7D7D7">

<p>--- In your reply, please do not write below this line ---</p>

</td>

</tr>

<tr>

<td>Issue <a href=3D"https://saxonica.plan.io/issues/3267?pn=3D1#change-9=

144" style=3D"color:#0088b7">

#3267</a> has been updated by Michael Kay.

<ul>

</ul>

<p>We have checked the file and we do not believe there is anything wrong=

with it.</p>

<p>It is true that SourceForge acquired a bad reputation a couple of year=

s ago for adding unwanted (but generally harmless) software to open sourc=

e downloads. I understand that they have since ceased this practice unles=

s the software owner positively opts into

it in order to get revenue - which we have not done.</p>

<p>It is also true that the site is cluttered with advertisements for unr=

elated products that can easily mislead you into downloading the wrong th=

ing, and this practice has damaged its reputation.</p>

<p>We have tested the .NET install script that you link to in your messag=

e and we believe it is clean and does not contain malware. If you believe=

otherwise, please be more precise about exactly what you did and what ha=

ppened to make you think there was malware.</p>

<p>The behaviour you describe &quot;The newer version of the HE version o=

f Saxon was detected as soon as installation started, but the older versi=

on was detected once I attempted to run a Query.&quot; doesn't seem relat=

ed to malware, but rather suggests some configuration

problem in your installation. Again, please try to tell us more precisel=

y what happened.</p>

<p>We are reluctant to move away from SourceForge because it's useful to =

maintain continuity; we cannot remove the many software releases that are=

currently on the site, and it would cause confusion if the newest releas=

es were not available there. We also now

distribute via Maven. For commercial versions of the software, of course=

, we use

<a class=3D"external" href=3D"http://www.saxonica.com" style=3D"color:#00=

88b7">www.saxonica.com</a>.</p>

<hr style=3D"width:100%;height:1px;background:#ccc;border:0;margin:1.2em =

0">

<h1 style=3D"font-family:&quot;ProximaNova-Bold&quot;, Helvetica, Arial, =

sans-serif;font-weight:normal;margin:0px;font-size:1.3em;line-height:1.4e=

m">

<a href=3D"https://saxonica.plan.io/issues/3267?pn=3D1#change-9144" style=

=3D"color:#0088b7;text-decoration:none">Bug #3267: Malware in Sourceforge=

download file</a></h1>

<ul>

<li>Author: Herbert Smith </li><li>Status: New </li><li>Priority: High </=

li><li>Assignee: O'Neil Delpratt </li><li>Category: Build and release </l=

i><li>Sprint/Milestone: </li><li>Legacy ID: </li><li>Applies to branch: <=

/li><li>Fix Committed on Branch: </li><li>Fixed in Maintenance Release: <=

/li><li>Found in version: .NET HE 9.7 and 9.8 </li><li>Fixed in version: =

</li></ul>

<p><a class=3D"external" href=3D"https://sourceforge.net/projects/saxon/f=

iles/Saxon-HE/9.7/SaxonHE9-7-0-18N-setup.exe/download" style=3D"color:#00=

88b7">https://sourceforge.net/projects/saxon/files/Saxon-HE/9.7/SaxonHE9-=

7-0-18N-setup.exe/download</a></p>

<p>That file, along with the newer version that I uninstalled to try the =

one that I linked, are infected with malware. The newer version of the HE=

version of Saxon was detected as soon as installation started, but the o=

lder version was detected once I attempted

to run a Querry.</p>

<p>Because of the infected files on sourceforge, I am unable to use the S=

axon product that I need for a school assignment. Sourceforge is known mo=

re for it's malware now than it is for what can be downloaded, so maybe s=

witch over to another site. I will never

be a customer as long as the stuff is only available from that site.</p>=

<div itemscope=3D"itemscope" itemtype=3D"http://schema.org/EmailMessage">=

<div itemscope=3D"itemscope" itemprop=3D"action" itemtype=3D"http://schem=

a.org/ViewAction">

<link itemprop=3D"url" href=3D"https://saxonica.plan.io/issues/3267?pn=3D=

1#change-9144">

<meta itemprop=3D"name" content=3D"View Issue">

</div>

<meta itemprop=3D"description" content=3D"View this issue update on Plani=

o">

</div>

</td>

</tr>

<tr>

<td class=3D"footer" style=3D"font-size:0.8em;width:100%">

<hr style=3D"width:100%;height:1px;background:#ccc;border:0;margin:1.2em =

0">

<p>You have received this notification because you have either subscribed=

to or are involved in a project on Saxonica Developer Community site.<br=

>

To change your notification preferences, please click here: <a class=3D"e=

xternal" href=3D"https://saxonica.plan.io/my/account?tour=3Dmail_preferen=

ces" style=3D"color:#0088b7">

https://saxonica.plan.io/my/account?tour=3Dmail_preferences</a></p>

</td>

<td></td>

</tr>

<tr>

<td class=3D"planio_footer" style=3D"text-align:center;width:100%;font-fa=

mily:MarketWeb, Helvetica, Arial, sans-serif;font-size:1.2em;color:#D7D7D=

7">

<br>

<div><a href=3D"https://plan.io/" style=3D"color:#0088b7;color:#D7D7D7;te=

xt-decoration:none">This notification was cheerfully delivered by</a></di=

v>

</td>

<td></td>

</tr>

<tr>

<td class=3D"planio_footer_logo" style=3D"text-align:center;width:100%"><=

a href=3D"https://plan.io/" title=3D"Planio" style=3D"color:#0088b7"><img=

height=3D"25" width=3D"102" border=3D"0" alt=3D"Planio" style=3D"vertica=

l-align:middle;border:none" src=3D"https://assets.plan.io/images/planio_l=

ogo_gray_204x50.png"></a></td>

</tr>

</tbody>

</table>

</div>

</body>

</html>

--_000_BN6PR14MB1106D3A2CC55CA7FD867852CACC20BN6PR14MB1106namp_--