Bug #3267 » Bug #9147 - 2017-06-13T13_32_19Z.eml

Anonymous, 2017-06-13 15:32

 
Return-Path: <dudealert86@outlook.com>
Received: from mi005.mc1.hosteurope.de ([80.237.138.250]) by wp245.webpack.hosteurope.de running ExIM with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1dKlvY-0003rM-Bk; Tue, 13 Jun 2017 15:32:12 +0200
Received: from mail-oln040092007036.outbound.protection.outlook.com ([40.92.7.36] helo=NAM03-CO1-obe.outbound.protection.outlook.com) by mx0.webpack.hosteurope.de (mi005.mc1.hosteurope.de) with esmtps (TLSv1.2:AES256-SHA256:256) id 1dKlvV-0008Nq-I7 for inbox+saxonica+f38e+saxon@plan.io; Tue, 13 Jun 2017 15:32:12 +0200
Received: from BY2NAM03FT058.eop-NAM03.prod.protection.outlook.com (10.152.84.59) by BY2NAM03HT056.eop-NAM03.prod.protection.outlook.com (10.152.85.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1157.12; Tue, 13 Jun 2017 13:32:03 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.152.84.60) by BY2NAM03FT058.mail.protection.outlook.com (10.152.85.184) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1157.12 via Frontend Transport; Tue, 13 Jun 2017 13:32:03 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([10.173.161.15]) by BN6PR14MB1106.namprd14.prod.outlook.com ([10.173.161.15]) with mapi id 15.01.1157.017; Tue, 13 Jun 2017 13:32:03 +0000
Date: Tue, 13 Jun 2017 13:32:03 +0000
From: Greg Smith <dudealert86@outlook.com>
To: Saxonica Developer Community <inbox+saxonica+f38e+saxon@plan.io>
Message-ID: <BN6PR14MB1106D3A2CC55CA7FD867852CACC20@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <redmine.journal-9144.20170613113438.037a1fb316a27bde@plan.io>
References: <redmine.issue-3267.20170613092205@plan.io>,<redmine.journal-9144.20170613113438.037a1fb316a27bde@plan.io>
Subject: Re: [Saxon - Bug #3267] Malware in Sourceforge download file
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary=_000_BN6PR14MB1106D3A2CC55CA7FD867852CACC20BN6PR14MB1106namp_
Content-Transfer-Encoding: 7bit
Delivery-date: Tue, 13 Jun 2017 15:32:12 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=OEWDgzo7RNEypVrZG7yQBFlXy8kB2qTkGMwrEWmFU98=;
b=f1+C80ISJ3u3ugzAauXRrAz4wITC+ASi9+IPVvg7FFqlHh2++O4/m36p6dD2fSuJp9nUJw/YSXqX0fbQ+HSGe1b0YVdPSIDG5bqqoEoIZly3vaZD68FP/lVWZfDpMYuGbs5Z/REZip9MSCH+ik05mcLrQxNQm+8XWzRjo3c2jPX/2ws5L2/VThcLcjM2XVz4K5if2N5tfaivEx8iiSIfgMMqv8qb085Zdd9n7FaJ2ghxIGu+kkOYqd9k35g1JfICU6P0lUwe5t+/kkAx1sCqnmTtBg9GfO6RtqnYg92/0/mnXq0DetsnSQkInf8JJX2QiVYTCfvx/X+Ym6dOiWFDGA==
Thread-Topic: [Saxon - Bug #3267] Malware in Sourceforge download file
Thread-Index: AQHS5DkNskslNhAHJUiQPaprpHblwaIiyijN
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: plan.io; dkim=none (message not signed)
header.d=none;plan.io; dmarc=none action=none header.from=outlook.com;
x-incomingtopheadermarker: OriginalChecksum:017C0235B25E059D0FD959C14F3301AAABA2792CBA7EE74169A22464295834CF;UpperCasedChecksum:DC9E4CC6D548054FC98246073447FC863007EF6E61EEDD6A064CA68B527F8A60;SizeAsReceived:7261;Count:44
x-tmn: [yU9U5cUzUvClTV4yipCAgwoaEcSsQ3fI]
x-ms-publictraffictype: Email
x-incomingheadercount: 44
x-eopattributedmessage: 0
x-forefront-antispam-report: EFV:NLI;SFV:NSPM;SFS:(7070007)(98901004);DIR:OUT;SFP:1901;SCL:1;SRVR:BY2NAM03HT056;H:BN6PR14MB1106.namprd14.prod.outlook.com;FPR:;SPF:None;LANG:en;
x-ms-traffictypediagnostic: BY2NAM03HT056:
x-ms-office365-filtering-correlation-id: 4b4ec984-1037-4beb-2ff1-08d4b260940e
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1603101448)(1601125374)(1701031045);SRVR:BY2NAM03HT056;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(444000031);SRVR:BY2NAM03HT056;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BY2NAM03HT056;
x-forefront-prvs: 0337AFFE9A
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jun 2017 13:32:03.5238 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2NAM03HT056
X-HE-Virus-Scanned: Yes
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.3
X-HE-Spam-Report: Content analysis details: (0.3 points)
  pts  rule name                   description
  ---- ----------------------      --------------------------------------------------
  -0.0 RCVD_IN_DNSWL_NONE          RBL: Sender listed at http://www.dnswl.org/, no trust [40.92.7.36 listed in list.dnswl.org]
   0.0 FREEMAIL_FROM               Sender email is commonly abused enduser mail provider (dudealert86[at]outlook.com)
   0.2 FREEMAIL_ENVFROM_END_DIGIT  Envelope-from freemail username ends in digit (dudealert86[at]outlook.com)
   0.1 HTML_MESSAGE                BODY: HTML included in message
  -0.1 DKIM_VALID_AU               Message has a valid DKIM or DK signature from author's domain
  -0.1 DKIM_VALID                  Message has at least one valid DKIM or DK signature
   0.1 DKIM_SIGNED                 Message has a DKIM or DK signature, not necessarily valid
X-HE-SPF: PASSED
Envelope-to: inbox+saxonica+f38e+saxon@plan.io


--_000_BN6PR14MB1106D3A2CC55CA7FD867852CACC20BN6PR14MB1106namp_
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable

I'll send a screen shot, it is a hidden file that webroot detects.


________________________________
From: Saxonica Developer Community <notifications@plan.io>
Sent: Tuesday, June 13, 2017 7:34:39 AM
Subject: [Saxon - Bug #3267] Malware in Sourceforge download file


--- In your reply, please do not write below this line ---


Issue #3267<https://saxonica.plan.io/issues/3267?pn=1#change-9144> has been updated by Michael Kay.

We have checked the file and we do not believe there is anything wrong with it.

It is true that SourceForge acquired a bad reputation a couple of years ago for adding unwanted (but generally harmless) software to open source downloads. I understand that they have since ceased this practice unless the software owner positively opts into it in order to get revenue - which we have not done.

It is also true that the site is cluttered with advertisements for unrelated products that can easily mislead you into downloading the wrong thing, and this practice has damaged its reputation.

We have tested the .NET install script that you link to in your message and we believe it is clean and does not contain malware. If you believe otherwise, please be more precise about exactly what you did and what happened to make you think there was malware.

The behaviour you describe "The newer version of the HE version of Saxon was detected as soon as installation started, but the older version was detected once I attempted to run a Query." doesn't seem related to malware, but rather suggests some configuration problem in your installation. Again, please try to tell us more precisely what happened.

We are reluctant to move away from SourceForge because it's useful to maintain continuity; we cannot remove the many software releases that are currently on the site, and it would cause confusion if the newest releases were not available there. We also now distribute via Maven. For commercial versions of the software, of course, we use www.saxonica.com<http://www.saxonica.com>.

________________________________
Bug #3267: Malware in Sourceforge download file<https://saxonica.plan.io/issues/3267?pn=1#change-9144>

* Author: Herbert Smith
* Status: New
* Priority: High
* Assignee: O'Neil Delpratt
* Category: Build and release
* Sprint/Milestone:
* Legacy ID:
* Applies to branch:
* Fix Committed on Branch:
* Fixed in Maintenance Release:
* Found in version: .NET HE 9.7 and 9.8
* Fixed in version:

https://sourceforge.net/projects/saxon/files/Saxon-HE/9.7/SaxonHE9-7-0-18N-setup.exe/download

That file, along with the newer version that I uninstalled to try the one that I linked, are infected with malware. The newer version of the HE version of Saxon was detected as soon as installation started, but the older version was detected once I attempted to run a Query.

Because of the infected files on sourceforge, I am unable to use the Saxon product that I need for a school assignment. Sourceforge is known more for its malware now than it is for what can be downloaded, so maybe switch over to another site. I will never be a customer as long as the stuff is only available from that site.



--_000_BN6PR14MB1106D3A2CC55CA7FD867852CACC20BN6PR14MB1106namp_--