[Mimedefang] Virus statistics (was: One that the default filter missed...)

Michael D. Sofka sofkam at rpi.edu
Fri May 24 16:03:14 EDT 2002


At 03:10 PM 5/24/2002 -0400, David F. Skoll wrote:
>On Fri, 24 May 2002, Michael D. Sofka wrote:
>
>> I have also
>> placed a copy of the report I prepared based on a few weeks of data
>> gathering (viruses.pdf).
>
>And you used pdfLaTeX to make it. :-)  Man after my own heart...
>
>One question:  Why don't you just block all executables as in the
>latest (2.12) sample filter?  I expect then that MD would have caught
>99.9% of everything that was caught by Sophos.  Your point about .doc
>and .xls is well taken; however, I think Word and Excel are not as
>widely deployed as Windows itself (especially for home users), so such
>viruses would propagate more slowly.

But, they would spread rapidly in some sub-populations.  And, that happens
to include the sub-population that pays the bills.

>Is there a legitimate reason for allowing .pif/.exe/.scr/etc files
>to travel by e-mail?

We are a university, with a broad user base.  As such, there are things we
cannot (and maybe should not) do that a corporation or individual can do.
You may have heard this too many times before, but it is true.  Universities
pride themselves on openness, and we hate to give that up, even a little.
Blocking whole categories of messages feels like giving up.

I could probably make a case for blocking .pif and .lnk.  But, .exe, .com, .dll,
.scr, etc. are mailed as part of assignments.  I do block them on
the listproc machine, and that did cause some problems.  I briefly
blocked .pif and .lnk files, and found that they were being emailed by people.
Until I had good evidence that most contain viruses, it would have been
hard to justify a block.  (And, with virus scanning it isn't necessary to block
all such attachments, just those that contain a virus.)

Long term, we hope to make available ways to easily share documents
without using email.  Of course, in doing so, we will make available a way
to easily share viruses without using email....  But, email is the low
fruit.  Virus writers will exploit other vectors more heavily as email is
shut down to them.  Viruses are the most successful example of agents
out there, and it's all just evolution in action.

>> Finally, you will note this is MIMEDefang 2.3.  Since upgrading will
>> require a new compile of sendmail,
>
>Actually, not really; MD 2.12 should still work fine with Sendmail
>8.11, although it's not recommended.
>
>> I'm still waiting to read how CitiBank handles 1.5 million emails a day...
>
>Me too.  You can bet your bottom dollar they don't exec a virus scanner
>for each message.  I'm guessing they either filter based solely on
>filename, or use a daemonized virus-scanner which stays resident.  And I
>bet they use a cluster of machines.  Please let us know... :-)

We are going the SMTP server farm route, with a redirector.  That will allow
me to take a machine out of the pool, update it and test it without disrupting
service.  The machines have enough memory to use a RAM disk for virus
scanning.  A memory resident scanner would be a very nice addition (I wonder
if sweep can read from STDIN....)

Mike

--
Michael Sofka                          sofkam at rpi.edu
CCT Sr. Systems Programmer  email, webmail, listproc, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.    http://www.rpi.edu/~sofkam/
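As an added illustration of the policy described in this reply (block a narrow list of extensions by name, and let the virus scanner decide about .exe, .com, .dll and .scr), here is a MIMEDefang filter fragment in Perl. It is not code from this thread or from the MIMEDefang distribution; the function names (re_match, message_contains_virus, action_drop_with_warning, action_bounce, action_quarantine_entire_message, message_rejected, action_accept) are assumed to follow the 2.x sample filter's conventions, and the two-extension list is a constructed example.

```perl
# Added example: a MIMEDefang filter fragment (Perl, the language of
# mimedefang-filter).  Names follow the 2.x sample filter; adjust for
# your version.  Only .pif and .lnk are blocked by name (constructed
# list); everything else relies on the virus scanner.

# Extensions with essentially no legitimate use as mail attachments here.
my $narrow_block = '(pif|lnk)';

# Match ".pif" or ".lnk" at the end of a name, tolerating trailing dots
# ("file.pif.") that some mail clients strip before saving.
my $narrow_re = '\.' . $narrow_block . '\.*$';

sub filter_begin () {
    # Scan the whole message first; the scanner, not the file name,
    # decides the fate of .exe/.com/.dll/.scr attachments.
    if (message_contains_virus()) {
        action_quarantine_entire_message("Virus $VirusName detected");
        return action_bounce("Message rejected: it contains the virus $VirusName");
    }
}

sub filter ($$$$) {
    my ($entity, $fname, $ext, $type) = @_;
    return if message_rejected();   # nothing more to do once bounced

    # Narrow name-based block: drop the part, tell the recipient why.
    if (re_match($entity, $narrow_re)) {
        return action_drop_with_warning(
            "An attachment named $fname was removed from this message.\n" .
            "Files of this type are not accepted by e-mail; please contact\n" .
            "the sender to arrange another way to receive it.\n");
    }

    # Everything else (including executables mailed for assignments)
    # is accepted once it has passed the virus scan in filter_begin.
    return action_accept();
}
```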
