[Mimedefang] Best method of dealing with automatic-propagation virus mails

Edward Wildgoose Edward.Wildgoose at FRMHedge.com
Mon Oct 28 08:07:02 EST 2002


I had quite a long discussion about this on the Postfix list a few weeks back (presumably most people here don't subscribe to that :-)

I really think that the only thing worth doing with viruses these days is to reject, i.e. DROP the SMTP connection before accepting the message (if possible).  Otherwise accept the message, then drop it into quarantine and ONLY notify the recipient.

The motivation is that these days the sender is forged and seems unlikely ever to be real from this point onwards.  Also, viruses for quite a while have been unrecoverable.  The days of them quietly infecting something real and useful that someone might want to get out of quarantine are past.  Also, by dropping the SMTP level connection you force the problem slowly up the tree and possibly eventually to the sending machine itself (if ISPs start to do this).  This should also hopefully make it easier for the user to spot the virus problem in the first place!

Just my 2p

Ed W

-----Original Message-----
From: jmiller at purifieddata.net [mailto:jmiller at purifieddata.net]
Sent: 27 October 2002 10:07
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Best method of dealing with automatic-propagation virus mails


On Sun, 27 Oct 2002, Martin Bene wrote:

> Hi,
>
> I'm wondering a) what the best way to treat mail generated by automatic virus
> propagation is and b) how to detect it.
>
> possibilities for a):
> 	- standard behaviour: strip the virus/executable, let the remaining
> message through with annotations
> 	- bounce at smtp level

This might be ok on viruses known NOT to forge the from address. However,
klez, bugbear, yaha, magistr, and others forge the from address randomly
from the address books they pull off the infected machine.
This means your bounces could be propagating the virus.

> 	- silently drop it, possibly with an admin notification.

Personally, I use action_notify_sender and send them an informative
message telling them what virus was found, etc.
But I don't do this if a virus is found that is known to forge from
addresses (people who know they're not infected who get warnings saying
they're infected tend to get pissed from time to time, and it's useless to
notify some other random entry in the infected user's address book)

> Harder is the 2nd problem, namely how to detect these mails; couple of
> possibles here: when using a virus scanner, using $VirusName is the obvious
> approach. Using a list of currently known viri (klez, sircam, Bugbear/Tanatos,
> Lentin) should work. Also, some scanners use a naming scheme that can be used
> for detection (Kaspersky classes all of these as I-Worm.<something-or-other>,
> so using /^I-Worm/ as a trigger should work fine.)

$VirusName works very nicely. Just check your virus dat to see what it'll
call them.

--
Josh I.

_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
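The policy the two replies above arrive at (reject at SMTP time when the virus is one that forges the sender, otherwise quarantine and notify the sender) as a MIMEDefang filter_begin(), written here as an added illustration rather than code from the thread or from the MIMEDefang project.  It assumes the standard MIMEDefang filter API (message_contains_virus, $VirusName, action_bounce, action_quarantine_entire_message, action_notify_sender, action_notify_administrator); the list of forging worm names is taken from the messages above and is not exhaustive.

```perl
use strict;
use warnings;

# Worm families the thread names as forging the sender address.
# The last pattern covers Kaspersky's "I-Worm.<name>" naming scheme.
my @forging_patterns = (
    qr/klez/i,    qr/bugbear/i, qr/tanatos/i, qr/yaha/i,
    qr/lentin/i,  qr/magistr/i, qr/sircam/i,  qr/^I-Worm/,
);

# Returns 1 if the scanner's name for the virus matches a known forger.
sub virus_forges_sender {
    my ($name) = @_;
    return 0 unless defined $name;
    for my $pat (@forging_patterns) {
        return 1 if $name =~ $pat;
    }
    return 0;
}

# Called once per message before the per-part filter() runs.
sub filter_begin {
    my ($entity) = @_;              # whole message as a MIME::Entity
    return unless message_contains_virus();

    my $name = $VirusName || 'unknown';   # set by the scanner wrapper

    if (virus_forges_sender($name)) {
        # Sender is forged: no bounce mail, no sender notification.
        # A 5xx reply at SMTP time pushes the problem back to the
        # connecting host instead of to a random address-book entry.
        action_bounce("Message rejected: contains virus $name");
        return;
    }

    # Sender believed genuine: keep a copy for the postmaster and
    # tell the sender what was found.
    action_quarantine_entire_message("Virus $name found");
    action_notify_sender(
        "Your message was quarantined because it contains the virus '$name'.\n");
    action_notify_administrator("Quarantined a message carrying $name\n");
}

1;
```

Check the names your scanner actually reports (as Josh notes, the virus dat decides what $VirusName looks like) before relying on the pattern list.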