[Mimedefang] klez detection
Rich West
Rich.West at wesmo.com
Mon Mar 31 19:56:01 EST 2003
Ouch.. at the very least, you could use the File::Scan perl module for
virus signature detection. It's VERY simple and rather effective. It
makes for a great starting point..
-Rich
Michael Sims wrote:
>I saw this method in the archives, and it is definitely not reliable. There
>are many legitimate attachments that will have that same sequence of
>characters that are not infected.
>
>My current filter is pretty ugly, but it seems effective. This is what I do
>inside the filter() sub:
>
>1. Check to see if the message contains an attachment of *.pif or *.scr. If
>so, log it and discard it. I can't think of a legitimate reason to send
>those types of attachments in email, and they are VERY prevalent in virus
>infected emails. By discarding those right off the bat I save my filter
>from having to do a lot of pointless work. I can't foresee a situation where
>one of my end users calls me and says "help, I can't send this great *.pif
>file to my friend Bob in Accounting..."
>
>2. If the message contains an attachment of type *.exe, *.bat, or *.com, I
>then scan the Subject line against a list of known Klez-variant subject
>lines. If the subject matches one of the patterns, I log it and discard it.
>This is really ugly, I know, but it seems to be effective. I'm sure the
>subject scan is an expensive operation, but it only occurs if the message
>contains one of the aforementioned attachment types, and not on all
>messages.
>
>I'm certain there is a better approach, but if you're interested in my
>filter I can send it to you off-list...
>
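The two-step heuristic Michael describes (drop *.pif and *.scr outright; drop *.exe, *.bat and *.com only when the Subject also matches a known pattern) as a stand-alone Perl script, added here as an example and not code from either poster. The subject patterns and the sample (filename, subject) pairs are constructed for illustration, not a real Klez subject list; the commented-out filter() hook at the end assumes the standard mimedefang-filter signature and the $Subject, md_syslog(), action_discard() and action_accept() names.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a stand-alone version of the
# two-step attachment/subject heuristic described in the quoted message.
# Sample data and subject patterns are constructed placeholders.
use strict;
use warnings;

# Step 1: attachment types that are discarded unconditionally.
my %always_drop = map { $_ => 1 } qw(pif scr);

# Step 2: attachment types that are dropped only when the Subject also matches.
my %drop_if_subject = map { $_ => 1 } qw(exe bat com);

# Illustrative subject patterns (constructed, not an actual Klez signature list).
my @suspicious_subjects = (
    qr/^\s*(?:re:\s*)?hi\s*$/i,
    qr/^\s*(?:re:\s*)?a\s+(?:funny|nice)\s+game\b/i,
    qr/\bremoval\s+tools?\b/i,
);

# Returns 'discard' or 'allow' for one attachment, given its extension and the
# message subject.  A leading dot is stripped so the function accepts both a
# bare extension and the ".exe" form MIMEDefang passes to filter().
sub verdict {
    my ($ext, $subject) = @_;
    $ext = lc $ext;
    $ext =~ s/^\.//;
    return 'discard' if $always_drop{$ext};
    if ($drop_if_subject{$ext}) {
        for my $re (@suspicious_subjects) {
            return 'discard' if $subject =~ $re;
        }
    }
    return 'allow';
}

# Constructed sample (filename, subject) pairs to exercise the rules.
my @samples = (
    ['game.pif',    'look at this'],                 # step 1: discard
    ['setup.exe',   'Hi'],                           # step 2: discard
    ['setup.exe',   'Q3 budget spreadsheet macros'], # step 2: allow
    ['report.doc',  'Re: Hi'],                       # not a scanned type: allow
    ['REMOVAL.EXE', 'W32 removal tools'],            # case-insensitive: discard
);

for my $s (@samples) {
    my ($fname, $subject) = @$s;
    my ($ext) = $fname =~ /\.([^.]+)$/;
    $ext = '' unless defined $ext;
    printf "%-14s %-30s -> %s\n", $fname, $subject, verdict($ext, $subject);
}

# The same check wired into mimedefang-filter (assumed hook, shown for
# orientation only; the names below are MIMEDefang's, the glue is ours):
#
# sub filter {
#     my ($entity, $fname, $ext, $type) = @_;
#     if (verdict($ext, $Subject) eq 'discard') {
#         md_syslog('warning', "Discarding $fname (subject: $Subject)");
#         return action_discard();
#     }
#     return action_accept();
# }
```

Running the script prints one verdict per sample line. The subject regexes only run when the extension is in the second set, which preserves the cost-saving ordering the quoted message relies on; extending %always_drop is the cheap way to cover further extension types, while the subject list is the part that needs upkeep as variants change.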