[Mimedefang] klez detection

Michael Sims michaels at mail3.crye-leike.com
Mon Mar 31 20:50:01 EST 2003


Maybe I shouldn't have dismissed it so quickly, but I've read so many
negative things about File::Scan that I never bothered to even try it.  I've
seen warnings about that module on both this list and the amavisd mailing
lists saying that it flags too many false positives to be useful.  Does your
experience indicate otherwise?

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________

-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of Rich West
Sent: Monday, March 31, 2003 6:49 PM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] klez detection


Ouch.. at the very least, you could use the File::Scan perl module for
virus signature detection.  It's VERY simple and rather effective.  It
makes for a great starting point..

-Rich


Michael Sims wrote:

>I saw this method in the archives, and it is definitely not reliable.  There
>are many legitimate attachments that will have that same sequence of
>characters that are not infected.
>
>My current filter is pretty ugly, but it seems effective.  This is what I do
>inside the filter() sub:
>
>1. Check to see if the message contains an attachment of *.pif or *.scr.  If
>so, log it and discard it.  I can't think of a legitimate reason to send
>those types of attachments in email, and they are VERY prevalent in virus
>infected emails.  By discarding those right off the bat I save my filter
>from having to do a lot of pointless work.  I can't foresee a situation where
>one of my end users calls me and says "help, I can't send this great *.pif
>file to my friend Bob in Accounting..."
>
>2. If the message contains an attachment of type *.exe, *.bat, or *.com, I
>then scan the Subject line against a list of known Klez-variant subject
>lines.  If the subject matches one of the patterns, I log it and discard it.
>This is really ugly, I know, but it seems to be effective.  I'm sure the
>subject scan is an expensive operation, but it only occurs if the message
>contains one of the aforementioned attachment types, and not on all
>messages.
>
>I'm certain there is a better approach, but if you're interested in my
>filter I can send it to you off-list...
>


_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
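The two-step check Michael describes in the quoted message, written out as a mimedefang-filter fragment. This is an added example, not Michael's filter (which he offered off-list) and not code from the MIMEDefang project. It assumes the standard MIMEDefang filter API: filter() is called once per MIME part, re_match() matches a part's filename against a regexp, action_discard() and action_accept() set the disposition, md_syslog() writes to syslog, and $Subject and $QueueID are the per-message globals MIMEDefang populates. The subject patterns are placeholders drawn from subject lines commonly attributed to Klez variants; a real deployment should build that list from samples it has actually seen.

```perl
# Added example: a mimedefang-filter fragment implementing the two checks
# described in the thread.  Not the original poster's filter.
# Assumes the standard MIMEDefang filter API (re_match, action_discard,
# action_accept, md_syslog) and the $Subject / $QueueID globals that
# mimedefang.pl sets before calling filter().  The filter file is loaded
# into package main, so those globals are used unqualified here.

# Step 1: attachment extensions that are discarded unconditionally.
my $always_discard_re = '(?i)\.(pif|scr)$';

# Step 2: executables that are discarded only when the Subject also matches.
my $suspect_exec_re = '(?i)\.(exe|bat|com)$';

# Subject patterns for step 2.  Placeholder entries based on subject lines
# commonly attributed to Klez variants; replace with patterns built from your
# own samples.  Precompiling with qr// keeps the per-message scan cheap.
my @klez_subject_res = map { qr/$_/i } (
    '^(?:re:\s*)?a (?:very )?funny website$',
    '^(?:re:\s*)?worm klez\.e immunity$',
    '^(?:re:\s*)?w32\.elkern removal tools$',
    '^(?:re:\s*)?let\'s be friends$',
    '^(?:re:\s*)?so cool a flash,\s*enjoy it$',
    '^(?:re:\s*)?your password$',
);

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # Step 1: .pif / .scr are never legitimate here, so discard the whole
    # message without doing any further work on it.
    if (re_match($entity, $always_discard_re)) {
        md_syslog('warning', "$QueueID: discarding message, attachment $fname");
        return action_discard();
    }

    # Step 2: .exe / .bat / .com only trigger a discard when the Subject
    # also matches a known Klez subject line.  The subject scan runs only
    # for parts that reach this point, not for every message.
    if (re_match($entity, $suspect_exec_re)) {
        foreach my $re (@klez_subject_res) {
            if ($Subject =~ $re) {
                md_syslog('warning',
                    "$QueueID: discarding Klez-like message, attachment $fname, Subject: $Subject");
                return action_discard();
            }
        }
    }

    return action_accept();
}
```

Two practical notes on the design. First, the filter discards rather than bounces: Klez forges the envelope and From: address, so a bounce or "virus found" notice would land on an uninvolved third party rather than the infected machine. Second, the extension checks key on the attachment filename only; a worm that ships its payload under a different extension or with no filename at all will pass both steps, which is why this is a cheap first gate in front of a real scanner rather than a replacement for one.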



