[Mimedefang] Handling different viruses: discard message vs. drop attachment
Kelson Vibber
kelson at speed.net
Wed Jan 28 20:04:28 EST 2004
OK, I think most people here would agree that just about all modern viruses
generate their own messages rather than piggybacking on existing mail, so
for anything like Klez, Sobig, and Mydoom, the obvious choice is to just
discard the entire message (possibly placing it in quarantine). No bounce,
no defanged message, no notification to the (fake) sender, just drop it in
the memory hole.
But once upon a time there were viruses that attached themselves to legit
messages (remember happy99?), and the best choice there is to remove the
infected attachment and pass the rest of the message along.
I know I'm not the only one who keeps a list of known mass-mailers in order to
decide whether to discard the attachment or the whole message. But I have
to keep updating that list, and I have to wonder: is it worth making this
distinction anymore?
I found some virus naming conventions add "@mm" or "@MM" to the end to
indicate a mass mailer, or "Worm." to the beginning to indicate, well, a
worm. I've added these strings to the list, so whether Novarg gets caught
by File::Scan as W32/Mydoom@MM or by ClamAV as Worm.SCO.A, it gets
discarded even without me adding Novarg, Mydoom and SCO to the list.
Any thoughts?
Kelson Vibber
SpeedGate Communications <www.speed.net>
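Added example (not Kelson's filter and not MIMEDefang's stock mimedefang-filter) of the
split described above wired into the filter hooks: decide from the scanner's virus name
whether the message is a self-generated mass-mailer (discard and quarantine the whole
thing, no bounce, no notification) or a legitimate message carrying an infected part
(strip that part and pass the rest along). filter_begin, filter, message_contains_virus,
entity_contains_virus, message_rejected, $VirusName, $RelayAddr, md_syslog and the
action_* calls are MIMEDefang's filter API; the is_mass_mailer helper, the
@MassMailerNames list and its contents, and the log and warning wording are assumptions
made for this example.

```perl
#!/usr/bin/perl
# Added example, not Kelson's filter and not the stock mimedefang-filter.
# The hook names, message_contains_virus, entity_contains_virus,
# message_rejected, $VirusName, $RelayAddr, md_syslog and the action_*
# functions are MIMEDefang's API; everything else here is assumed.
use strict;
use warnings;

# MIMEDefang sets these package globals before calling the hooks.
our ($VirusName, $RelayAddr);

# Hand-maintained list for scanners that tag a mass-mailer neither with
# "@MM" nor with a "Worm." prefix. Constructed for the example.
my @MassMailerNames = qw(Klez Sobig Mydoom Novarg);

# Returns 1 if the scanner's name says the virus generated the message
# itself (discard everything), 0 if it looks like a file infector that
# rode along on a real message (strip the infected part only).
sub is_mass_mailer {
    my ($name) = @_;
    return 0 unless defined $name and length $name;
    return 1 if $name =~ /\@mm$/i;      # NAI/McAfee style: W32/Mydoom@MM
    return 1 if $name =~ /^worm\./i;    # ClamAV style:     Worm.SCO.A
    for my $known (@MassMailerNames) {  # explicit list as the fallback
        return 1 if $name =~ /\Q$known\E/i;
    }
    return 0;
}

sub filter_begin {
    return unless message_contains_virus();    # sets $VirusName
    return unless is_mass_mailer($VirusName);  # let filter() strip the part
    md_syslog('warning', "Discarding mass-mailer $VirusName from $RelayAddr");
    action_quarantine_entire_message("Mass-mailer $VirusName");
    return action_discard();                   # no bounce, no notification
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return if message_rejected();              # already discarded above
    if (entity_contains_virus($entity)) {      # sets $VirusName
        md_syslog('warning', "Dropping infected part '$fname' ($VirusName)");
        return action_drop_with_warning(
            "An attachment named '$fname' was infected with $VirusName and was removed.");
    }
    return action_accept();
}

# Self-check when run directly (perl this_file.pl). MIMEDefang loads the
# file with require and only calls the hooks, so this block never runs there.
unless (caller) {
    for my $n ('W32/Mydoom@MM', 'Worm.SCO.A', 'W32/Klez.h', 'Happy99') {
        printf "%-16s -> %s\n", $n,
            is_mass_mailer($n) ? 'discard whole message' : 'drop attachment only';
    }
}

1;
```

Note the failure mode the list exists for: a mass-mailer whose scanner name carries
neither tag and is not yet on the list falls through to the attachment-only path, so
the forged carrier message (with its fake sender) is still delivered with a warning.
When that is worse than the occasional over-discarded file infector, invert the default
so that is_mass_mailer returns 1 for anything it does not recognise.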