[Mimedefang] Blocking IP #

Chris Gauch cgauch at digicon.net
Thu May 5 13:16:28 EDT 2005


> -----Original Message-----
> From: mimedefang-bounces at lists.roaringpenguin.com [mailto:mimedefang-
> bounces at lists.roaringpenguin.com] On Behalf Of Jason Gurtz
> Sent: Thursday, May 05, 2005 1:07 PM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Blocking IP #
> 
> On 5/5/2005 12:40, David F. Skoll wrote:
> 
> > It's probably small companies and home users who are suffering from
> > this one.  (Is Sober.P coming in as a Windows executable?  I don't have
> > any samples -- I haven't bothered quarantining viruses for months now.
> > I still can't fathom why any organization running Windows would even
> > entertain the notion of permitting executables in via e-mail.)
> 
> Unfortunately, it's arriving as a zip file with a malware.txt        .pif
> inside.  (was it netsky that had a similar trick?)
> 
> I'm entertaining the thought of just disallowing all archives now (too)
> and forcing the lusers to use yousendit.com or something.  I suppose it's
> only a matter of time before we have rar, ace, 7z, gz, bz2 etc... worms in
> addition to the zip ones.
> 
> from the mimefield,
> 
> ~Jason

Have you configured ClamAV to scan archives? We don't (I should rephrase
that, as "can't") throw out ZIP archives because too many clients send ZIPs
back and forth via email containing important PDF and image files (using zip
compression is not always a bad thing).  ClamAV seems to find viruses 99.9%
of the time in ZIP and RAR archives; I still have yet to see one get through
in a ZIP file.  A previous SOBER variant (perhaps it was bagle or netsky)
was sending out empty zip files due to malformed virus code; those got
through ClamAV but posed no threat to anyone.

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
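
The padded double-extension name quoted in this thread ("malware.txt        .pif" inside a zip) can be checked for without rejecting every archive. The following is an added example, not part of the original post and not MIMEDefang or ClamAV code; the extension lists and function names are assumptions chosen for illustration, and the sample archive is constructed in memory.

```python
import io
import zipfile

# Extensions Windows will execute; an assumed blocklist for this example.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "lnk", "cpl"}
# Harmless-looking extensions used as a decoy ahead of the real one (assumed list).
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "xls"}


def classify_member(name):
    """Return a list of reasons a ZIP member name is suspicious (empty if none)."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    ext = ext.strip().lower()
    if not dot or ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension ." + ext)
    # "malware.txt        .pif": whitespace pushes the real extension out of view.
    if stem != stem.rstrip():
        reasons.append("whitespace padding before extension")
    inner = stem.rstrip().rpartition(".")[2].lower()
    if "." in stem and inner in DECOY_EXTS:
        reasons.append("decoy extension ." + inner)
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reasons = classify_member(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    except zipfile.BadZipFile:
        findings["<archive>"] = ["not a readable ZIP"]
    return findings


def build_sample_zip(names):
    """Construct an in-memory ZIP with placeholder contents (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()
```

An archive holding only PDFs and images yields no findings, so it can still be delivered, and an empty zip yields none either.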



