nanog mailing list archives
Re: Possibly yet another MS mail worm
From: Michael Wiacek <lists () iroot net>
Date: Mon, 1 Mar 2004 01:07:23 -0500 (EST)
so would a milter for sendmail that strips off attachments, queues them for decompression and scanning at a later time be more useful? Say such a milter could strip off attachments, replacing them with a URL in the email that will allow the recipient to download them if they prove clean. It's not an instant gratification, but it'll let you distribute the scanning among several machines. if an attachment gets denied, the url would inform the user why they can't access the file.

i had an idea to write this a while ago, but never felt like writing the mime code to handle strange attachments.

mike

On Mon, 1 Mar 2004, Rubens Kuhl Jr. wrote:
>>> I'm not aware of any mail scanner that does this without running an external anti-virus or something alike, although it is not that intensive to follow the zip headers (as they already do with the MIME headers in order to drop external attachments). Most scanners can accept an anti-virus plugin and then scan inside zip files, but that requires more processing power, more queue disk space, more RAM, more administration to update virus patterns, and so on. The cost/benefit usually pays off, but more complexity means less people will adopt the solution, thus making worm spreading easier.

>> your description makes it all sound quite complicated, possibly because you are passing all the processing down to the end-user's machine.

> I was talking about central anti-virus processing... although it's easier on administration than updating hundreds or thousands of machines, it establishes a central bottleneck. Doing decompression and extensive pattern matching on a high volume server is not an easy task.

>> we have anti-virus (clamav) and anti-spam (spamassassin) running at the server level, and thus save the end-user a lot of cycles.

> Even on low volume servers, this task is not something one would do without some thinking; on high volume, this is achievable but would require a good systems design to cope with the higher latency between mail receive and mail delivery.

>> clamav will look inside zip files, and automatically updates its signature database. spamassassin uses both global rules and per-user rules to rate incoming and reduce the impact of spam.

> Been there at many installations of MailScanner (http://www.mailscanner.info).

>> we even run in-line scans of MIME headers during the SMTP process and reject specific attachments (.exe, .pif, etc) without even bothering the end-user.

> That kind of filtering is much easier to configure, administer and goes low on resources.
> Extending this to verify filenames inside zip files would not be difficult to do, and is simple and not intensive enough for lots of people to turn such filters on.
>
> Rubens
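
The filename check discussed at the end of the quoted message, extended to names inside zip attachments, could look like the sketch below. It is an added example, not code from anyone in this thread or from MailScanner; `blocked_names`, `is_blocked`, `sample_message`, the `.scr` entry and the sample addresses are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .exe and .pif are the extensions named in the thread; .scr is an assumed addition.
BLOCKED = (".exe", ".pif", ".scr")

def is_blocked(name):
    # Trailing dots/spaces are stripped because Windows ignores them in file names.
    return name.lower().rstrip(". ").endswith(BLOCKED)

def blocked_names(raw):
    """Return blocked attachment names, including names listed inside zip attachments."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if is_blocked(name):
            hits.append(name)
        data = part.get_payload(decode=True) or b""
        # Detect zips by content, not by the sender-controlled file name.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # namelist() reads only the zip directory; no member is decompressed.
                hits += [f"{name}!{inner}" for inner in zf.namelist() if is_blocked(inner)]
        except zipfile.BadZipFile:
            hits.append(f"{name}!<unreadable zip>")
    return hits

def sample_message(zip_name="docs.zip"):
    """Constructed sample input: a mail with one zip holding a .txt and a .pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("Invoice.PIF", "placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.com", "b@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_names(sample_message()))
```

Because only the zip directory is read, the cost stays close to the MIME-header check rather than a full decompress-and-scan pass.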