Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Thu, 21 Feb 2008 11:31:02 +0100
Dear Valdis,
Interesting, have you compared your results with another scanner? If you just scan with ClamAV you can't obviously really tell what you missed that other scanners found.
On Wed, Feb 20, 2008 at 11:59 PM, <Valdis.Kletnieks () vt edu> wrote:
On Wed, 20 Feb 2008 17:48:10 +0300, Eygene Ryabinkin said:
> Tue, Feb 19, 2008 at 07:46:35PM +0100, Faas M. Mathiasen wrote:
> > ClamAV ? Lowest detection rate in the industry,
>
> Possibly... Where are the statistics?
Let's inject a little bit of actual reality here, shall we?
When you look at the crap that *actually arrives*, the vast majority of it is
so old that almost *everything* should be catching it. Our main mailscanner
hub statistics for last week:
Date: Mon, 18 Feb 2008 01:12:02 -0500
Weekly Virus Summary
3581 Total Virus Detections
Breakdown by Virus Family:
692 MYDOOM (19.32%)
615 PUSHDO (17.17%)
605 NETSKY (16.89%)
302 MYTOB ( 8.43%)
286 IFRAME ( 7.99%)
149 VIRUT ( 4.16%)
143 BUGBEAR ( 3.99%)
135 ( 3.77%)
123 NYXEM ( 3.43%)
112 SALITY ( 3.13%)
97 ZAFI ( 2.71%)
77 BAGLE ( 2.15%)
65 LOVGATE ( 1.82%)
42 DLOADR ( 1.17%)
25 ENCPK ( 0.7%)
17 PUSHU ( 0.47%)
15 DUMARU ( 0.42%)
There we go. The top 17 accounted for 3,500 out of 3,581 of the detects,
or 97.7% of them. And before you ask, yes, I'm pretty sure there weren't any
floods of fail-to-detects caused by some new unknown in the last week, or it
would have been all over the various security lists. OK, so maybe 2 dozen
or so missed detects got through. However...
Once you get to 95% or 97% on the e-mail scanning, your user community is
much more in danger of getting nailed by something they got off a P2P net
or a drive-by fruiting from some website they visited.
