nanog mailing list archives
Re: Possibly yet another MS mail worm
From: "Rubens Kuhl Jr." <rubens () email com>
Date: Mon, 1 Mar 2004 02:29:14 -0300
I'm not aware of any mail scanner that does this without running an
external
anti-virus or something alike, although is not that intensive to follow
the
zip headers (as they already do with the MIME headers in order to drop external attachments). Most scanners can accept an anti-virus plugin and them scan inside zip files, but that requires more processing power,
more
queue disk space, more RAM, more administration to update virus
patterns,
and so on. The cost/benefit usually pays off, but more complexity means
less
people will adopt the solution, thus making worm spreading easier.your description makes it all sound quite complicated, possibly because you are passing all the processing down to the end-user's machine.
I was talking about central anti-virus processing... although it's easier on administration than updating hundreds or thousands of machines, it establishes a central bottleneck. Doing decompression and extensive pattern matching on a high volume server is not an easy task.
we have anti-virus (clamav) and anti-spam (spamassassin) running at the server level, and thus save the end-user alot of cycles.
Even on low volume servers, this task is not something one would do without some thinking; on high volume, this is achievable but would require a good systems design to cope with the higher latency between mail receive and mail delivery.
clamav will look inside zip files, and automatically updates its signature database. spamassassin uses both global rules and per-user rules to rate incoming
and reduce the impact of spam.
Been there at many installations of MailScanner (http://www.mailscanner.info).
we even run in-line scans of MIME headers during the SMTP process and
reject
specific attachments (.exe, .pif, etc) without even bothering the
end-user. That kind of filtering is much easier to configure, administer and goes low on resources. Extending this to verify filenames inside zip files would not be difficult to do, and is simple and not intensive enough to lots of people to turn such filters on. Rubens
Current thread:
- Re: Possibly yet another MS mail worm Michael Wiacek (Feb 29)
- Re: Possibly yet another MS mail worm Rubens Kuhl Jr. (Feb 29)
- Message not available
- Re: Possibly yet another MS mail worm Rubens Kuhl Jr. (Feb 29)
- Re: Possibly yet another MS mail worm Michael Wiacek (Feb 29)
- RE: Possibly yet another MS mail worm Steve Birnbaum (Mar 01)
- Possibly even yet another MS mail worm Mike Nice (Mar 01)
- Re: Possibly even yet another MS mail worm Stephen J. Wilcox (Mar 01)
- Re: Possibly even yet another MS mail worm Jeff Shultz (Mar 01)
- Re: Possibly even yet another MS mail worm Laurence F. Sheldon, Jr. (Mar 01)
- Message not available
- Re: Possibly yet another MS mail worm Rubens Kuhl Jr. (Feb 29)
- <Possible follow-ups>
- Re: Possibly yet another MS mail worm Curtis Maurand (Mar 01)
- Re: Possibly yet another MS mail worm Todd Vierling (Mar 01)
- Re: Possibly yet another MS mail worm Laurence F. Sheldon, Jr. (Mar 01)
- Re: Possibly yet another MS mail worm Curtis Maurand (Mar 01)
- Re: Possibly yet another MS mail worm Todd Vierling (Mar 01)