North American Network Operators Group


Re: Possibly yet another MS mail worm

  • From: Rubens Kuhl Jr.
  • Date: Mon Mar 01 00:32:06 2004

> > I'm not aware of any mail scanner that does this without running an
> > external anti-virus or something alike, although is not that intensive
> > to follow the zip headers (as they already do with the MIME headers in
> > order to drop external attachments). Most scanners can accept an
> > anti-virus plugin and then scan inside zip files, but that requires more
> > processing power, more queue disk space, more RAM, more administration
> > to update virus patterns, and so on. The cost/benefit usually pays off,
> > but more complexity means fewer people will adopt the solution, thus
> > making worm spreading easier.
>
> your description makes it all sound quite complicated, possibly because
> you are passing all the processing down to the end-user's machine.

I was talking about central anti-virus processing... although it's easier on
administration than updating hundreds or thousands of machines, it
establishes a central bottleneck. Doing decompression and extensive pattern
matching on a high volume server is not an easy task.

> we have anti-virus (clamav) and anti-spam (spamassassin) running at the
> server level, and thus save the end-user a lot of cycles.

Even on low volume servers, this task is not something one would do without
some thinking; on high volume, this is achievable but would require a good
systems design to cope with the higher latency between mail receive and mail
delivery.

> clamav will look inside zip files, and automatically updates its signature
> database.
>
> spamassassin uses both global rules and per-user rules to rate incoming
> email and reduce the impact of spam.

Been there at many installations of MailScanner
(http://www.mailscanner.info).

> we even run in-line scans of MIME headers during the SMTP process and
> reject specific attachments (.exe, .pif, etc) without even bothering the
> end-user.

That kind of filtering is much easier to configure and administer, and is
light on resources. Extending this to verify filenames inside zip files would
not be difficult to do, and is simple enough and not intensive enough for lots
of people to turn such filters on.


Rubens
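A gateway-side check of the kind discussed in this thread, written as an added example (it is not code from the thread, from MailScanner or from clamav): it reads only the zip central directory, never decompressing a member, and flags member names by extension. The extension list and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Extensions the thread mentions (.exe, .pif) plus a few other common
# executable types; the exact list is an assumption for this example.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def blocked_names_in_zip(data: bytes) -> list:
    """Return member filenames carrying a blocked extension.

    Only the central directory is read, so no member is decompressed and
    the cost is close to that of reading the MIME headers. Raises
    zipfile.BadZipFile if the data is not a valid zip archive.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Check the final extension; "invoice.pdf.EXE" still ends in .exe.
            if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
                hits.append(info.filename)
    return hits


def should_reject_attachment(data: bytes) -> bool:
    """SMTP-time decision: reject if a blocked name is present, or if the
    attachment claims to be a zip but cannot be parsed at all."""
    try:
        return bool(blocked_names_in_zip(data))
    except zipfile.BadZipFile:
        return True


def build_sample_zip(names):
    """Constructed test input: an in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_zip(["readme.txt", "photo.jpg"])
    worm = build_sample_zip(["readme.txt", "invoice.pdf.EXE"])
    print(blocked_names_in_zip(worm))       # ['invoice.pdf.EXE']
    print(should_reject_attachment(clean))  # False
```

Because the central directory stores names in the clear even for password-protected members, this check still works on encrypted archives that a content scanner could not open.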