North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Possibly yet another MS mail worm
- From: Michael Wiacek
- Date: Mon Mar 01 01:09:54 2004
so would a milter for sendmail that strips off attachments, queues
them for decompression and scanning at a later time be more useful?
Say such a milter could strip off attachments, replacing them with
a URL in the email that will allow the recipient to download them
if they prove clean. It's not an instant gratification, but it'll
let you distribute the scanning among several machines. if an
attachment gets denied, the url would inform the user why they can't
access the file. i had an idea to write this a while ago, but never
felt like writing the mime code to handle strange attachments.
On Mon, 1 Mar 2004, Rubens Kuhl Jr. wrote:
> > > I'm not aware of any mail scanner that does this without running an
> > > anti-virus or something alike, although is not that intensive to follow
> > > zip headers (as they already do with the MIME headers in order to drop
> > > external attachments). Most scanners can accept an anti-virus plugin and
> > > them scan inside zip files, but that requires more processing power,
> > > queue disk space, more RAM, more administration to update virus
> > > and so on. The cost/benefit usually pays off, but more complexity means
> > > people will adopt the solution, thus making worm spreading easier.
> > your description makes it all sound quite complicated, possibly because
> > you are passing all the processing down to the end-user's machine.
> I was talking about central anti-virus processing... although it's easier on
> administration than updating hundreds or thousands of machines, it
> establishes a central bottleneck. Doing decompression and extensive pattern
> matching on a high volume server is not an easy task.
> > we have anti-virus (clamav) and anti-spam (spamassassin) running at the
> > server level, and thus save the end-user alot of cycles.
> Even on low volume servers, this task is not something one would do without
> some thinking; on high volume, this is achievable but would require a good
> systems design to cope with the higher latency between mail receive and mail
> > clamav will look inside zip files, and automatically updates its signature
> > database.
> > spamassassin uses both global rules and per-user rules to rate incoming
> > and reduce the impact of spam.
> Been there at many installations of MailScanner
> > we even run in-line scans of MIME headers during the SMTP process and
> > specific attachments (.exe, .pif, etc) without even bothering the
> That kind of filtering is much easier to configure, administer and goes low
> on resources. Extending this to verify filenames inside zip files would not
> be difficult to do, and is simple and not intensive enough to lots of people
> to turn such filters on.