Can We Effectively Scan For E-Mail Viruses?
A couple of questions here, first from DavidBrown: "It occurs to me that with the recent virus/worm/whatever stories, maybe the solution to e-mail viruses isn't to go out and install on every desktop virus software that nobody likes to run - it slows you down, and doesn't feel 'natural'. Maybe we should screen for questionable macros and infected attachments at the ISP mail server level?" But before we screen, we first need effective filters, which is the subject of kevin42's question: "I've tried many different filters and strategies for reducing spam that comes into my domain. The problem is I still get a ton of spam, and when I look at what the filtering is catching it's only like 5% of all the spam. A search on freshmeat finds tons of apps and filters, but I've tried a few and none seem to work. Trying them all will take forever, so does anyone have experience with some that will actually work?"
David adds: "Yahoo mail seems to do this. Once a new virus is detected, ISPs can install new updates much faster than most users." ISPs are implementing this, just not fast enough for most people. Which ISPs (especially national ones) have hardened their systems against such viruses and, more importantly, who hasn't?
It works (Score:2)
Now that I look again, there seems to be a way to use it on a relay. If you do that, make sure it's a beefy machine. Getting 20-30 messages/minute gets the load average into the "sendmail stops talking to you" range.
MA and NH are in luck... (Score:1)
Looking in the wrong places (Score:3)
Spam filtering via procmail (Score:2)
As far as spam filtering goes, though, it's nearly impossible to do it effectively using a prebuilt package. The spammers seem to have plenty of new tricks up their sleeve all the time. (My favorite is the one saying "This is not spam." If you have to say it isn't spam, then it's spam.) I've written some rather elaborate filtering using procmail, and it's been quite accurate. The best part is that I can make adjustments as I go along. On the flip side, it isn't 100% effective -- occasionally spam gets through, and occasionally it misses something that is spam. And, of course, to program in procmail you have to have a good understanding of how regular expressions work.
You can take a look at my procmail filter here [elkman.net], as well as a score-based algorithm [elkman.net] that only bounces the mail if it matches more than one of the phrases listed there. Go ahead and use those examples if they help. And, check out procmail.org [procmail.org] for all the documentation.
Procmail trap (Score:3)
Here's a link [impsec.org] to the homepage.
It is score based, runs really fast, sanitizes headers, HTML and MIME attachments - since it's based on the procmail ruleset, it can easily be adapted to your needs. It features external "poisoned" files (and extensions) that you can block off.
I've been using it since 1.088 (I think) and I've had no bad things to say about it!
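A score-based filter of the kind the two procmail posts above describe (bounce only when more than one listed phrase matches, and refuse "poisoned" attachment extensions outright), written here as an added Python example rather than the posters' own procmail rules; the phrase list, weights, extension list and sample messages are all constructed for this example.

```python
import os
import re
from email import message_from_string

# Weighted phrases in the spirit of the score-based procmail filter; list and weights are constructed.
SPAM_PHRASES = [
    (re.compile(r"this is not spam", re.I), 1),
    (re.compile(r"make money fast", re.I), 1),
    (re.compile(r"click here", re.I), 1),
    (re.compile(r"remove\w* (from|off) (our|the|this) list", re.I), 1),
]
# Attachment types refused outright, like the "poisoned" extensions in the procmail trap.
POISONED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif", ".bat"}
# Act only when more than one phrase matches, so a single phrase cannot bounce legitimate mail.
BOUNCE_THRESHOLD = 2

def text_of(msg) -> str:
    """Subject line plus every text/* body part, decoded leniently."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "ignore"))
    return "\n".join(chunks)

def poisoned_attachments(msg) -> list[str]:
    """Filenames whose extension is on the poisoned list."""
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if os.path.splitext(n)[1].lower() in POISONED_EXTENSIONS]

def classify(raw: str) -> tuple[str, int, list[str]]:
    """Return (verdict, phrase score, poisoned attachment names) for one RFC 822 message."""
    msg = message_from_string(raw)
    bad = poisoned_attachments(msg)
    if bad:  # executable attachment: bounce regardless of the phrase score
        return "bounce", 0, bad
    score = sum(w for pat, w in SPAM_PHRASES if pat.search(text_of(msg)))
    return ("bounce" if score >= BOUNCE_THRESHOLD else "deliver"), score, bad

# Constructed samples: four phrase hits, a single phrase hit, and a .vbs attachment.
SPAM_SAMPLE = "Subject: Make money fast!!\nContent-Type: text/plain\n\nThis is not spam. Click here to be removed from our list.\n"
HAM_SAMPLE = "Subject: Meeting notes\nContent-Type: text/plain\n\nClick here for the agenda; see you Tuesday.\n"
VIRUS_SAMPLE = (
    'Subject: fun\nMIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nCheck this out.\n--b1\n"
    'Content-Type: application/octet-stream; name="greeting.vbs"\n'
    'Content-Disposition: attachment; filename="greeting.vbs"\n\n(placeholder bytes)\n--b1--\n'
)

if __name__ == "__main__":
    print([classify(s) for s in (SPAM_SAMPLE, HAM_SAMPLE, VIRUS_SAMPLE)])
```

The single "click here" in the meeting-notes sample scores 1 and is delivered, which is the point of requiring more than one match before bouncing.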
Can't be done (Score:1)
Any filter can be defeated, unless it's strong AI. The best you can do is filter out known offenders, or have a super-strict filter that assumes everything is a virus unless it is known to not be one.
The real solution, barring educated users, is to have clients that do not make it so easy for mail content to be executed. If the mail client will let the user execute a script by clicking on an icon, then that mail client has to go.
virus scanning for email (Score:1)
hmm (Score:1)
And on a sidenote, if Carnivore is able to access any emails, would they also be susceptible to the viruses that may be attached to them?
Re:hmm (Score:1)
Probably not, because Carnivore would probably be programmed to not execute the virus.
Brightmail will solve your spam and virus issues (Score:1)
Solution to all your problems (Score:1)