Centralized Email Virus Filters?
Matt Hamilton asks: "With yet another email trojan/virus going around (Naked Wife) I am looking for some way to simplify filtering of these messages. I currently run Exim on our company's servers and have a filter that filters about 20 virii based upon subject lines and strings contained in the body. Very simple, but works against a lot of mass-email virii. I was wondering, is there a centralised database of current email virii/trojans and their subject/body signatures that can be exported to various MTA filtering mechanisms (sendmail, exim, procmail, etc.)? Or perhaps a step further, some sort of central DB that can be accessed directly in real time by the MTA (similar to RBL, ORBS, etc.) so that updates are automatic."
wow. yeah (fp?) (Score:1)
-Andrew
May Not be Necessary (Score:3)
It's not that hard to calculate a checksum of each message body that goes through a mail or news server. Once a particular checksum value appears, say, 100 times in a short period (or in 10 newsgroups, etc.), you know you have a problem. At this point you could simply warn the user that the same message has hit X number of other people, from Y number of senders, so Joe Schmoe probably did *not* just send her a picture of his naked wife, or you could simply block that checksum until things die down.
Maybe there's something I'm missing here.
html-trap, for example (Score:2)
Who needs checksums or signatures? That will only catch known viruses, it won't help you with the brand-new ones. To do that, ban active content in email. You'll be happier in the long run.
centralized "virus" info (Score:2)
I send in information about a "virus" and it gets picked up and distributed through this centralized information source, suddenly real mail is discarded.
Whenever people want a centralized point for information, what they're really wanting is something they can automate to eliminate a problem. What they forget is that they're also giving someone else power over their information stream.
I'm sure someone will say, we just don't want to have to hunt for the information, we'll review it before we implement it. But only a short time will pass before someone will put out a script that updates automatically.
Think ORBS. Remember that legitimate people can't send email to their friends. When it started it was just a list so you'd know who wasn't playing the right game. And it's almost impossible to get your server off the list. But very easy for you to get on by some malicious person.
Extrapolate. People submit "viruses" that contain, 'Dear ****,' and all email with that goes away. Sure, you all know enough not to just trust the source of centralized virus information. But 90% of people don't. Why would someone make something up just to hurt people?
The potential for abuse is astronomical.
Re:html-trap, for example (Score:2)
Its main features are:
--
All browsers' default homepage should read: Don't Panic...
Be careful how you bin things (Score:1)
I consult for a large automotive company who have a policy of throwing away certain attachment types (including
Amavis-Perl (Score:2)
For our uses, the perl version [amavis.org] (Halfway down the page) worked out better.
Simple (Score:1)
Re:May Not be Necessary (Score:1)
You're missing mailing lists. Opt-in mailing lists, unfortunately, act almost precisely the same way as spam. If there are 100 users on your system subscribed to a list, then it won't be so crazy for the same message to flip through 100 times. And that's legitimate. The biggest problem with any sort of censoring, even of spam, is false positive blocks.
-Andrew
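The checksum-counting idea from "May Not be Necessary", together with the mailing-list false positive raised in this reply, as an added example that is not code from either poster: each body is hashed after normalization, observations are kept in a sliding window per digest, and a message is flagged only when the same body has arrived from several distinct senders. Messages carrying list headers (List-Id, List-Post, Precedence: list/bulk) are exempted from the count. The thresholds, window length, sender addresses and message bodies are all constructed for the demo and are assumptions, not values from the thread.

```python
import hashlib
import re
from collections import defaultdict, deque
from email import message_from_string

# Thresholds and window are assumptions for this example, not values from the thread.
COPY_THRESHOLD = 5        # same body seen at least this many times ...
SENDER_THRESHOLD = 3      # ... from at least this many distinct senders ...
WINDOW_SECONDS = 3600     # ... inside a sliding window of this length


def body_fingerprint(msg):
    """SHA-256 over the body with whitespace collapsed and case folded, so
    per-hop differences such as a trailing newline do not change the digest."""
    if msg.is_multipart():
        raw = b"".join(p.get_payload(decode=True) or b""
                       for p in msg.walk() if not p.is_multipart())
    else:
        raw = msg.get_payload(decode=True) or b""
    return hashlib.sha256(re.sub(rb"\s+", b" ", raw).strip().lower()).hexdigest()


def is_list_mail(msg):
    """Opt-in list traffic legitimately delivers one body to many local users,
    so it is exempted from the repeat count (the false positive raised above)."""
    if "List-Id" in msg or "List-Post" in msg:
        return True
    return msg.get("Precedence", "").strip().lower() in ("list", "bulk")


class FloodTracker:
    """Keeps (timestamp, sender) observations per body fingerprint."""

    def __init__(self):
        self.seen = defaultdict(deque)

    def observe(self, raw_message, now):
        msg = message_from_string(raw_message)
        if is_list_mail(msg):
            return "accept"
        fp = body_fingerprint(msg)
        q = self.seen[fp]
        q.append((now, msg.get("From", "").strip().lower()))
        while q and now - q[0][0] > WINDOW_SECONDS:   # expire old observations
            q.popleft()
        distinct_senders = len({sender for _, sender in q})
        if len(q) >= COPY_THRESHOLD and distinct_senders >= SENDER_THRESHOLD:
            return "warn"   # the MTA could tag, hold, or notify the recipient here
        return "accept"


def make_message(sender, subject, body, list_id=None):
    """Build a constructed RFC 822 message for the demo."""
    headers = [f"From: {sender}", "To: users@example.com", f"Subject: {subject}"]
    if list_id:
        headers.append(f"List-Id: {list_id}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


def run_demo():
    """Feed constructed traffic through the tracker and return the verdicts."""
    tracker = FloodTracker()
    # Six copies of one body from four senders, one minute apart: flagged at copy 5.
    worm_body = "Check this out!\r\nSee attached: picture.exe\r\n"
    senders = ["alice@example.com", "bob@example.org", "carol@example.net",
               "dave@example.com", "alice@example.com", "bob@example.org"]
    worm = [tracker.observe(make_message(s, "fwd: pic", worm_body), now=60 * i)
            for i, s in enumerate(senders)]
    # The same body six times, but carrying a List-Id header: never flagged.
    list_body = "Weekly digest: nothing new this week.\r\n"
    digest = [tracker.observe(make_message("announce@lists.example.com", "digest",
                                           list_body, list_id="announce.lists.example.com"),
                              now=60 * i)
              for i in range(6)]
    return worm, digest


if __name__ == "__main__":
    print(run_demo())
```

Requiring several distinct senders, not just a repeat count, is what separates a self-mailing worm from one user forwarding a joke to the whole office; the list exemption handles the case this reply points out, at the cost of trusting that a worm does not forge list headers.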
Anomy mail tools (Score:1)
Also some antivirus have mail checking engines for linux, like avp or antivir, and with a policy of having the databases updated, this can work almost unattended.
An Exchange-based solution (Score:2)
If this is something you might need, give it a try. It works on the main mail gateway (child mail servers can't use it) and is pretty cheap. HTH!
I use Trend Micro's stuff, myself (Score:2)
surprised no one has mentioned inflex (Score:1)
http://www.inflex.co.za
you can set it up to run a virus scanner, scan for file types, scan for text inline, etc.
works nice and fast, too.
Oh. And free!
Realtime Worm Filtering System (Score:2)
-Waldo
You're missing the obvious (Score:1)
However, you could change the software you're using. I've only received a few of these email viruses so far, but I can say with 100% certainty that they've never been forwarded to anyone by my mailreader, nor have they caused any damage to my system or the networks it is connected to.
--
Thanks... (Score:1)
Specifically: A web site with a database that contains traits of particular mail virii (e.g. Subject == 'foobar'; attachment == 'hello.vbs'). A visitor to the site can then download a list of these in such a form that they could copy/paste directly into exim/sendmail/procmail/whatever. The system should be easily extensible such that converters can be contributed to convert to whatever MTAs people want.
Anyone have any suggestions/comments?
-Matt
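What a converter from such a trait database to MTA filter syntax could look like, as an added example that is not code from the poster or from any existing project: a list of signature records (subject and/or attachment name) is rendered both as procmail recipes and as an Exim filter file. The records, folder paths and signature names are constructed for the demo; only procmail and Exim output are shown (sendmail has no comparable per-user filter file). Matches are quarantined rather than discarded, so a bad entry pushed from a central source can be undone.

```python
import re

# Constructed sample records; they stand in for the central database the post
# describes and are not taken from any real signature source.
SIGNATURES = [
    {"name": "sample-a", "subject": "foobar"},
    {"name": "sample-b", "attachment": "hello.vbs"},
    {"name": "sample-c", "subject": "Naked Wife", "attachment": "NakedWife.exe"},
]

# Quarantine folders (assumed paths) so a mistaken signature is recoverable.
PROCMAIL_FOLDER = "$HOME/Mail/quarantine/"
EXIM_FOLDER = "$home/Mail/quarantine/"


def procmail_escape(s):
    """Escape egrep-style metacharacters so the trait is matched literally."""
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", s)


def to_procmail(sig):
    """One procmail recipe per signature; every listed condition must match."""
    conds = []
    if "subject" in sig:
        conds.append(f"* ^Subject:.*{procmail_escape(sig['subject'])}")
    if "attachment" in sig:
        # Attachment names live in MIME part headers inside the body, so the
        # recipe needs the H and B flags to match header and body together.
        conds.append(f"* ^Content-(Disposition|Type):.*{procmail_escape(sig['attachment'])}")
    if not conds:
        raise ValueError(f"signature {sig['name']!r} has no matchable trait")
    flags = ":0 HB" if "attachment" in sig else ":0"
    return "\n".join([f"# {sig['name']}", flags] + conds + [PROCMAIL_FOLDER, ""])


def exim_quote(s):
    """Double-quoted Exim string literal with backslash and quote escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_exim(sigs):
    """Whole Exim filter file; `contains` is Exim's case-insensitive substring test."""
    out = ["# Exim filter", ""]
    for sig in sigs:
        conds = []
        if "subject" in sig:
            conds.append(f"$h_subject: contains {exim_quote(sig['subject'])}")
        if "attachment" in sig:
            # $message_body holds the first part of the body, where the MIME
            # headers naming the attachment normally appear.
            conds.append(f"$message_body contains {exim_quote(sig['attachment'])}")
        if not conds:
            raise ValueError(f"signature {sig['name']!r} has no matchable trait")
        out += [f"# {sig['name']}", f"if {' and '.join(conds)} then",
                f"  save {EXIM_FOLDER}", "  finish", "endif", ""]
    return "\n".join(out)


def render_all(sigs):
    """The download the post describes: one ready-to-paste block per MTA."""
    return {"procmail": "\n".join(to_procmail(s) for s in sigs),
            "exim": to_exim(sigs)}


if __name__ == "__main__":
    for mta, text in render_all(SIGNATURES).items():
        print(f"==== {mta} ====\n{text}")
```

Adding another MTA means adding one more render function over the same records, which is the extensibility the post asks for; escaping is done per output syntax (regex metacharacters for procmail, string quoting for Exim) because a subject containing `.` or `"` would otherwise silently widen or break the rule.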
Get some Anti-Virus Software? (Score:1)
Sophos even have a beta release of a virus checking SMTP relay.
Check out http://www.sophos.com/downloads/products/
Re:May Not be Necessary (Score:1)
Re:Get some Anti-Virus Software? (Score:1)
-Matt
Our filter is crap (Score:2)
Re:Get some Anti-Virus Software? (Score:1)
You may want to check out.. (Score:1)
Here's a link [sourceforge.net]
Regards,
Mark
http://www.phluffynet.com
Actually Matt, something like it does.. (Score:1)
Regards,
Mark