Can We Effectively Scan For E-Mail Viruses?

A couple of questions here, first from DavidBrown: "It occurs to me that with the recent virus/worm/whatever stories, maybe the solution to e-mail viruses isn't to go out and install on every desktop virus software that nobody likes to run - it slows you down, and doesn't feel 'natural'. Maybe we should screen for questionable macros and infected attachments at the ISP mail server level?" But before we can screen, we need effective filters, which is the subject of kevin42's question: "I've tried many different filters and strategies for reducing spam that comes into my domain. The problem is I still get a ton of spam, and when I look at what the filtering is catching it's only like 5% of all the spam. A search on freshmeat finds tons of apps and filters, but I've tried a few and none seem to work. Trying them all will take forever, so does anyone have experience with some that will actually work?"

David adds: "Yahoo mail seems to do this. Once a new virus is detected, ISPs can install new updates much faster than most users." ISPs are implementing this, just not fast enough for most people. Which ISPs (especially national ones) have hardened their systems against such viruses and, more importantly, who hasn't?


Why Not Scan for E-Mail Viruses at the ISP Level?

  • We are using AMaViS [amavis.org] on machines at my employer. It isn't the most efficient program, it ends up forking about 4-5 times for a plain text message (!) but it does work. Two drawbacks are: 1. it replaces the delivery agent (usually procmail or deliver) and 2. it only works for accounts local to that machine.


    Now that I look again, there seems to be a way to use it on a relay. If you do that, make sure it's a beefy machine. Getting 20-30 messages/minute gets the load average into the "sendmail stops talking to you" range.

  • my favorite local ISP, Cape.Com [cape.com] has been doing this for quite some time. they have POPs from cape cod to southern new hampshire, they're friendly to linux, and since their HQ used to be a bank, their server farm/dialup pool is in an underground vault. all in all, better than the other guys in my area. (i'm pointing at you, c4.net and capecod.net :)

  • by v4mpyr ( 185039 ) on Monday October 09, 2000 @06:53PM (#719576)
    If you want a security tool check SecurityFocus [securityfocus.com]. They have all kinds of neat toys that actually work.

  • Luckily, I've been able to avoid most E-mail viruses (except for the chain letters, anyway). I usually find out about them at work, and there's usually enough people panicking about them when I get in that I know not to read my mail.

    As far as spam filtering goes, though, it's nearly impossible to do it effectively using a prebuilt package. The spammers seem to have plenty of new tricks up their sleeve all the time. (My favorite is the one saying "This is not spam." If you have to say it isn't spam, then it's spam.) I've written some rather elaborate filtering using procmail, and it's been quite accurate. The best part is that I can make adjustments as I go along. On the flip side, it isn't 100% effective -- occasionally spam gets through, and occasionally it misses something that is spam. And, of course, to program in procmail you have to have a good understanding of how regular expressions work.

    You can take a look at my procmail filter here [elkman.net], as well as a score-based algorithm [elkman.net] that only bounces the mail if it matches more than one of the phrases listed there. Go ahead and use those examples if they help. And, check out procmail.org [procmail.org] for all the documentation.
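An added example of the score-based idea described in this comment (it is not the poster's procmail filter and is not code from procmail.org): each suspicious phrase adds to a score, and the mail is bounced only when more than one phrase matches. The phrase list and the three sample messages are constructed for the example.

```python
"""Score-based phrase filter: every matching phrase adds its weight and the
message is bounced only when the total reaches THRESHOLD. With weight 1 and
THRESHOLD 2 that means "more than one phrase must match", so a legitimate
list saying "this is not spam" is still delivered."""
import email
import re
from email.message import Message

# Constructed phrase list (pattern, weight); not the poster's phrase list.
PHRASES = [
    (re.compile(r"this is not spam", re.I), 1),
    (re.compile(r"make money fast", re.I), 1),
    (re.compile(r"click here", re.I), 1),
    (re.compile(r"remove.{0,20}subject", re.I), 1),  # "put REMOVE in the subject"
]
THRESHOLD = 2

def text_of(msg: Message) -> str:
    """Subject plus every decoded text/* part, so HTML-only mail is scored too."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score(raw: str):
    """Return (total score, list of matched patterns) for one RFC 822 message."""
    text = text_of(email.message_from_string(raw))
    hits = [(pat.pattern, w) for pat, w in PHRASES if pat.search(text)]
    return sum(w for _, w in hits), [p for p, _ in hits]

def classify(raw: str) -> str:
    """'bounce' once the score reaches THRESHOLD, otherwise 'deliver'."""
    total, _ = score(raw)
    return "bounce" if total >= THRESHOLD else "deliver"

# Constructed sample messages: clean mail, a list mail that trips one phrase,
# and a spam that trips three.
HAM = "From: alice@example.com\nSubject: Lunch tomorrow?\n\nAre you free at noon?\n"
BORDERLINE = ("From: list@example.org\nSubject: Monthly update\n\n"
              "This is not spam, you subscribed to this list.\n")
SPAM = ("From: x@example.net\nSubject: Make money fast!!!\n\n"
        "This is not spam. Click here to get started.\n")

if __name__ == "__main__":
    for name, raw in (("HAM", HAM), ("BORDERLINE", BORDERLINE), ("SPAM", SPAM)):
        print(name, classify(raw), score(raw))
```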

  • by Brazilian Geek ( 25299 ) on Tuesday October 10, 2000 @01:03AM (#719578) Journal
    I really don't know what the filter's name is but I do know that it stops known files, mangles attachment extensions, mangles IMG tags and a whole other truck load of stuff, best of all it doesn't interfere with anything but depends on procmail of course.

    Here's a link [impsec.org] to the homepage.

    It is score based, runs really fast, sanitizes headers, HTML and MIME attachments - since it's based on the procmail ruleset, it can easily be adapted to your needs. It features external "poisoned" files (and extensions) that you can block off.

    I've been using it since 1.088 (I think) and I've had no bad things to say about it!
  • Any filter can be defeated, unless it's strong AI. The best you can do is filter out known offenders, or have a super-strict filter that assumes everything is a virus unless it is known to not be one.

    The real solution, barring educated users, is to have clients that do not make it so easy for mail content to be executed. If the mail client will let the user execute a script by clicking on an icon, then that mail client has to go.

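An added example that combines the two ideas above, the attachment-mangling sanitizer from the earlier comment and this comment's "assume everything is a virus unless known not to be" filter; it is not the impsec.org tool's code. Attachments with a poisoned extension (or, in strict mode, any extension not on an allowlist) get a mangled name and a generic content type, so a click in the mail client does not run them. The extension lists, the ".DEFANGED" suffix and the sample mail are all constructed for the example.

```python
"""Attachment sanitizer: mangle the name and MIME type of risky attachments in
place. Default mode blocks a list of poisoned extensions; strict mode is
default-deny and mangles everything not on an allowlist."""
import os
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

POISONED = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js"}  # constructed list
ALLOWED = {".txt", ".pdf", ".jpg", ".png"}  # strict mode: anything else is risky
SUFFIX = ".DEFANGED"  # assumed marker; the real sanitizer's naming may differ

def sanitize(msg: Message, strict: bool = False) -> list:
    """Mangle risky attachment names in place; return (old, new) name pairs."""
    changed = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and the multipart container have no filename
        # "invoice.pdf.exe" is judged by its LAST extension, which is the one
        # a client uses to pick the handler
        ext = os.path.splitext(name)[1].lower()
        if ext in POISONED or (strict and ext not in ALLOWED):
            new = name + SUFFIX
            part.set_param("filename", new, header="Content-Disposition")
            part.set_param("name", new, header="Content-Type")
            part.set_type("application/octet-stream")  # no handler from MIME type
            changed.append((name, new))
    return changed

def sample_message() -> Message:
    """Constructed mail: text body, a PDF, a Word file and a .exe 'invoice'."""
    msg = MIMEMultipart()
    msg["Subject"] = "Your invoice"
    msg.attach(MIMEText("See attached.", "plain"))
    for data, subtype, fname in ((b"%PDF-1.4", "pdf", "invoice.pdf"),
                                 (b"\xd0\xcf\x11\xe0", "msword", "report.doc"),
                                 (b"MZ", "x-msdownload", "invoice.pdf.exe")):
        part = MIMEApplication(data, subtype)
        part.add_header("Content-Disposition", "attachment", filename=fname)
        msg.attach(part)
    return msg

if __name__ == "__main__":
    print(sanitize(sample_message()))  # [('invoice.pdf.exe', 'invoice.pdf.exe.DEFANGED')]
```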
  • by Anonymous Coward
    We use amavis with qmail. Load is occasionally a tad high, but it settles down immediately and doesn't hang the box (at least not yet -- have been doing this since the end of June). I run about 2000 email accounts on the box, which is an IDE drive 350Mhz pentium with 256Mb RAM, Linux. All the box does is mail. It was dipshit simple to set up, and provides a nice 'goodie' that we can offer our users to differentiate from the other guys.
  • If ISPs can screen for viruses attached to emails, would they also be able to read the email message themselves?

    And on a sidenote, if Carnivore is able to access any emails, would they also be susceptible to the viruses that may be attached to them?
  • > And on a sidenote, if Carnivore is able to access any emails, would they also be susceptible to the viruses that may be attached to them?

    Probably not, because Carnivore would probably be programmed to not execute the virus.

  • Brightmail provides dynamic spam and virus filtering for xSPs. Our probe network (a large collection of Internet email accounts) provides our 24/7/365 operations center with the latest spam and "spamming viruses" (a la ILY and Melissa). The operations center creates anti-spam and anti-virus rules which are pushed out to Brightmail servers at customer sites. Caught spam is [optionally] sidelined to a message store for viewing through a web interface. Virus-infected messages are cleaned using Symantec AntiVirus Technology and reinserted to the mail stream. The Brightmail solution integrates with the MTA and provides high throughput and minimal latency. For questions, please visit us at http://www.brightmail.com/company/sales/
  • Well, I've said it before, and I'll say it again. Maybe the next email virus (which, if I'm not mistaken, about 90% of email virii are outlook only) will replace outlook with a USEFUL email program, like spruce, or eudora.
