Centralized Email Virus Filters?

Matt Hamilton asks: "With yet another email trojan/virus going around (Naked Wife) I am looking for some way to simplify filtering of these messages. I currently run Exim on our company's servers and have a filter that filters about 20 viruses based upon subject lines and strings contained in the body. Very simple, but it works against a lot of mass-email viruses. I was wondering, is there a centralised database of current email viruses/trojans and their subject/body signatures that can be exported to various MTA filtering mechanisms (sendmail, exim, procmail, etc.)? Or perhaps a step further, some sort of central DB that can be accessed directly in real time by the MTA (similar to RBL, ORBS, etc.) so that updates are automatic."
  • I've been wanting something like that for a while for myself. And not just for email viruses, but just some common place for virus info. I never found anything, though.

    -Andrew
  • by K-Man ( 4117 ) on Thursday March 08, 2001 @11:13AM (#376079)
    One thing about Spam and email viruses has always perplexed me: why are they so hard to stop? Humans have no problem recognizing the problem: thousands of identical emails to everyone, whether from a single source, for spam, or to and from random users, for worms.

    It's not that hard to calculate a checksum of each message body that goes through a mail or news server. Once a particular checksum value appears, say, 100 times in a short period (or in 10 newsgroups, etc.), you know you have a problem. At this point you could simply warn the user that the same message has hit X number of other people, from Y number of senders, so Joe Schmoe probably did *not* just send her a picture of his naked wife, or you could simply block that checksum until things die down.

    Maybe there's something I'm missing here.
  • I wrote a simple procmail script in the wake of ILOVEYOU that nails any attachment with active content and drops it on the floor. So far, it has trapped a few hundred copies of various .vbs or .exe viruses, and a dozen stupid flash animations, and two legitimately useful .exe files (which the users found another way to obtain) It's not hard to do, but since then, somebody else has put together something much more full-featured called html-trap.procmail. It's on freshmeat, and it does all that and more. Personally, I haven't quite got around to putting it into place because I want to customize it a bit.

    Who needs checksums or signatures? That will only catch known viruses, it won't help you with the brand-new ones. To do that, ban active content in email. You'll be happier in the long run.
  • Doesn't this seem like a bad idea?

    I send in information about a "virus" and it gets picked up and distributed through this centralized information source, suddenly real mail is discarded.

    Whenever people want a centralized point for information, what they're really wanting is something they can automate to eliminate a problem. What they forget is that they're also giving someone else power over their information stream.

    I'm sure someone will say, we just don't want to have to hunt for the information, we'll review it before we implement it. But only a short time will pass before someone will put out a script that updates automatically.

    Think ORBS. Remember that legitimate people can't send email to their friends. When it started it was just a list so you'd know who wasn't playing the right game. And it's almost impossible to get your server off the list. But very easy for you to get on by some malicious person.

    Extrapolate. People submit "viruses" that contain, 'Dear ****,' and all email with that goes away. Sure, you all know enough not to just trust the source of centralized virus information. But 90% of people don't. Why would someone make something up just to hurt people?

    The potential for abuse is astronomical.

  • I second that - but I use html-trap.procmail. It's fast enough for my uses (300 to 400 emails a day) and is easy enough for me to understand and customize.

    Its main features are:
    • Trapping (dumping) emails based on attachment type (great to get rid of those pesky vbs worms).
    • Mangling of filenames so that no files are run automagically by Outlook/Scripting Engine. Users are forced to save the file and rename the file (gives the antivirus software a fighting chance to kill the menace, if any).
    • Dumping files based on the amount of Macros in a DOC or XLS (if you don't dump or mangle them).
    • Kills webbugs and mangles HTML messages.
    • Great reporting mechanism - at least I think it's great.
    I know it doesn't do what the author suggested but even without subject recognition it killed the 3 NakedWife worms that tried to get into my network.

    --
    All browsers' default homepage should read: Don't Panic...
  • Whatever mechanism you use to centrally stop delivery of file types you don't like/trust please make sure you either bounce the mail with the attachment, or notify the recipient that you won't deliver the particular attachment.

    I consult for a large automotive company who have a policy of throwing away certain attachment types (including .tar.gz) and I have been repeatedly caught out by external suppliers sending me information which just gets thrown into the bit bucket by the corporate mail server. Neither the sender nor the recipient is notified that the mail has been binned, which is massively irritating!
  • I know this is nothing like the author asked for, however where I used to work [rowan.edu], I set up a copy of Amavis [amavis.org] to scan all incoming mails on the mailserver. It takes a little tweaking to get syntax and setup right, as when I did it documentation wasn't perfect, but it works like a champ now. One of the other admins also set up a perl script that checks McAfee's FTP site for a newer version of the virus database, pulls it down, unpacks and tests it to make sure it works, and then installs it; this way when new virus databases come out, they're automatically updated on the mailserver.

    For our uses, the perl version [amavis.org] (Halfway down the page) worked out better.
  • by awx ( 169546 )
    one easy way I use is to simply block movement of ANY email with "vba" in it. Gets rid of all .jpg.vba attachments that fool the secretaries, and stops discussion of vba-spreading by some of the junior consultants that we had last year. If they wanna spread viri, they can talk about it off company time...
  • It's not that hard to calculate a checksum of each message body that goes through a mail or news server. Once a particular checksum value appears, say, 100 times in a short period (or in 10 newsgroups, etc.), you know you have a problem. At this point you could simply warn the user that the same message has hit X number of other people, from Y number of senders, so Joe Schmoe probably did *not* just send her a picture of his naked wife, or you could simply block that checksum until things die down. Maybe there's something I'm missing here.

    You're missing mailing lists. Opt-in mailing lists, unfortunately, act almost precisely the same way as spam. If there are 100 users on your system subscribed to a list, then it won't be so crazy for the same message to flip through 100 times. And that's legitimate. The biggest problem with any sort of censoring, even of spam, is false positive blocks.

    -Andrew
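Added example, not part of the thread and not anyone's posted code: a small Python version of K-Man's "count identical bodies" idea, keyed on distinct envelope senders inside a sliding window, which is the one design choice that keeps the mailing-list case Andrew raises from tripping it. The thresholds, field names and sample traffic are assumptions I constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

SEEN_THRESHOLD = 5      # distinct envelope senders before a body is called a worm
WINDOW_SECONDS = 3600   # sightings older than this are forgotten


def normalise(body):
    """Collapse whitespace and case so a re-wrapped copy hashes the same."""
    return re.sub(r"\s+", " ", body).strip().lower()


def body_hash(body):
    return hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()


class DuplicateDetector:
    """Per body hash, remember (time, envelope sender) inside a sliding window.

    The threshold counts DISTINCT senders, not raw copies: a list post is one
    body relayed by one bounce address to many recipients, while a worm is one
    body sent by many infected machines. That separates the two cases without
    a whitelist of list addresses (which a worm could forge in a header)."""

    def __init__(self, threshold=SEEN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.sightings = defaultdict(list)   # hash -> [(time, sender), ...]

    def observe(self, msg, now):
        """Record one message; return (label, copies_in_window, distinct_senders)."""
        h = body_hash(msg["body"])
        cutoff = now - self.window
        recent = [(t, s) for (t, s) in self.sightings[h] if t >= cutoff]
        recent.append((now, msg["envelope_from"].lower()))
        self.sightings[h] = recent
        senders = {s for (_, s) in recent}
        label = "worm" if len(senders) >= self.threshold else "ok"
        return label, len(recent), len(senders)


def classify_stream(messages):
    """Run a list of (timestamp, message) pairs through one detector."""
    det = DuplicateDetector()
    return [det.observe(m, t)[0] for (t, m) in messages]


# Constructed sample traffic, not captured mail.
WORM_BODY = "Here is a picture of my naked wife!\n   Check it out!"
LIST_BODY = "Re: [cpp-talk] const correctness\n > long quoted thread ..."


def sample_stream():
    stream = []
    # 100 copies of one list post, all relayed by the list's bounce address
    for i in range(100):
        stream.append((1000 + i, {"envelope_from": "cpp-talk-bounces@example.org",
                                  "body": LIST_BODY}))
    # the same worm body from six different infected senders
    for i in range(6):
        stream.append((2000 + i, {"envelope_from": f"victim{i}@example.net",
                                  "body": WORM_BODY}))
    # one straggler after the window has expired: the count starts over
    stream.append((2000 + WINDOW_SECONDS + 5,
                   {"envelope_from": "victim9@example.net", "body": WORM_BODY}))
    return stream


if __name__ == "__main__":
    for (t, m), label in zip(sample_stream(), classify_stream(sample_stream())):
        print(t, m["envelope_from"], label)
```

The 100 list copies all score as one sender and pass, the fifth distinct infected sender flips the worm body to "worm", and a copy arriving after the window has lapsed is back to "ok". The weak point is exact hashing: a worm that varies even a byte of its body, or a list that appends each recipient's address to the footer, yields a new hash per message, and the subject line is not hashed at all here. Sharing checksums between sites, as the Vipul's Razor project mentioned further down does, makes the count climb sooner but does not remove that limitation.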
  • Check the anomy mail tools [anomy.net]. It can disable the active content of emails (like renaming .exe to .exe.disabled or modifying the included javascript in html attachments to make them non-executable). Also you can check and/or clean the attachments with antivirus and tools like that.

    Also some antivirus products have mail checking engines for linux, like avp or antivir, and with a policy of having the databases updated, this can work almost unattended.

  • It's not the most popular solution because it's based on MS Exchange, but Mail Essentials (http://www.gficomms.com) is an excellent solution that we used on a 3000-user network to immunize against Love Letter, etc, etc. Its rules are extremely versatile, and support mailbacks to senders or notices of attachment deletions to receivers (a good point mentioned elsewhere in this discussion), deletion of emails based on filename, extension, size, quarantining messages in an administrator mailbox for review and later release and distribution, and pretty much any other field is usable as a rule. (Almost procmail-esque, IIRC.)
    If this is something you might need, give it a try. It works on the main mail gateway (child mail servers can't use it) and is pretty cheap. HTH!
  • But Exchange 2000's Anti Virus API is incomplete, and doesn't check incoming SMTP email, among other things. Really sucks. But that having been said, unilaterally blocking .vbs will win you half the battle these days. Also, make sure your client Win machines either a) don't have WSH installed, or b) the default action for VBS is to edit in notepad or something innocuous.
  • I like what Paul Daniels is doing with inflex

    http://www.inflex.co.za

    you can set it up to run a virus scanner, scan for file types, scan for text inline, etc.

    works nice and fast, too.

    Oh. And free!
  • I tried to address this in a recent article [advogato.org] on Advogato [advogato.org]. I've gotten some great feedback on the system, but I've yet to hear of an implementation of this system. If I had the know-how, I'd implement it myself, but that's not my bag.

    -Waldo
  • The infrastructure on your computer that allows these "viruses" to exist would be the easiest place to put defences against them. But trying to persuade the vendors of this crapware to remove these "features" is like pissing against the wind. I won't mention names, but you know who I mean.

    However, you could change the software you're using. I've only received a few of these email viruses so far, but I can say with 100% certainty that they've never been forwarded to anyone by my mailreader, nor have they caused any damage to my system or the networks it is connected to.


  • Thanks for all the suggestions. It seems from the replies so far that what I am asking for does not yet exist. Therefore I would like to try and create it in some way.

    Specifically: A web site with a database that contains traits of particular mail viruses (eg. Subject == 'foobar'; attachment == 'hello.vbs'). A visitor to the site can then download a list of these in such a form that they could copy/paste directly into exim/sendmail/procmail/whatever. The system should be easily extensible such that converters can be contributed to convert to whatever MTAs people want.

    Anyone have any suggestions/comments?

    -Matt
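Added example serving both the "ban active content" posts above (the procmail and html-trap comments) and Matt's proposed trait database in the post just above; it is my illustration, not code from the thread or from html-trap, anomy, inflex or any other tool named here. It parses messages with Python's email package, quarantines anything carrying an attachment whose last extension Windows would execute (catching unknown worms and the photo.jpg.vbs trick without a signature), matches a small trait table on subject or attachment name, and exports that same table as procmail and Exim filter fragments. The extension list, the quarantine mailbox name and the two sample table entries are assumptions of mine; check any real entry against a current virus description before using it.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click (assumed list, extend as needed).
ACTIVE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs",
                     ".vbe", ".js", ".jse", ".wsf", ".hta", ".shs", ".vba"}

# Constructed sample trait table in the shape Matt describes; illustrative only.
SIGNATURES = [
    {"name": "NakedWife", "subject": "Fw: Naked Wife", "attachment": "NakedWife.exe"},
    {"name": "LoveLetter", "subject": "ILOVEYOU", "attachment": "LOVE-LETTER-FOR-YOU.TXT.vbs"},
]

QUARANTINE = "quarantine"   # assumed mailbox name used in the exported recipes


def last_extension(filename):
    """Final extension only, so 'photo.jpg.vbs' is seen as .vbs.
    Trailing dots and spaces are stripped because Windows ignores them too."""
    name = filename.strip().rstrip(". ").lower()
    return name[name.rfind("."):] if "." in name else ""


def attachment_names(msg):
    """Decoded filenames of every part that carries one, whatever its Content-Type."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def active_attachments(msg):
    return [n for n in attachment_names(msg) if last_extension(n) in ACTIVE_EXTENSIONS]


def match_signatures(msg, sigs=SIGNATURES):
    """Names of table entries whose subject OR attachment name matches the message."""
    subject = (msg.get("Subject") or "").strip().lower()
    names = {n.lower() for n in attachment_names(msg)}
    return [s["name"] for s in sigs
            if s["subject"].lower() == subject or s["attachment"].lower() in names]


def verdict(msg, sigs=SIGNATURES):
    """'quarantine' on a signature hit or any active attachment, else 'deliver'."""
    hits, active = match_signatures(msg, sigs), active_attachments(msg)
    return {"verdict": "quarantine" if hits or active else "deliver",
            "signatures": hits, "active_attachments": active}


def to_procmail(sigs=SIGNATURES):
    """Export the table as procmail recipes: a header match for the subject and a
    body-mode (B) match for the raw MIME filename. The raw match misses RFC 2231
    encoded or folded filenames that the Python matcher above decodes."""
    out = []
    for s in sigs:
        out.append(f'# {s["name"]}\n:0:\n* ^Subject: *{re.escape(s["subject"])} *$\n{QUARANTINE}\n')
        out.append(f':0 B:\n* ^Content-Disposition:.*filename="?{re.escape(s["attachment"])}\n{QUARANTINE}\n')
    return "\n".join(out)


def to_exim_filter(sigs=SIGNATURES):
    """Export as an Exim filter; $message_body only covers message_body_visible bytes."""
    out = ["# Exim filter"]
    for s in sigs:
        out.append(f'if $h_subject: is "{s["subject"]}" or $message_body contains "{s["attachment"]}" then\n'
                   f'  save {QUARANTINE}\n  finish\nendif')
    return "\n".join(out)


# A new MTA converter is one more entry here, which is the extensibility Matt asks for.
EXPORTERS = {"procmail": to_procmail, "exim": to_exim_filter}


def build_message(subject, filename=None):
    """Constructed test message with an optional dummy binary attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.net", "bob@example.net", subject
    m.set_content("see attached")
    if filename:
        m.add_attachment(b"MZ\x90\x00dummy", maintype="application",
                         subtype="octet-stream", filename=filename)
    # Round-trip through bytes so the parser path an MTA filter would use is exercised.
    return BytesParser(policy=policy.default).parsebytes(bytes(m))


if __name__ == "__main__":
    for subj, fn in [("Fw: Naked Wife", "NakedWife.exe"),
                     ("Vacation photos", "photo.jpg.vbs"), ("Q3 report", "report.tar.gz")]:
        print(subj, fn, verdict(build_message(subj, fn)))
    print(EXPORTERS["procmail"]())
```

Keying the generic rule on the last extension rather than on a substring (the "anything with vba in it" rule posted earlier) lets a message that merely discusses VBA through, and keeps .tar.gz deliverable. Whatever the verdict, a deployment should tell the recipient when something was quarantined, as the automotive-company post above asks.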
  • Why not buy an anti-virus product?

    Sophos even have a beta release of a virus checking SMTP relay.

    Check out http://www.sophos.com/downloads/products/
  • there is a site that does exactly this. it is at http://www.brightmail.com/ I use it on my primary account and it works very well. It does have a slight learning curve (i.e. it catches "spam" that is actually mailing lists.) but once you train it to ignore those items it works like a charm.
  • Where is this on the site? I have heard rumours of this coming, and I've looked on the site, but can't see it anywhere.

    -Matt
  • I keep getting virus warnings about plain text emails with no attachments containing viruses. They're coming from a C++ language discussion mailing list that automatically strips attachments and MIME. Duh.
  • You have to look under their research section, on the left hand side of the link there's an option for it. It only says the notes beta but if you register there's more.
  • ..something on sourceforge which its creator calls "Vipul's Razor" and which I think should be shortened to "Vizor".

    Here's a link [sourceforge.net]

    Regards,
    Mark
    http://www.phluffynet.com
  • ...check out Vipul's Razor [sourceforge.net]

    Regards,
    Mark
