Auteur: Alan J. Flavell Date: À: Mark Morley CC: Exim users list Sujet: Re: [Exim] W32/Sircam worm
On Tue, 24 Jul 2001, Mark Morley wrote:
> Personally I don't like using the generic filter for viruses (I see too
> many false positives).
It depends what one means by "false". Any active-type attachment
_could_ conceal an as-yet-unknown virus. In an ideal world, no mail
client would be so stupid as to go opening dangerous attachments
without a signed confirmation in triplicate from the potential victim.
Unfortunately, we find ourselves in a world where we need to protect
users from their mail clients.
Our official campus mail policy tells us (in effect) don't use active
attachments - if you need to exchange executable content, then package
it into some kind of package format e.g zip. I didn't set that
policy, but it seems a good one to me. Surprisingly few users have
complained about the fact that the departmental mailer actually
enforces that policy, with only a couple of special exceptions.
The trouble with relying solely on virus checkers is that they're
always behind the threat - if only by days - and sooner or later
something is sure the get through that gap. We tell our users that
it's important to have up-to-date virus checking AS A BACK-STOP, but
that as a first line of defence they should "practice safe email" i.e
to follow email procedures that by their nature maintain some barrier
against the risk.
Well, I expect the next move will be for a vendor to make their mail
client default to automatically unpacking and pre-opening zip files,
no matter how dangerous they might be - but let's cross that bridge
when we come to it.
OK, confession time: our dept is still running an older version of
exim, that limits the length of the match strings to 256. In order to
be able to add 'lnk' to the list of matches without bursting that
limit, I needed to replace the two old long string matches (I think we
got it from system filter version 0.10) with the four shorter string
matches that are in the current version, 0.13. Hope that comment
helps someone else. (Yes, we do plan to upgrade!)