[Exim] Re: [Heads up] W32/Yaha.E p

Góra strony
Delete this message
Reply to this message
Autor: Derrick 'dman' Hudson
Data:  
Dla: Exim users list
Temat: [Exim] Re: [Heads up] W32/Yaha.E p
--
On Wed, Jul 03, 2002 at 09:56:01AM -0400, Tabor J. Wells wrote:
| On Wed, Jul 03, 2002 at 11:16:08AM +0100,
| Alan J. Flavell <flavell@???> is thought to have said:
| > On Tue, 2 Jul 2002, Tabor J. Wells wrote:
| >
| > > Although since sending your note with the iframe tag in the
| > > mail, we've received 13 anti-virus warnings to the list admin
| > > address. Since there are apparantly so many crappy email
| > > anti-virus products out there, perhaps next time you could just
| > > post a link to your favorite AV site writeup instead. :)

|
| Hmmm. If you had sent an attachment which fell foul of the filter
| at ftp://ftp.exim.org/pub/filter/ , then the item would be bounced.
| Presumably the bounce would go to the envelope-sender address, which
| is exim-users-admin@???


A partial list of crappy AV software is :

    ScanMail
    NAV for Microsoft Exchange
    MailMonitor for Exchange
    Antigen
    "NetHotel Filter-service" <Filter@???>


*I* consider these products to be crappy because they don't merely
bounce the infected message, but they spam all addresses in the
headers with a "friendly" (hah!) alert that a virus-infected message
was received. I think I got all of those from the debian-user list,
because d-u was in the To: or Cc: header of the bad messages. Never
mind the fact that only the (very vocal) minority of systems are
actually susceptible to such crap.

(also, note the commonality in all those products -- they are for
exchange)

| > Does that mean that the cited filter is "crappy"? I don't think so.
| > Doesn't that rather say something about the software which needs to be
| > protected from harm by the deployment of such filters?

|
| No my definition of crappy has to do with these products bouncing mail not
| because it contained an infected attachment but because it contained an
| iframe tag. If Juha had actually sent the virus along to the list then
| that'd be one thing. But bouncing mail as a virus because it contains
| an HTML tag is silly because there's no actual virus scanning going on there.


It's silly, except that the only time that tag occurs is in klez (and
now this new worm). As a result, that text will/may occur in
discussions on blocking the worm. I guess the best psuedo-filter is
one that first identifies the MIME type as being HTML, then looks for
that tag. I have one of those crappy filters (that merely bounces the
message, it doesn't send out new spam), but it excludes exim-users
from the filtering.

-D

--

The Consultant's Curse:
    When the customer has beaten upon you long enough, give him
what he asks for, instead of what he needs.  This is very strong
medicine, and is normally only required once.


http://dman.ddts.net/~dman/

--
[ Content of type application/pgp-signature deleted ]
--