Autor: Patrick Starrenburg Datum: To: exim-users Betreff: [Exim] Re: Bugbear/B filtration
On Thu, 05 Jun 2003 11:38:22 GMT Alan J. Flavell wrote:
> On Thu, 5 Jun 2003, Asbjorn Hoiland Aarrestad wrote:
>
>> Use exiscan and a virus scanner. This will stop more than just common
>> viruses.
>
> Just to clarify this point: Having a virus scanner is certainly a
> valuable backstop, but if that's the only precaution, then it more or
> less guarantees infection, sooner or later, when a virus arrives
> before its anti-virus update. It's best to have a policy of blocking
> potentially-dangerous formats. And by all means a virus scanner too.
>
> Most recently, we (or rather, exiscan) blocked several instances of
> what turned out to be Sobig-C, on the grounds of it being a
> potentially dangerous attachment, in the relatively short time until
> the update for it arrived from the anti-virus vendor. The two
> different kinds of report are evident in the log:
One thing you need to be aware of - and Tom is aware of this issue - is
that Exiscan will **_NOT_** find all occurances of attachments correctly
and block them therefore you *may* still be at risk.
1. If the sending MTA is Lotus Domino which uses some (yuk) MIME encoding
Exiscan does not identify the restricted attachment type. This issue has
still be definitely tested but we are still receiving multiple instances
of this getting through Exiscan.
2. If the attachment is more than one level of MIME deep, i.e. the
attachment is inside an email which is sent inside another email. Case in
point - we were getting dozens of *legitmate* bounces from AOL to one of
our users. Inside the original message were attachments which were the
FIZZA virus. What was happening was that - person had got infected, virus
on their machine was spoofing virus infected emails out using our staff
persons email address which it got from original person's address book.
Bounces came back from AOL to *our* user (with whole original message +
virus (thanks AOL) attached.
If the attachment had not been caught by our inside virus scanner which
*did* fully unpack the MIME and remove the attachment then we would have
been infected.
