Re: Virus Checking - COMPLETELY UNENCUMBERED!

To: Brian May <bam@snoopy.apana.org.au>
Cc: Matthew Grant <grantma@anathoth.gen.nz>, Pixel <pixel@mandrakesoft.com>, debian-devel@lists.debian.org
Subject: Re: Virus Checking - COMPLETELY UNENCUMBERED!
From: Joseph Carter <knghtbrd@bluecherry.net>
Date: Wed, 15 May 2002 01:20:28 -0700
Message-id: <[🔎] 20020515082028.GL21507@bluecherry.net>
In-reply-to: <[🔎] 1021426468.5009.31.camel@scrooge>
References: <[🔎] 1021202211.532.5.camel@zion> <[🔎] 20020512143514.GB3134@laviola.org> <[🔎] lysn4x1kfi.fsf@leia.mandrakesoft.com> <[🔎] 1021233361.531.2.camel@zion> <[🔎] 20020514093111.GT16352@bluecherry.net> <[🔎] 1021426468.5009.31.camel@scrooge>

On Wed, May 15, 2002 at 11:34:28AM +1000, Brian May wrote:
> > Frankly, it would be good if someone would add to the useful procmail
> > recipes a filter to remove any executable attachments from an email
> > outright or mark them as spam or delete them or something.  NOBODY should
> > be emailing an executable.  A zip maybe, an image okay.  An executable,
> > particularly a win32 executable is almost guaranteed to be a virus.
> 
> This is a FAQ for amavis, on why amavis doesn't support this.
> 
> While I don't agree with their reasoning, they say it gives a false
> sense of security because it is too easy to hide a virus inside a virus
> with the wrong MIME type or wrong extension (eg *.doc), and have it
> still execute on a broken Windows machine.

I agree with them.  The check should be on file signature, not file
extension name.  The difference is that one relies on certain bugs in
Microsoft software to not exist - as klez has shown is to not be the case
for many users.  The other scans all attachments for executable content,
regardless of the filename.  While not always desirable to reject such
messages, it is at least worthwhile to tag them as suspect and probably
either spam or a virus (or both..)

If amavis does not provide this functionality, then I shall seek it
elsewhere.  Perhaps that exim filter will do as I need; certainly I can
rewrite the filter in question for use with postfix in perl or python if
it does.

> Personally, I think any file that ends in extensions like *.exe, *.bat,
> *.com, *.scr (and maybe even *.doc; but some people do send/receive
> these files) are very suspicious, and even if you know the sender, the
> chance exists that the files could have been tampered with (unless the
> message is digitally signed with a known signature).

Microsoft Windows has _THIRTY-SEVEN_ different executable extensions which
are known to be run automatically by the OS, regardless of bugs in the
various software.  Relying on the name of the file is as pointless in
Win32 as it is in various flavors of UNIX.  Scan by file signature, not
name.

-- 
Joseph Carter <knghtbrd@bluecherry.net>          If this sig were funny...

* Culus thinks we should go to trade shows and see how many people we
  can kill by throwing debian cds at them

Attachment: pgpNT87AQwFYb.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Virus Checking - COMPLETELY UNENCUMBERED!
  - From: Brian May <bam@snoopy.apana.org.au>

References:
- Virus Checking - COMPLETELY UNENCUMBERED!
  - From: Matthew Grant <grantma@anathoth.gen.nz>
- Re: Virus Checking - COMPLETELY UNENCUMBERED!
  - From: Carlos Laviola <claviola@debian.org>
- Re: Virus Checking - COMPLETELY UNENCUMBERED!
  - From: Pixel <pixel@mandrakesoft.com>
- Re: Virus Checking - COMPLETELY UNENCUMBERED!
  - From: Matthew Grant <grantma@anathoth.gen.nz>
- Re: Virus Checking - COMPLETELY UNENCUMBERED!
  - From: Joseph Carter <knghtbrd@bluecherry.net>
- Re: Virus Checking - COMPLETELY UNENCUMBERED!
  - From: Brian May <bam@snoopy.apana.org.au>

Prev by Date: Re: SPAM mails marking bugs as done?
Next by Date: Re: Virus Checking - COMPLETELY UNENCUMBERED!
Previous by thread: Re: Virus Checking - COMPLETELY UNENCUMBERED!
Next by thread: Re: Virus Checking - COMPLETELY UNENCUMBERED!
Index(es):
- Date
- Thread