
Re: MS BS + Sorting out the virii



On Tuesday, 23 September 2003 23:48, Joel HATSCH wrote:
> > > of these fake Microsoft Update emails per day.
> > > The single part MIME filter doesn't seem to catch it though. What

Just a note: Open Antivirus programs like clamav are not perfect, because the 
open virus database [1] is still too small... but for _sorting_ mail, clamav 
(it's in sid) is really good. It gives you

X-Virus-Found: yes
X-Virus-Status:
 ------------------------------------------------------------
 Virus Scan Status:
 ------------------------------------------------------------
 /tmp/07ae019a324f44ed/textportionKGUGaX: OK
 /tmp/07ae019a324f44ed/textportionOE5x4J: OK
 /tmp/07ae019a324f44ed/textportion4onCon: Worm.Gibe.F FOUND
 /tmp/07ae019a324f44ed/UPGRADE.exegbm4Ix.exe: Worm.Gibe.F FOUND

in a mail with a virus if you use clamfilter [2], a single-file perl script, 
from procmail. Maybe clamfilter should be put into a package, it comes in 
handy.

And... a mail with a positive virus recognition can be deleted without having 
to fear it's a false positive, whereas a mail found to be Spam by 
Spamassassin may be a real mail. Clamav is growing, but doesn't recognize 
enough virii to protect an M$ system, but hey, my "Spam and Virii" folder, 
which I checked every day because of some false positives I got, just became 
one Spam folder with low traffic and one Virii folder where mails are 
marked read automatically and deleted after two months (food for 
spamassassin). Just walking through some Spam mails per day looking for real 
mails is really much easier than clicking through all those Worm mails.

By the way, can anyone tell me why on a debian system the Spamassassin flag 
"MICROSOFT_EXECUTABLE" scores less than one point? A mail with an M$ EXE 
should really score 4.5 or so, because even if one of my friends sends me an 
EXE file on purpose, I would look for it in my Spam folder first ;)

[1] http://www.openantivirus.org/
[2] http://www.everysoft.com/clamfilter.html

-- 
Thomas Ritter

"Those who would give up essential liberty, to purchase a little temporary 
safety, deserve neither liberty nor safety."  - Benjamin Franklin


