
Re: Getting rid of worms and viruses



On Thu, Sep 25, 2003 at 01:14:04AM -0400, kmark@pipeline.com wrote:
> 
> 
> On Wed, 24 Sep 2003, Ross Boylan wrote:
> 
> > I have been getting over 100 of these stupid MS virus emails a day.
> > Some are the "install this patch from MS" variety, while some are
> > embedded in returns of mail I didn't send.
> >
> > This is driving me nuts, and certainly proves that Windows viruses can
> > be very harmful to Linux users, even if they can't replicate on Linux.
> > What do I need to take care of this (i.e., automatically delete the
> > junk)?  In particular, will anti-spam software (e.g., spamassassin)
> > take it out, or do I need anti-virus software (e.g., amavis)?
> >
> > Is there a clear dividing line between anti-spam and anti-virus
> > anymore?  And do people have recommendations other than spamassassin
> > and amavis?
> Hi Ross,
> I have earthlink too! And I've tried to email them so far about this
> issue. No reply so far. I am using procmail to delete the MS VIRUS emails
> but am still downloading them.
> So, I have:
> earthlink ->dialup->fetchmail->sendmail->procmail->mboxs
> I am really pissed. They don't have encrypted POP and they have some lame
> spam filtering. And they can't take care of obvious virus email that is
> clogging up my mailbox. How can they claim that me losing emails because
> of this virus is not their problem? When I switch ISPs will it be then?
> -Kevin

To reduce your downloads, it looks as if you can either use
fetchmail's size limit (limit keyword, but it doesn't delete the
message unless you use the somewhat dangerous flush option) or
mailfilter for a somewhat more refined tool (use fetchmail's
preconnect option to invoke it automatically).  I'm looking into
installing mailfilter now.

Oh, the other thing I notice is that fetchmail responds to various
spam codes if you enable "antispam" option, and so could delete the
message as soon as your MTA determines it's spam.  I think exim4, at
least, has some options for making decisions before accepting the
whole message.

I'm a little worried that whatever test I put in is going to zap
something real, and most likely it will also still let a lot of stuff
through (e.g., bounce messages for which the attachment has been
stripped). 

I'm ready to switch ISPs too, but I don't know who's better.  I did
finally have an intelligent conversation with someone at earthlink
today.  She said their numbers showed Swen had much lower penetration
than Sobig (like 0.2% of all earthlink's mails), and they had made a
policy decision not to filter it out.  She wasn't familiar with all
the reasons for the decision, but thought the resources required to
filter (since it requires looking at message content, rather than just
headers, to do it reliably) may have been a factor.  I asked her to
relay my dissatisfaction with the situation, and suggested that their
numbers might be missing lots of the mails, since I've seen several
reports that Swen is the biggest viral worm yet.  It's certainly the
biggest one I've been hit with, but maybe I'm just lucky.

That I found this satisfying is a sad commentary on their support,
which previously included mostly people not responding or telling me
that they "couldn't" filter out the virus.  I get very annoyed when
people make obviously false statements to justify inaction.

Maybe I should point earthlink at Karsten Self's reasons to avoid
challenge-response systems, since earthlink's "strong" spam protection
feature is basically C-R for anyone not on your whitelist.  I have a
feeling other ISPs (e.g. AOL?) are doing the same.  I use their medium
setting, which does filter out some stuff.
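Configuration along the lines of what the message above describes, added here as an example that is not part of the thread: a `.fetchmailrc` using fetchmail's `limit`, `preconnect` and `antispam` keywords, and a `.procmailrc` recipe that quarantines likely worm mail rather than deleting it, which addresses the worry about zapping something real. The host name, user name, password and mailbox paths are placeholders; mailfilter is assumed to be installed and configured separately through its own rc file; and fetchmail is assumed to hand mail to a local MTA (sendmail or exim4) that in turn runs procmail, as in Kevin's chain.

```shell
#!/bin/sh
# Added example, not from the thread: generate a fetchmail + procmail setup
# for a dial-up POP3 account like the one described above.  The fetchmail
# keywords used (limit, preconnect, antispam) are real fetchmail options;
# host name, user name, password and mailbox paths are placeholders.
# Usage: write_fetchmailrc "$HOME"; write_procmailrc "$HOME"

write_fetchmailrc() {
    dir="$1"
    cat > "$dir/.fetchmailrc" <<'EOF'
set no bouncemail
poll pop.example-isp.invalid with proto POP3
    # Run mailfilter against the server-side mailbox before every poll, so
    # oversized or obviously unwanted mail is removed before it is downloaded
    # (assumes mailfilter is installed and configured via ~/.mailfilterrc).
    preconnect "mailfilter"
    user "kevin" there with password "PLACEHOLDER-PASSWORD" is "kevin" here
    # Skip (leave on the server, undownloaded) anything over 100 KB.
    # Without "flush" fetchmail deletes nothing, so a false positive can
    # still be fetched later by raising the limit.
    limit 100000
    # If the local MTA rejects a message with one of these SMTP codes
    # (e.g. exim4 refusing it at RCPT or DATA time), treat it as spam and
    # delete it on the server instead of generating a bounce.
    antispam 571 550 501 554
EOF
    # fetchmail refuses to run if the rc file is readable by anyone else.
    chmod 600 "$dir/.fetchmailrc"
}

write_procmailrc() {
    dir="$1"
    cat > "$dir/.procmailrc" <<'EOF'
MAILDIR=$HOME/mail
DEFAULT=$MAILDIR/inbox
QUARANTINE=$MAILDIR/quarantine
LOGFILE=$MAILDIR/procmail.log

# Likely worm mail: a large message whose body carries a Windows executable
# attachment (the "install this patch from MS" variety).  Deliver it to a
# quarantine mbox rather than /dev/null so a misfire can be recovered;
# procmail matches case-insensitively, so .EXE is caught as well.
# Bounces whose attachment was stripped by the returning MTA will not
# match this recipe and still reach the inbox.
:0
* > 50000
* B ?? ^Content-Type: *application/(x-msdownload|octet-stream)
* B ?? name="?[^"]*\.(exe|pif|scr|bat|com)"?
$QUARANTINE
EOF
}
```

With `flush` left out, the only thing that ever deletes mail on the server is mailfilter, so its rules are the ones to be conservative with; everything fetchmail skips or procmail quarantines can be looked at again later.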