On Thu, Oct 24, 2019 at 3:22 PM Jaroslaw Rafa via mailop <mailop@mailop.org> wrote:
> On 24.10.2019 at 15:03:25 Jay Hennigan via mailop writes:
> >
> > If a message contains malware, it is almost certainly also spam.
>
> Yes, but it's better to have two separate tools - one specialized in
> detecting malware, that does it with high accuracy, and the other a
> general-purpose spam filter (which can pass through some spam) - than try
> to fit everything in one tool.
>
> That's why you usually have both antivirus/anti-malware scanners AND
> generic spam filters on a mail host. Even if a spam filter happens to pass
> the message containing malware, the AV scanner usually catches it, as it is
> specialized to do that particular task only.
>
> If the malware is not attached directly to the email, but needs to be
> downloaded from a link included in the message, then we have a UTM on the
> way which should block the download attempt.
>
> And if everything else fails, there is anti-malware software running
> directly on the end user's computer.
>
> An antispam filter isn't supposed to do everything... :)
>

There have been constantly mutating viruses in the wild for years now where almost every copy is unique (ish), involving bad payloads in overly permissive file formats (Office, PDF, etc.), not to mention various spear phishing payloads for the same. Getting ahead of those involves combining more typical spam features with content features and then doing something ridiculously expensive like opening the document on a virtual Windows box. Combining those features allows you to do this and take the processing/delay hit only on the most likely messages.

Also, you may have noticed that spear phishing messages helped change the outcome of the last US Presidential election, not to mention wiping every Windows computer/server in various organizations across the world, industrial espionage theft on a massive scale, etc.

I mean, sure, we invest more resources in protecting enterprise accounts than consumer ones, but your assumptions about the risk environment or how these modern systems work are woefully naive. Yahoo went p=reject on yahoo.com because phishing messages had caused their customer support operations to handle an increased load to the tune of at least tens of millions of dollars in support costs. Heck, Google started the internal precursor to DMARC due to fraudulent AdWords activity costing our customers at least that much money a quarter. And that's not even counting the money that people have lost mistakenly falling for various "mugged in London" type scams, or the current favorite of DoSing a user's inbox so they don't notice the real notification messages of money stolen from their PayPal or whatever account.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop