Re: [Mimedefang] Need help with virus notifications
> > And I don't assume that all other folks have poorly configured firewalls
> > that will let viruses go straight out without passing through some form
> > of SMTP relay. Remember that the viruses have access to the infected PC's
> > settings and can pull their SMTP relay from their mail client rather
> > easily ... it's GOING to happen if it isn't already.
>
> Actually, that's old school virus behavior. A few years ago, they would
> look up the outbound relay from the mail client and use that to send their
> mail. Recent ones have changed to sending direct. My guess is malware
> authors found too many of the legit mail relays were running antivirus
> software hindering their efforts so they switched to sending direct.

Which brings up one of those "Help Save The World!" points. Configure your
firewall to block outbound SMTP except from internal mail servers. It's
simple, it's effective, it's good practice.

Anyway, I think we're pretty far down the path towards a religious war.
Either you bounce every virus, drop mass-mailing viruses, or drop all
viruses. Personally I'm glad that I use the SpamAssassin rules for flagging
anti-virus replies, because there are a LOT of people out there bouncing
everything, and one of my mail addresses has been out there for 10 years.

Chris Myers
Networks By Design

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Need help with virus notifications
- Original Message -
From: "Ian Mitchell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 11:32 AM
Subject: Re: [Mimedefang] Need help with virus notifications

> > I use:
> >
> > return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );
> >
> > @MM means "Mass Mailer" in McAfee and Symantec engines.
> > Worm. means the same thing with ClamAV
> > HTML. means a Phishing message with ClamAV
>
> The issue I can see with this approach is that relying on the naming
> standards of a third party organization is a bit risky. What if they
> decide to name it differently, or if the worm isn't detected properly?

If you detect a mass-mailer, it's only right and proper to drop it quietly.
If the naming convention changes (which it periodically will; the
HTML.Phishing stuff is new to ClamAV) then the worst that happens is that
you bounce something you should have dropped.

My default policy is:

1) drop mass-mailers and other known forged sender viruses
2) bounce all other viruses, just in case someone really is infected and
   would like to know about it.

And I don't assume that all other folks have poorly configured firewalls
that will let viruses go straight out without passing through some form of
SMTP relay. Remember that the viruses have access to the infected PC's
settings and can pull their SMTP relay from their mail client rather easily
... it's GOING to happen if it isn't already.

Chris Myers
Networks By Design
Re: [Mimedefang] Need help with virus notifications
[EMAIL PROTECTED] wrote on 12/13/2004 02:03:52 PM:

> And I don't assume that all other folks have poorly configured firewalls
> that will let viruses go straight out without passing through some form of
> SMTP relay. Remember that the viruses have access to the infected PC's
> settings and can pull their SMTP relay from their mail client rather easily
> ... it's GOING to happen if it isn't already.

Actually, that's old school virus behavior. A few years ago, they would look
up the outbound relay from the mail client and use that to send their mail.
Recent ones have changed to sending direct. My guess is malware authors found
too many of the legit mail relays were running antivirus software hindering
their efforts so they switched to sending direct.
Re: [Mimedefang] Need help with virus notifications
[EMAIL PROTECTED] wrote on 12/13/2004 09:26:25 AM:

> Take the time to identify whether the message is a mass-mailer that
> falsifies the sender's address. This is simple to do, and it avoids
> attacking an innocent (remember, the bounce might include the infected
> attachment ... and the bounce is going to the one person in the world who
> DID NOT send the virus in the first place).

Given that nearly all of the current viruses use their own internal SMTP
engines to send directly, a 550 will just kill the virus. It will only
harass an innocent third party if the infected email is relayed through a
normal mail server. Under that situation, I do not feel guilty about that
person because I am not generating the mail, all I am doing is refusing to
accept delivery of it.
Re: [Mimedefang] Need help with virus notifications
> Date: Mon, 13 Dec 2004 08:26:25 -0600
> From: "Chris Myers" <[EMAIL PROTECTED]>
> Subject: Re: [Mimedefang] Need help with virus notifications
>
> Take the time to identify whether the message is a mass-mailer that
> falsifies the sender's address. This is simple to do, and it avoids
> attacking an innocent (remember, the bounce might include the infected
> attachment ... and the bounce is going to the one person in the world who
> DID NOT send the virus in the first place).
>
> The exact strings to look for in the virus name vary somewhat by vendor,
> but I use:
>
> return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );
>
> @MM means "Mass Mailer" in McAfee and Symantec engines.
> Worm. means the same thing with ClamAV
> HTML. means a Phishing message with ClamAV

The issue I can see with this approach is that relying on the naming
standards of a third party organization is a bit risky. What if they decide
to name it differently, or if the worm isn't detected properly?

It would be more appropriate to reject it with an action_bounce giving the
550 denied error with an appropriate message that lets the sender know why it
wasn't sent. That way if they send a manual word document that just happened
to have a funky auto_start macro (ek!) that tripped a virus scan, they would
know. If it was a mindless drone on grandma's PC, then no harm would be done.

And as for phishing messages detected by clamav, who the heck cares if they
get bounced. Less noise in the long run!

If you bounce a message, just make sure the justification reason given to the
end user is sufficient for them to correct the issue and resend.
Re: [Mimedefang] Need help with virus notifications
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 7:16 AM
Subject: Re: [Mimedefang] Need help with virus notifications

> [EMAIL PROTECTED] wrote on 12/10/2004 09:54:47 PM:
>
> > As a matter of policy, I reject (550 SMTP reject) any virus infected or
> > bad_filename emails. if there's a legitimate user at the other end,
> > they'll get notification of the failure. if there isn't, the noise
> > should be minimal.

Take the time to identify whether the message is a mass-mailer that
falsifies the sender's address. This is simple to do, and it avoids
attacking an innocent (remember, the bounce might include the infected
attachment ... and the bounce is going to the one person in the world who
DID NOT send the virus in the first place).

The exact strings to look for in the virus name vary somewhat by vendor, but
I use:

return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );

@MM means "Mass Mailer" in McAfee and Symantec engines.
Worm. means the same thing with ClamAV
HTML. means a Phishing message with ClamAV

If the virus doesn't match one of those strings, then you can
action_bounce(...) without being "part of the problem" like many of the
commercial A/V e-mail scanners.

Chris Myers
Networks By Design
Re: [Mimedefang] Need help with virus notifications
[EMAIL PROTECTED] wrote on 12/10/2004 09:54:47 PM:

> As a matter of policy, I reject (550 SMTP reject) any virus infected or
> bad_filename emails. if there's a legitimate user at the other end,
> they'll get notification of the failure. if there isn't, the noise
> should be minimal.

I'll second Alan's suggestion on 550'ing any rejected message. We had a
situation where someone thought they were sending a MS Word document, but
they were getting an error that we were rejecting it because of the file
name. After reviewing the logs, I found the file had an extension of URL. If
I had just dropped it, the sender wouldn't have known it wasn't going through
and would have been upset at the recipient for not responding.

A virus' internal SMTP engine isn't going to care if it gets 550'ed.
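The policy described in Chris's message (quietly discard virus names that imply a forged sender, 550-reject everything else) and the point made in the two replies above (a 550 costs a virus's own SMTP engine nothing, while a real sender gets told), written out as a mimedefang-filter fragment. This is an added example, not code from the thread or from the MIMEDefang project. It assumes the standard MIMEDefang hooks and globals (filter_begin, message_contains_virus, $VirusName, action_discard, action_bounce, md_syslog); the classify_virus helper and the pattern list are this example's own, seeded only with the three name fragments the thread quotes.

```perl
# Added example (not from the thread): virus-name policy for a mimedefang-filter.
# Assumes the standard MIMEDefang hooks and globals; classify_virus() is a
# hypothetical helper written for this example.
use warnings;

# Name fragments that mark a mass-mailer (forged sender) or a phishing message,
# per the vendor naming conventions quoted in the thread.
# Pitfall: inside a Perl regex a bare "@MM" is interpolated as the array @MM,
# which yields an empty alternative that matches every name, so the "@" must
# be escaped.
my @FORGED_SENDER_PATTERNS = (
    qr/^Worm\./i,   # ClamAV mass-mailer
    qr/\@MM/i,      # McAfee / Symantec mass-mailer suffix
    qr/^HTML\./i,   # ClamAV phishing
);

# Map a scanner verdict to an action: 'discard' when the name implies a forged
# sender (a bounce would hit an innocent third party), 'bounce' for anything
# else so a genuine sender learns the message did not get through.
sub classify_virus {
    my ($name) = @_;
    return 'none' unless defined $name && length $name;
    for my $re (@FORGED_SENDER_PATTERNS) {
        return 'discard' if $name =~ $re;
    }
    return 'bounce';
}

sub filter_begin {
    my ($entity) = @_;

    # message_contains_virus() runs the configured scanner and sets $VirusName.
    return unless message_contains_virus();

    my $verdict = classify_virus($VirusName);
    md_syslog('warning', "virus '$VirusName' detected: $verdict");

    if ($verdict eq 'discard') {
        # Silent drop: the peer is told "accepted" and nothing is sent anywhere.
        action_discard();
    } else {
        # action_bounce rejects at the SMTP level with a 5xx reply, so a real
        # sending MTA reports the failure to its user, while a virus's own
        # SMTP engine simply gives up.
        action_bounce("Message rejected: virus $VirusName detected");
    }
    return;
}
```

Because the classification lives in one helper with a pattern list, the vendor-specific fragments Ian worries about can be adjusted in one place when a scanner's naming convention changes, and the failure mode stays the one Chris describes: a renamed mass-mailer family gets rejected rather than silently dropped, never the other way round.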
Re: [Mimedefang] Need help with virus notifications
Ronald Vazquez NLM wrote:

> Hello:
>
> I have been tasked with configuring MIMEDefang to allow a virus to come in
> thru the first instance, tag it with X-RrestrictedAttachment to allow our
> virus scanner to process it. The idea is that once Trend Micro drops the
> attachment, we can scan the body with the second instance of MD and drop the
> virus notification.
>
> Why? There are some extensions that even though they are stripped, we do
> notify our users of the action so they can take appropriate action. This
> means that we only want to stop notifications for uncleanable attachments.
>
> Does anybody know a better way to accomplish this? The goal is to avoid
> notifying our users of every virus-infected email we drop while still
> notifying them about a VBA file they were waiting for.
>
> Thanks in advance,
> Ronald Vazquez

Ronald,

Answer from Alan Premselaar:

It seems to me that because of the nature of most of today's viruses, you
don't want to send any notifications if they tested positive. Since often the
sender is forged, it's generally a bad idea to notify the sender. Since it's a
virus, it's not usually something expected by the recipient anyways, so the
notification only adds noise to the end-user's mailbox.

in the case of a VBA file that gets quarantined or rejected, etc. that could
be caught with the bad_filename routines (not necessarily a virus) and you
could choose to make notifications separate for those from your virus
handling. Although I would still caution that rejected bad_filenames will
also hit potential virus attachments and still cause noise down the line.

As a matter of policy, I reject (550 SMTP reject) any virus infected or
bad_filename emails. if there's a legitimate user at the other end, they'll
get notification of the failure. if there isn't, the noise should be minimal.

hope this is helpful

alan

New question:

Alan:

Thank you for the answer. My problem is that I have to follow procedure and
let the virus come in on port 25, tag it, hopefully Trend Micro will do its
job by deleting the virus, we will then scan the body, look for the tag and
MD will suppress the tagged email notification at 10025. I am looking for
help in writing a filter that would allow this action.

Now, how could I accomplish what I just described?

Thanks in advance

Ronald Vazquez
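The two-pass flow Ronald lays out (first MIMEDefang instance on port 25 tags, an external scanner strips, second instance on port 10025 suppresses the tagged notification while ordinary stripped-extension notices still go out), sketched as a single mimedefang-filter that both instances load. This is an added example, not code from the thread, from Ronald's setup, or from the MIMEDefang project. Assumptions: the $STAGE variable (hypothetical; each instance's copy of the filter sets it to 'ingress' or 'post-av'), the header name spelled exactly as in the post, the standard MIMEDefang hooks (filter_begin, filter, message_contains_virus, action_add_header, action_discard, action_drop_with_warning, action_accept, md_syslog) and the default filter's filter_bad_filename helper; the Trend Micro step between the two instances is outside this code.

```perl
# Added example (not from the thread): two-pass tag-and-suppress sketch.
# $STAGE is a hypothetical per-instance setting: 'ingress' for the port-25
# instance, 'post-av' for the port-10025 instance that runs after the
# external scanner.
use warnings;

my $STAGE = 'ingress';
my $TAG   = 'X-RrestrictedAttachment';   # header name as given in the post

sub filter_begin {
    my ($entity) = @_;

    if ($STAGE eq 'ingress') {
        # First pass: do not drop anything here, just mark messages that
        # carry a detected virus so the second pass can tell them apart
        # from ordinary mail.
        if (message_contains_virus()) {
            action_add_header($TAG, "virus=$VirusName");
            md_syslog('info', "tagged message with $TAG ($VirusName)");
        }
        return;
    }

    # Second pass, after the external scanner has removed what it could:
    # a message still carrying the tag is the notification for an
    # uncleanable attachment, which the site does not want delivered.
    # Untagged mail passes through and keeps whatever notice was generated
    # for a stripped file.
    my $tag = $entity->head->get($TAG);
    if (defined $tag) {
        chomp $tag;
        md_syslog('info', "suppressing notification ($TAG: $tag)");
        action_discard();
    }
    return;
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # The extension check belongs to the first pass only; the second
    # instance must not strip or re-warn.
    return action_accept() unless $STAGE eq 'ingress';

    if (filter_bad_filename($entity)) {
        # Stripped extension (the VBA case): keep the usual in-message
        # warning, which is the notice the site still wants its users to get.
        return action_drop_with_warning(
            "An attachment named '$fname' was removed by policy.");
    }
    return action_accept();
}
```

The second pass keys only on the presence of the tag, so a stripped-extension message that was never virus-positive reaches the user with its warning intact, while anything the scanner could not clean is silenced. Operationally the tag header should be stripped or ignored for mail arriving from outside the first instance, otherwise a sender could pre-set it; the sketch assumes the port-10025 instance is reachable only from the scanner.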
Re: [Mimedefang] Need help with virus notifications
Ronald Vazquez NLM wrote:

> Hello:
>
> I have been tasked with configuring MIMEDefang to allow a virus to come in
> thru the first instance, tag it with X-RrestrictedAttachment to allow our
> virus scanner to process it. The idea is that once Trend Micro drops the
> attachment, we can scan the body with the second instance of MD and drop the
> virus notification.
>
> Why? There are some extensions that even though they are stripped, we do
> notify our users of the action so they can take appropriate action. This
> means that we only want to stop notifications for uncleanable attachments.
>
> Does anybody know a better way to accomplish this? The goal is to avoid
> notifying our users of every virus-infected email we drop while still
> notifying them about a VBA file they were waiting for.
>
> Thanks in advance,
> Ronald Vazquez

Ronald,

It seems to me that because of the nature of most of today's viruses, you
don't want to send any notifications if they tested positive. Since often the
sender is forged, it's generally a bad idea to notify the sender. Since it's a
virus, it's not usually something expected by the recipient anyways, so the
notification only adds noise to the end-user's mailbox.

in the case of a VBA file that gets quarantined or rejected, etc. that could
be caught with the bad_filename routines (not necessarily a virus) and you
could choose to make notifications separate for those from your virus
handling. Although I would still caution that rejected bad_filenames will
also hit potential virus attachments and still cause noise down the line.

As a matter of policy, I reject (550 SMTP reject) any virus infected or
bad_filename emails. if there's a legitimate user at the other end, they'll
get notification of the failure. if there isn't, the noise should be minimal.

hope this is helpful

alan