Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread Chris Myers
> > And I don't assume that all other folks have poorly configured firewalls
> > that will let viruses go straight out without passing through some form
> > of SMTP relay.  Remember that the viruses have access to the infected PC's
> > settings and can pull their SMTP relay from their mail client rather
> > easily ... it's GOING to happen if it isn't already.
>
> Actually, that's old school virus behavior.  A few years ago, they would
> look up the outbound relay from the mail client and use that to send their
> mail.  Recent ones have changed to sending direct.  My guess is malware
> authors found too many of the legit mail relays were running antivirus
> software hindering their efforts so they switched to sending direct.

Which brings up one of those "Help Save The World!" points.  Configure
your firewall to block outbound SMTP except from internal mail servers.
It's simple, it's effective, it's good practice.

Anyway, I think we're pretty far down the path towards a religious war.
Either you bounce every virus, drop mass-mailing viruses, or drop all
viruses.  Personally I'm glad that I use the SpamAssassin rules for flagging
anti-virus replies, because there are a LOT of people out there bouncing
everything, and one of my mail addresses has been out there for 10 years.

Chris Myers
Networks By Design


___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread Chris Myers

- Original Message - 
From: "Ian Mitchell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 11:32 AM
Subject: Re: [Mimedefang] Need help with virus notifications


> > I use:
> >
> > return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );
> >
> > @MM means "Mass Mailer" in McAfee and Symantec engines.
> > Worm. means the same thing with ClamAV
> > HTML. means a Phishing message with ClamAV
>
> The issue I can see with this approach is that relying on the naming
> standards of a third party organization is a bit risky. What if they
> decide to name it differently, or if the worm isn't detected properly?

If you detect a mass-mailer, it's only right and proper to drop it quietly.
If the naming convention changes (which it periodically will; the
HTML.Phishing stuff is new to ClamAV) then the worst that happens is that
you bounce something you should have dropped.

My default policy is:

1) drop mass-mailers and other known forged sender viruses
2) bounce all other viruses, just in case someone really is infected and
would like to know about it.

And I don't assume that all other folks have poorly configured firewalls
that will let viruses go straight out without passing through some form of
SMTP relay.  Remember that the viruses have access to the infected PC's
settings and can pull their SMTP relay from their mail client rather easily
... it's GOING to happen if it isn't already.

Chris Myers
Networks By Design




Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread WBrown
[EMAIL PROTECTED] wrote on 12/13/2004 02:03:52 PM:

> And I don't assume that all other folks have poorly configured firewalls
> that will let viruses go straight out without passing through some form of
> SMTP relay.  Remember that the viruses have access to the infected PC's
> settings and can pull their SMTP relay from their mail client rather easily
> ... it's GOING to happen if it isn't already.

Actually, that's old school virus behavior.  A few years ago, they would 
look up the outbound relay from the mail client and use that to send their 
mail.  Recent ones have changed to sending direct.  My guess is malware 
authors found too many of the legit mail relays were running antivirus 
software hindering their efforts so they switched to sending direct.


Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread WBrown
[EMAIL PROTECTED] wrote on 12/13/2004 09:26:25 AM:

> Take the time to identify whether the message is a mass-mailer that
> falsifies the sender's address.  This is simple to do, and it avoids
> attacking an innocent (remember, the bounce might include the infected
> attachment ... and the bounce is going to the one person in the world who
> DID NOT send the virus in the first place).

Given that nearly all of the current viruses use their own internal SMTP 
engines to send directly, a 550 will just kill the virus.  It will only 
harass an innocent third party if the infected email is relayed through a 
normal mail server. 

Under that situation, I do not feel guilty about that person because I am 
not generating the mail, all I am doing is refusing to accept delivery of 
it. 



Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread Ian Mitchell
> Date: Mon, 13 Dec 2004 08:26:25 -0600
> From: "Chris Myers" <[EMAIL PROTECTED]>
> Subject: Re: [Mimedefang] Need help with virus notifications
>
> Take the time to identify whether the message is a mass-mailer that
> falsifies the sender's address.  This is simple to do, and it avoids
> attacking an innocent (remember, the bounce might include the infected
> attachment ... and the bounce is going to the one person in the world who
> DID NOT send the virus in the first place).
>
> The exact strings to look for in the virus name vary somewhat by vendor,
> but
> I use:
>
> return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );
>
> @MM means "Mass Mailer" in McAfee and Symantec engines.
> Worm. means the same thing with ClamAV
> HTML. means a Phishing message with ClamAV

The issue I can see with this approach is that relying on the naming
standards of a third party organization is a bit risky. What if they
decide to name it differently, or if the worm isn't detected properly? It
would be more appropriate to reject it with an action_bounce giving the
550 denied error with an appropriate message that lets the sender know why
it wasn't sent. That way if they send a manual Word document that just
happened to have a funky auto_start macro (eek!) that tripped a virus scan,
they would know. If it was a mindless drone on grandma's PC, then no harm
would be done.

And as for phishing messages detected by clamav, who the heck cares if
they get bounced. Less noise in the long run! If you bounce a message,
just make sure the justification reason given to the end user is
sufficient for them to correct the issue and resend.





Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread Chris Myers

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 7:16 AM
Subject: Re: [Mimedefang] Need help with virus notifications


> [EMAIL PROTECTED] wrote on 12/10/2004 09:54:47 PM:
>
> > As a matter of policy, I reject (550 SMTP reject) any virus infected or
> > bad_filename emails.  if there's a legitimate user at the other end,
> > they'll get notification of the failure.  if there isn't, the noise
> > should be minimal.

Take the time to identify whether the message is a mass-mailer that
falsifies the sender's address.  This is simple to do, and it avoids
attacking an innocent (remember, the bounce might include the infected
attachment ... and the bounce is going to the one person in the world who
DID NOT send the virus in the first place).

The exact strings to look for in the virus name vary somewhat by vendor, but
I use:

return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );

@MM means "Mass Mailer" in McAfee and Symantec engines.
Worm. means the same thing with ClamAV
HTML. means a Phishing message with ClamAV

If the virus doesn't match one of those strings, then you can
action_bounce(...) without being "part of the problem" like many of the
commercial A/V e-mail scanners.

Chris Myers
Networks By Design
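A filter_end that applies the policy Chris describes (quietly discard mass-mailers, SMTP-reject everything else), as an added example that is not Chris's filter and not code from the MIMEDefang distribution. It assumes the standard MIMEDefang filter API of the period: message_contains_virus() populating $VirusName, $Sender and $RelayAddr set by mimedefang.pl, action_discard(), action_bounce(reply, code, dsn) and md_syslog(). The three name patterns are the ones quoted above; the 554/5.7.1 reply and the log wording are chosen here, not taken from the thread.

```perl
# mimedefang-filter fragment (added example, not from the thread)
use strict;
use warnings;

# These globals are provided by mimedefang.pl when it loads the filter;
# declaring them with 'our' only lets this file compile under 'use strict'.
our ($VirusName, $Sender, $RelayAddr);

# Vendor naming conventions quoted in the thread. They are heuristics on
# signature names, not a standard, so re-check them after scanner upgrades.
my @MassMailerPatterns = (
    qr/^Worm\./i,   # ClamAV: Worm.*  (mass mailer)
    qr/\@MM/i,      # McAfee/Symantec: "@MM" suffix = mass mailer ('@' is
                    # escaped so Perl does not interpolate an array named @MM)
    qr/^HTML\./i,   # ClamAV: HTML.Phishing.* (forged sender, nobody to notify)
);

# Map a scanner's virus name to a disposition:
#   'discard' - sender is almost certainly forged; a reject only hits a bystander
#   'bounce'  - reject at SMTP time so a real, infected sender learns of it
sub virus_disposition {
    my ($name) = @_;
    $name = '' unless defined $name;
    for my $re (@MassMailerPatterns) {
        return 'discard' if $name =~ $re;
    }
    return 'bounce';
}

sub filter_end {
    my ($entity) = @_;

    # Runs the configured scanner(s) over the message and sets $VirusName.
    my ($code, $category, $action) = message_contains_virus();
    return unless defined $category && $category eq 'virus';

    my $what = virus_disposition($VirusName);
    md_syslog('warning', "virus $VirusName from <$Sender> via $RelayAddr: $what");

    if ($what eq 'discard') {
        # Accept at SMTP level, then drop silently: no reject, no DSN.
        return action_discard();
    }

    # action_bounce is a 5xx reply to the connecting MTA, not a message we
    # generate, so the infected attachment is never mailed anywhere by us.
    # A real sender's own MTA turns the reply into a failure notice; a worm's
    # built-in SMTP engine simply ignores it.
    return action_bounce("Message rejected: it contains the virus $VirusName",
                         554, "5.7.1");
}
```

Because the reject happens at SMTP time, the "bounce" branch never emits a message from this host; the only case in which a third party receives anything is the one WBrown describes, where an infected PC sends through its ISP's relay and that relay generates the DSN.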




Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread WBrown
[EMAIL PROTECTED] wrote on 12/10/2004 09:54:47 PM:

> As a matter of policy, I reject (550 SMTP reject) any virus infected or
> bad_filename emails.  if there's a legitimate user at the other end,
> they'll get notification of the failure.  if there isn't, the noise
> should be minimal.

I'll second Alan's suggestion on 550'ing any rejected message.  We had a 
situation where someone thought they were sending a MS Word document, but 
they were getting an error that we were rejecting it because of the file 
name.  After reviewing the logs, I found the file had an extension of URL. 
 If I had just dropped it, the sender wouldn't have known it wasn't going 
through and would have been upset at the recipient for not responding.

A virus' internal SMTP engine isn't going to care if it gets 550'ed.


Re: [Mimedefang] Need help with virus notifications

2004-12-13 Thread Ronald Vazquez NLM
Ronald Vazquez NLM wrote:
> Hello:
>
> I have been tasked with configuring MIMEDefang to allow a virus to come in
> thru the first instance, tag it with X-RrestrictedAttachment to allow our
> virus scanner to process it.  The idea is that once Trend Micro drops the
> attachment, we can scan the body with the second instance of MD and drop the
> virus notification.
>
> Why?  There are some extensions that even though they are stripped, we do
> notify our users of the action so they can take appropriate action.  This
> means that we only want to stop notifications for uncleanable attachments.
>
> Does anybody know a better way to accomplish this?  The goal is to avoid
> notifying our users of every virus-infected email we drop while still
> notifying them about a VBA file they were waiting for.
>
> Thanks in advance,
> Ronald Vazquez
Ronald,

Answer from Alan Premselaar:

  It seems to me that because of the nature of most of today's viruses,
you don't want to send any notifications if they tested positive.  Since
often the sender is forged, it's generally a bad idea to notify the
sender.  Since it's a virus, it's not usually something expected by the
recipient anyways, so the notification only adds noise to the end-user's
mailbox.

in the case of a VBA file that gets quarantined or rejected, etc.  that
could be caught with the bad_filename routines (not necessarily a virus)
 and you could choose to make notifications separate for those than your
virus handling.  Although I would still caution that rejected
bad_filenames will also hit potential virus attachments and still cause
noise down the line.

As a matter of policy, I reject (550 SMTP reject) any virus infected or
bad_filename emails.  if there's a legitimate user at the other end,
they'll get notification of the failure.  if there isn't, the noise
should be minimal.

hope this is helpful

alan


New question:

Alan:

Thank you for the answer.  My problem is that I have to follow procedure
and let the virus come in on port 25, tag it, hopefully Trend Micro
will do its job by deleting the virus, we will then scan the body,
look for the tag and MD will suppress the tagged email notification at
10025.

I am looking for help in writing a filter that would allow this
action.  Now, how could I accomplish what I just described?


Thanks in advance
Ronald Vazquez
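One way to wire up the two-instance arrangement described above, as an added example that is not Ronald's filter and not code from the MIMEDefang distribution. Everything below that the thread does not state is an assumption: the header is spelled X-RestrictedAttachment (the thread writes X-RrestrictedAttachment; any name works as long as both instances agree); each mimedefang instance loads its own copy of this file with $Stage set to 'inbound' in the port 25 instance and 'after-av' in the port 10025 instance; Trend Micro leaves headers it did not add in place; and the standard MIMEDefang calls message_contains_virus(), action_add_header(), action_delete_all_headers(), action_discard() and md_syslog() are available. The second stage looks for the tag in the headers rather than in the body.

```perl
# mimedefang-filter fragment (added example, not from the thread)
use strict;
use warnings;

our ($VirusName, $Sender);           # set by mimedefang.pl

# Assumption: each mimedefang instance loads this file with its own value.
#   'inbound'  = instance fed by the port 25 sendmail (before Trend Micro)
#   'after-av' = instance fed by the port 10025 sendmail (after Trend Micro)
my $Stage = 'inbound';

# Header shared between the two instances (assumed name, see lead-in).
my $Tag = 'X-RestrictedAttachment';

# True if the message carries our tag. $entity is the MIME::Entity that
# MIMEDefang passes to filter_end; head->get() returns undef when absent.
sub has_tag {
    my ($entity) = @_;
    my $v = $entity->head->get($Tag);
    return defined $v && $v =~ /\S/ ? 1 : 0;
}

sub filter_end {
    my ($entity) = @_;

    if ($Stage eq 'inbound') {
        # Never trust a tag supplied from outside: strip any copies first,
        # otherwise a remote sender could pre-tag mail and have it dropped.
        action_delete_all_headers($Tag) if has_tag($entity);

        my ($code, $category, $action) = message_contains_virus();
        if (defined $category && $category eq 'virus') {
            # Tag and let the message continue so the downstream scanner
            # can strip the attachment; the after-av instance then sees the
            # tag and discards the resulting notification.
            md_syslog('info', "tagging virus $VirusName from <$Sender> for downstream handling");
            action_add_header($Tag, "virus $VirusName");
        }
        # Clean messages, including ones whose bad_filename attachments get
        # stripped downstream, stay untagged so their notices reach the user.
        return;
    }

    # after-av stage: only tagged messages are suppressed.
    if (has_tag($entity)) {
        md_syslog('info', "discarding notification for tagged message from <$Sender>");
        return action_discard();
    }
    return;
}
```

If the downstream scanner turns out to rewrite or drop unknown headers, the tag never reaches the 10025 instance and every notification is delivered; check the headers of one stripped message end to end before relying on this.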



Re: [Mimedefang] Need help with virus notifications

2004-12-10 Thread alan premselaar
Ronald Vazquez NLM wrote:
> Hello:
> 
> I have been tasked with configuring MIMEDefang to allow a virus to come in 
> thru the first instance, tag it with X-RrestrictedAttachment to allow our 
> virus scanner to process it.  The idea is that once Trend Micro drops the 
> attachment, we can scan the body with the second instance of MD and drop the 
> virus notification.
> 
> Why?  There are some extensions that even though they are stripped, we do 
> notify our users of the action so they can take appropriate action.  This 
> means that we only want to stop notifications for uncleanable attachments.
> 
> Does anybody know a better way to accomplish this?  The goal is to avoid 
> notifying our users of every virus-infected email we drop while still 
> notifying them about a VBA file they were waiting for.
> 
> Thanks in advance,
> Ronald Vazquez
Ronald,

  It seems to me that because of the nature of most of today's viruses,
you don't want to send any notifications if they tested positive.  Since
often the sender is forged, it's generally a bad idea to notify the
sender.  Since it's a virus, it's not usually something expected by the
recipient anyways, so the notification only adds noise to the end-user's
mailbox.

In the case of a VBA file that gets quarantined or rejected, etc., that
could be caught with the bad_filename routines (not necessarily a virus)
and you could choose to make notifications separate for those than your
virus handling.  Although I would still caution that rejected
bad_filenames will also hit potential virus attachments and still cause
noise down the line.

As a matter of policy, I reject (550 SMTP reject) any virus infected or
bad_filename emails.  If there's a legitimate user at the other end,
they'll get notification of the failure.  If there isn't, the noise
should be minimal.

hope this is helpful

alan