Re: Using spam tools for viruses
Thomas Cameron wrote:

> Howdy - I recently responded to a thread on a local LUG mailing list where a guy wanted to report a virus as spam. I have always thought that using a spam tool to fight viruses was wrong, and I said so. He asked why, and basically my response was use the right tool for the job, as in use a virus tool for viruses, and use a spam tool for spam. What is the conventional wisdom on this list? Should viruses be reported as spam? If so, why? If not, why not? Thanks! Thomas

Thomas, here's my 2 cents worth. It seems like you have two separate scenarios you're talking about here: actual virus protection and, separately, reporting.

I personally think it's important (also) to use the right tools for the right job, therefore I use both anti-virus software *AND* anti-spam software. It's also important to understand what these products do and what their individual limitations are and how to get them to complement each other in your installation.

With regard to reporting a virus as spam, if the virus is sending an email that is spammy, I think it doesn't hurt to record and report those emails as spam. It will help to train your Bayesian database and also help community services (i.e. DCC, Spamcop, Razor, etc.) to provide information about the characteristics of that mail. HOWEVER; reporting the virus signature is a different story. I don't think the actual virus signature should be reported as spam.

Lastly, there's the general logic of: do you want one product that does a whole bunch of things but in a mediocre way? Or do you want a bunch of products that do one thing really, really well?

alan
Re: Using spam tools for viruses
On Mon, 24 Oct 2005, [EMAIL PROTECTED] whispered secretively:

> I'm not sure what the SA folks think about this nowadays. A while back, they removed the checks for MS executables as being spam indicators even though the test actually is a very good indicator of spam.

That's because it didn't work very well. The new AntiVirus plugin does a much better job, but note that it is *not* an antivirus plugin despite the name: it's a suspect-extension-and-content-type detector, so if your users are in the habit of mailing executables or PowerPoint documents or things of that nature around, the plugin will cause FPs.

> Instead, SA is detecting email worms via the Bayesian analysis, detecting keywords that match MS executables, even though it doesn't do anywhere near as good a job.

That's because there aren't many such keywords.

> Email worms are one of the most dangerous and destructive forms of UBE. They directly lead to open proxies that are used for regular spam. IMHO, they should be paid *more* attention to than regular spam, not less.

The problem is that the properties of worms are totally different to the properties of spam. Spam is wildly variable but intended to contain components that are read by human beings, and the vast majority of SpamAssassin's rules look for things on that basis. Worms are vast lumps of mostly-invariant binary data: the regex rules, the URIBL system, and the Bayesian analyzer are mostly useless on them, and that doesn't really leave very much bar header analysis (and half of those rules are useless on worms too). SA has *no* facilities for spotting patterns in big lumps of binary data, let alone automated partial disassembly and static behavioural analysis routines, unpackers for UPX and OLE unpackers and so on, like many virus scanners have. There is almost no overlap between the jobs they have to do, or between the nature of the emails they trap.

Plus, even with the sa-update system, worms change so fast that, with SA's regex matching and URIBL rendered useless by the binary-lump nature of worms, SA would never spot most new worms. (The only reason it spots most spam is because rules that caught old spam often catch new spam too. Rules meant to catch old worms pretty much *never* catch new ones unless, like the MICROSOFT_EXECUTABLE rule, they're so general that they could easily catch lots of stuff that isn't wormy as well.)

Plus, worms are often so large that scanning them with SA is astonishingly inefficient. SA is many, many times slower than a dedicated tool like clamav and can never do as good a job as one of them. SA would need *tens of thousands* of individually crafted anti-worm rules to do as good a job as clamav --- and that's *orders of magnitude* more rules than SA has right now. It'd become unimaginably slow and immensely bloated, and would *still* do a bad job.

So even though they're UBE, executable lumps aren't something that SA can efficiently spot. (Equally, though, sometimes antivirus tools like clamav start attacking things that perhaps they shouldn't: clamav catches some phishing scams, so those of us with corpuses have had to stop it rejecting such mails lest it bias the corpuses, as SA *is* intended to catch phish.)

-- 
`Gun-wielding recluse gunned down by local police isn't the epitaph I want. I am hoping for Witnesses reported the sound up to two hundred kilometers away or Last body part finally located.' --- James Nicoll
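To make the "suspect-extension-and-content-type detector" point concrete, here is an added example (written for this page; it is not SpamAssassin's AntiVirus plugin nor derived from it) that walks a MIME message and flags attachments purely by file extension and declared content type. The extension and content-type lists are constructed for the example, not the plugin's real tables. Run over three constructed messages, it flags a `.scr` attachment, but it flags a legitimate PowerPoint deck just the same, which is exactly the false-positive behaviour the reply warns about when users routinely mail executables or Office documents around.

```python
"""Added example: a naive suspect-extension / content-type attachment
detector, to show what it catches and why it false-positives.
This is illustrative code, not SpamAssassin's own plugin."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed lists for this example: extensions and declared MIME types that
# often carry executable content. A real deployment would tune these to the
# kinds of files the user population legitimately exchanges.
SUSPECT_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "ppt", "doc"}
SUSPECT_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/octet-stream",
    "application/vnd.ms-powerpoint",
}


def suspect_parts(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (filename, content_type, reason) for each non-multipart part
    whose filename extension or declared content type is on a suspect list.
    Note that nothing here inspects the attachment bytes themselves."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        reasons = []
        if ext in SUSPECT_EXTENSIONS:
            reasons.append(f"extension .{ext}")
        if ctype in SUSPECT_CONTENT_TYPES:
            reasons.append(f"content-type {ctype}")
        if reasons:
            hits.append((filename, ctype, "; ".join(reasons)))
    return hits


def build_message(filename: str, ctype: str, payload: bytes) -> bytes:
    """Construct a sample message carrying one attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: a worm-like screensaver, a legitimate slide deck,
    # and a plain text note. The first two are indistinguishable to this check.
    samples = {
        "worm-like": build_message("invoice.scr", "application/octet-stream", b"MZ\x90\x00"),
        "legit deck": build_message("q3-results.ppt", "application/vnd.ms-powerpoint", b"\xd0\xcf\x11\xe0"),
        "plain note": build_message("notes.txt", "text/plain", b"hello"),
    }
    for label, raw in samples.items():
        print(label, "->", suspect_parts(raw) or "no hits")
```

The deck and the worm-like file produce identical verdicts because the check never looks inside the attachment; that is why a dedicated scanner with signatures and unpackers, rather than a header-and-extension heuristic, is the tool the reply recommends for actual worm detection.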
Using spam tools for viruses
Howdy - I recently responded to a thread on a local LUG mailing list where a guy wanted to report a virus as spam. I have always thought that using a spam tool to fight viruses was wrong, and I said so. He asked why, and basically my response was use the right tool for the job, as in use a virus tool for viruses, and use a spam tool for spam. What is the conventional wisdom on this list? Should viruses be reported as spam? If so, why? If not, why not? Thanks! Thomas
Re: Using spam tools for viruses
Thomas Cameron wrote:

> Howdy - I recently responded to a thread on a local LUG mailing list where a guy wanted to report a virus as spam. I have always thought that using a spam tool to fight viruses was wrong, and I said so. He asked why, and basically my response was use the right tool for the job, as in use a virus tool for viruses, and use a spam tool for spam. What is the conventional wisdom on this list? Should viruses be reported as spam? If so, why? If not, why not? Thanks! Thomas

Yes and no. Normally what I do if a host is streaming out many viruses to my server, and its IP address is in a US-based range owned by an ISP I recognize, I'll usually call their ISP and tell them that one of their customers is infected, and it would be nice to let them know before they are RBL'd (not talking about res dynamic accounts, RBLs handle that.) 9 times out of 10, the stream of viruses stops. I won't report them for spam, because often enough, it's a SOHO that has one computer infected. Things happen (they shouldn't if everyone was a perfect admin, but we're human) and often times, there is no administrator on site to handle the normal biz of systems admin.

I don't use SA for virus scanning -- it is not for that. I use clamav mostly for that purpose, and it has worked well for me for quite some time. SA isn't as efficient as clamav is at detecting viruses (amount of memory/CPU.) Like you said, right tool, right job.

There is the matter of virus notifications -- these are spam. I don't want to hear if someone spoofed my address, and sent you a bazillion emails with a virus attached -- not my problem. Check my SPF records, that sender is not in the allowed list to send mails from. These I do report.

-- 
Thanks, JamesDR
Re: Using spam tools for viruses
In [EMAIL PROTECTED] Thomas Cameron [EMAIL PROTECTED] writes:

> I recently responded to a thread on a local LUG mailing list where a guy wanted to report a virus as spam. [...] What is the conventional wisdom on this list? Should viruses be reported as spam? If so, why? If not, why not?

I think it is very important to distinguish between different types of viruses and worms. An anti-spam tool is not going to be very effective or useful in locating and removing viruses and worms that infect things like MS Word documents, spreadsheets, and legitimate executables that have been corrupted with a virus. These are worms and viruses that propagate via other means that just happen to be in email.

Viruses and worms that propagate via email, such as Klez, Mydoom, etc. are Bulk, Unsolicited Email (aka UBE), and thus are hard for anti-spam tools to *NOT* detect.

For reasons I have never agreed with, many people view email worms to not be spam. Some of these people think that only UCE is spam. Others seem to think that it is unfair to report infected machines as sending spam. This is slowly changing. Spamcop, for example, has changed their policy and now lets you report email worms as spam. Abuse desks (that would act on regular spam) are no longer dismissing complaints about infected machines and are taking actions to get these machines fixed.

I'm not sure what the SA folks think about this nowadays. A while back, they removed the checks for MS executables as being spam indicators even though the test actually is a very good indicator of spam. Instead, SA is detecting email worms via the Bayesian analysis, detecting keywords that match MS executables, even though it doesn't do anywhere near as good a job.

Email worms are one of the most dangerous and destructive forms of UBE. They directly lead to open proxies that are used for regular spam. IMHO, they should be paid *more* attention to than regular spam, not less.

-wayne