Selectively quarantining on virus name

mikea mikea at MIKEA.ATH.CX
Thu Aug 21 15:54:15 IST 2003


On Thu, Aug 21, 2003 at 02:29:41PM +0100, Julian Field wrote:

> Not easy to do, as actually working out the exact name of the virus is not
> easy. Yes, I know it appears that the "Silent Viruses" list appears to be
> able to do it, but actually it cheats a bit. I could use the same cheat, I
> guess.

Considering the evolutionary path we see worms/viruses following,
would it make sense to retain the current "Silent Viruses" list
for the time being, but add a "Notify About Viruses" list which
listed the ones for which infection notices should be sent, with
an eye to eventually removing "Silent Viruses" processing?

I've noticed that the past several generations of viruses have forged
"From:", HELO, "Received:", and other data, so that the sender and
true source were obfuscated. I don't expect future viruses to be any
less well-engineered, and so it won't make sense to autocomplain about
them. This, however, leads to an ever-lengthening "Silent Viruses"
list and the possibility of forgetting to add a virus name to the list
when one is in a hurry.

Does it make more sense, under the present circumstances, to default
to *not* sending an infection notice?

> Let me have a think about it. At the moment I don't have time to think, I'm
> trying to keep up with the incoming mail load. I had a sandwich, a cup of
> tea and a bottle of water for lunch. In the time it took me to eat those, I
> received 88 new emails :-( Anyone want to swap email addresses with me for
> the day?

ThanksVeryMuchButNoThanks! I expect that I'll be lucky to get a
sandwich. So far today (not quite 10 hours), 320 copies of Sobig.F,
a few Worm.BugBear.B, a couple of Trojan.Dropper.C, and it's still
just *pouring* in. All this in an org with only 3K Email boxes.

--
Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin since 1964
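The two policies argued over above (a denylist of "Silent Viruses" on top of a default of notifying, versus an allowlist of viruses to notify about on top of a default of staying silent) can be compared directly. The following is an added illustration for this thread, not MailScanner code: the `Policy` class, the `should_notify`/`count_notices`/`notified_names` functions, the shell-style pattern syntax and the sample scanner reports are all assumptions made for the example. The point it shows is the one Mike raises: under default-notify, any virus name that has not yet been added to the silent list produces an infection notice to a forged "From:" address, i.e. backscatter to an innocent third party.

```python
"""Compare a default-notify/silent-denylist policy with a
default-silent/notify-allowlist policy for virus infection notices.

Added example for the list thread; not MailScanner code.  The names,
pattern syntax and sample reports below are assumptions for illustration.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Policy:
    # If True, a virus matched by neither list gets a notice sent to the
    # (claimed, and usually forged) sender address.
    default_notify: bool
    # Case-insensitive shell-style patterns that suppress notices.
    silent: tuple
    # Case-insensitive shell-style patterns that enable notices.
    notify: tuple


def _matches(name, patterns):
    lname = name.lower()
    return any(fnmatch.fnmatchcase(lname, p.lower()) for p in patterns)


def should_notify(virus_name, policy):
    """Decide whether an infection notice goes out for this virus name.

    Precedence: an explicit silent entry wins, then an explicit notify
    entry, then the policy default.  Silent-first keeps the decision
    fail-closed if an administrator lists the same name in both.
    """
    if _matches(virus_name, policy.silent):
        return False
    if _matches(virus_name, policy.notify):
        return True
    return policy.default_notify


def notified_names(reports, policy):
    """Distinct virus names (in first-seen order) that would trigger a notice."""
    seen = []
    for name in reports:
        if should_notify(name, policy) and name not in seen:
            seen.append(name)
    return seen


def count_notices(reports, policy):
    """Number of notices (one per infected message) the policy would send."""
    return sum(1 for name in reports if should_notify(name, policy))


# Constructed sample of scanner reports, one entry per infected message.
# "Worm.Example.A" stands in for a brand-new virus nobody has had time to
# add to the silent list yet.
SAMPLE_REPORTS = [
    "Sobig.F", "Sobig.F", "Sobig.F",
    "Worm.BugBear.B",
    "Trojan.Dropper.C",
    "Worm.Example.A",
    "EICAR-Test-File",
]

# Current-style policy: notify by default, silence the known forgers.
LEGACY = Policy(default_notify=True, silent=("Sobig*", "*BugBear*"), notify=())

# Proposed policy: silent by default, notify only for listed names
# (here only the harmless EICAR test signature).
PROPOSED = Policy(default_notify=False, silent=(), notify=("EICAR*",))


if __name__ == "__main__":
    for label, pol in (("legacy", LEGACY), ("proposed", PROPOSED)):
        print(f"{label}: {count_notices(SAMPLE_REPORTS, pol)} notice(s) for "
              f"{notified_names(SAMPLE_REPORTS, pol)}")
```

With the sample above the legacy policy sends three notices (for Trojan.Dropper.C, the never-listed Worm.Example.A and the EICAR test), all to whatever "From:" the worm chose to forge; the proposed policy sends one, for the name an administrator deliberately opted in.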
