W32/Sobig.F virus header

Malcolm Ray M.Ray at ULCC.AC.UK
Thu Aug 21 23:37:56 IST 2003


> At 21:53 21/08/2003, you wrote:
> >On Thu, 2003-08-21 at 21:23, PC wrote:
> >
> > >I think a more appropriate solution would be the implementation of a
> > >requirement making admins change such settings prior to the MailScanner
> > >process running.  When a sysadmin refuses to change such values,
> > >MailScanner will die upon startup.
> >
> >I don't think this is such a serious issue to require such measures.
> >Can I suggest a compromise...
> >
> >Add the following lines to MailScanner.conf...
> >
> ># Enter a short identifying name for your organisation below, this is
> ># used to make the X-MailScanner headers unique for your organisation.
> ># Multiple servers within one site should use an identical value here
> ># to avoid adding multiple redundant headers where mail has passed
> ># through several servers within your organisation.
> >%org-name% =
> >
> >Then change the following lines as shown...
> >
> >Mail Header = X-%org-name%-MailScanner:
> >
> >Spam Header = X-%org-name%-MailScanner-SpamCheck:
> >
> >Spam Score Header = X-%org-name%-MailScanner-SpamScore:
> >
> >Information Header = X-%org-name%-MailScanner-Information:
>
> Very good idea. Done. And I set "%org-name% = yoursite" to encourage them
> to change it too.

So a future virus just needs to check your inbox to find what variant of
the header you use.

I still don't see the point of adding any such header to outgoing mail, other
than publicity (and the past few days have shown that "there's no such thing
as bad publicity" isn't true).  Why should I trust any message from a remote
site which claims to have been scanned?  Even if it's not lying, I have
no way of knowing that the sending site keeps its AV signatures up to date.

If and when I deploy MailScanner for my users, I intend to drop that header.
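
Added example, not part of the original post and not MailScanner's own code: one way a receiving gateway could act on the point above, treating every X-<org>-MailScanner header on inbound mail as an unauthenticated claim. The function name, the `yoursite` value (taken from the quoted reply) and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.message import Message

ORG_NAME = "yoursite"  # assumption: the %org-name% value set in MailScanner.conf

# Matches the four header names from the quoted config for any org name,
# e.g. X-yoursite-MailScanner or X-yoursite-MailScanner-SpamCheck.
SCANNER_HDR = re.compile(
    r"^X-(?P<org>[^:\s]+?)-MailScanner"
    r"(?:-(?:SpamCheck|SpamScore|Information))?$",
    re.IGNORECASE,
)


def sanitize_inbound(msg: Message, org: str = ORG_NAME) -> dict:
    """Strip headers claiming our org name; report foreign ones as untrusted.

    Run on mail arriving from outside, before the local scanner adds its own
    header, so a sender-supplied "clean" claim never survives to the user.
    """
    stripped, foreign = [], []
    for name in list(msg.keys()):
        m = SCANNER_HDR.match(name)
        if not m:
            continue
        if m.group("org").lower() == org.lower():
            stripped.append(name)   # forged or stale: we have not scanned yet
        else:
            foreign.append(name)    # another site's claim: informational only
    for name in set(stripped):
        del msg[name]               # removes every occurrence of the header
    return {"stripped": sorted(stripped), "foreign_untrusted": sorted(foreign)}


SAMPLE = (  # constructed message, not real traffic
    "From: someone@example.org\n"
    "To: user@example.com\n"
    "Subject: report\n"
    "X-yoursite-MailScanner: Found to be clean\n"
    "X-othersite-MailScanner: Found to be clean\n"
    "X-othersite-MailScanner-SpamScore: ss\n"
    "\n"
    "body\n"
)


def demo():
    msg = message_from_string(SAMPLE)
    return sanitize_inbound(msg), msg.keys()
```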


