W32/Sobig.F virus header

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Fri Aug 22 00:53:35 IST 2003


On Friday 22 August 2003 12:39 am, Malcolm Ray wrote:

> How can I be sure that a virus hasn't figured out what form of the header
> I'm using?  As I said, it requires little more than looking in the user's
> inbox.

A virus can only see a user's inbox if the user is infected, and it's only
going to fiddle around with the headers of email on anything it sends out.

As a measure for preventing incoming viruses, checking the headers of
incoming emails still seems useful.

> There are two separate issues here: incoming mail, and outgoing mail.

Definitely.

> In the case of incoming mail, one can certainly argue that adding the
> header is useful.  If the site's mail topology ensures that all mail
> arriving from 'outside' must pass through MailScanner, and all intra-site
> mail normally does so too, the absence of the header on a message arriving
> in your inbox is a danger sign.  However, if your intra-site mail doesn't
> pass through MailScanner, neither the presence nor absence of the header
> carries any information for such mail, as far as I can see.

That's a fair enough comment.   I happen to prefer scanning *everything*
before it enters a user's mailbox, whether it originates from another
internal user, or from the outside world, but I can imagine some people might
feel okay about not scanning internal-to-internal mail - I just hope they
never get a virus on one of their machines by some other means, as it will
then still spread like wildfire around their internal systems...

> In the case of outgoing mail (which is what I was talking about), the
> header serves no useful purpose

I agree.   However it doesn't do any harm either, so why not have the benefit
of it on inbound mail, and ignore it on outbound mail?

> I have sympathy with the sites who are filtering inbound mail carrying that
> header.

I don't.   They should be filtering on malicious content, not ambiguous
headers.

It's sufficiently cheap and simple to check whether a mail contains Sobig or
not that I think checking whether it has a header saying "MailScanner: found
to be clean" is completely the wrong solution to the problem.

They'd be better off filtering by (a) subject line, or (b) attachment
filename - there's only a very limited number of both of those with Sobig.

Antony.

--

The idea that Bill Gates appeared like a knight in shining armour
to lead all customers out of a mire of technological chaos
neatly ignores the fact that it was he who, by peddling
second-rate technology, led them into it in the first place.

 - Douglas Adams in The Guardian, August 25, 1995



More information about the MailScanner mailing list