W32/Sobig.F virus header
Antony Stone
Antony at SOFT-SOLUTIONS.CO.UK
Fri Aug 22 00:53:35 IST 2003
On Friday 22 August 2003 12:39 am, Malcolm Ray wrote:
> How can I be sure that a virus hasn't figured out what form of the header
> I'm using? As I said, it requires little more than looking in the user's
> inbox.
A virus can only see a user's inbox if the user is infected, and it's only
going to fiddle around with the headers of email on anything it sends out.
As a measure for preventing incoming viruses, checking the headers of
incoming emails still seems useful.
> There are two separate issues here: incoming mail, and outgoing mail.
Definitely.
> In the case of incoming mail, one can certainly argue that adding the
> header is useful. If the site's mail topology ensures that all mail
> arriving from 'outside' must pass through MailScanner, and all intra-site
> mail normally does so too, the absence of the header on a message arriving
> in your inbox is a danger sign. However, if your intra-site mail doesn't
> pass through MailScanner, neither the presence nor absence of the header
> carries any information for such mail, as far as I can see.
That's a fair enough comment. I happen to prefer scanning *everything*
before it enters a user's mailbox, whether it originates from another
internal user, or from the outside world, but I can imagine some people might
feel okay about not scanning internal-to-internal mail - I just hope they
never get a virus on one of their machines by some other means, as it will
then still spread like wildfire around their internal systems...
> In the case of outgoing mail (which is what I was talking about), the
> header serves no useful purpose
I agree. However it doesn't do any harm either, so why not have the benefit
of it on inbound mail, and ignore it on outbound mail?
> I have sympathy with the sites who are filtering inbound mail carrying that
> header.
I don't. They should be filtering on malicious content, not ambiguous
headers.
It's sufficiently cheap and simple to check whether a mail contains Sobig or
not that I think checking whether it has a header saying "MailScanner: found
to be clean" is completely the wrong solution to the problem.
They'd be better off filtering by (a) subject line, or (b) attachment
filename - there's only a very limited number of both of those with Sobig.
Antony.
--
The idea that Bill Gates appeared like a knight in shining armour
to lead all customers out of a mire of technological chaos
neatly ignores the fact that it was he who, by peddling
second-rate technology, led them into it in the first place.
- Douglas Adams in The Guardian, August 25, 1995
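To make the two approaches in the message above concrete, here is a small added example (not code from Antony, Malcolm or the MailScanner project) of an inbound filter that (a) treats a missing scanner header as a danger sign only for mail that arrived from outside, and (b) matches the message's subject and attachment filenames against a Sobig.F indicator list. The header name "X-MailScanner" and the subject/filename sets are assumptions: the sets are constructed stand-ins, not the authoritative indicators, so substitute the list from your AV vendor's write-up. The third sample message has a forged "clean" header, which is the case where header-based filtering is fooled and content-based filtering still catches it.

```python
"""Inbound mail filter combining a topology-aware header check with a
content check (subject / attachment filename) for a Sobig.F-style worm."""
import email
from email import policy
from email.message import EmailMessage

# Assumed header name; set this to whatever header your MailScanner adds.
SCANNER_HEADER = "X-MailScanner"

# Constructed stand-in indicator lists (NOT the real, complete Sobig.F set);
# replace them with the subjects and filenames from your AV vendor's analysis.
SOBIG_F_SUBJECTS = {"re: details", "re: thank you!", "re: wicked screensaver"}
SOBIG_F_ATTACHMENTS = {"your_document.pif", "thank_you.pif", "wicked_scr.scr"}
# Broader rule many sites apply: block these executable extensions outright.
BLOCKED_EXTENSIONS = (".pif", ".scr")


def missing_scanner_header(msg, arrived_from_outside):
    """Header check as argued in the thread: if every message from outside
    must pass through the scanner, an outside message without the header
    was not scanned. Intra-site mail may legitimately bypass the scanner,
    so the header's absence carries no information there."""
    if not arrived_from_outside:
        return False
    return msg.get(SCANNER_HEADER) is None


def matches_sobig_f(msg):
    """Content check: subject line or attachment filename from the worm's
    small fixed set. Independent of any header the sender may have forged."""
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SOBIG_F_SUBJECTS:
        return True
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in SOBIG_F_ATTACHMENTS or name.endswith(BLOCKED_EXTENSIONS):
            return True
    return False


def classify(raw, arrived_from_outside):
    """Return a verdict for a raw RFC 2822 message. Content is checked
    first, so a forged 'clean' header cannot get a worm through."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if matches_sobig_f(msg):
        return "reject-content"
    if missing_scanner_header(msg, arrived_from_outside):
        return "quarantine-unscanned"
    return "accept"


def build(subject, body, scanner_header=None, attachment=None):
    """Construct a sample message (test data, not a captured worm)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    if scanner_header:
        msg[SCANNER_HEADER] = scanner_header
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: a scanned clean message, the same message without
# the scanner header, and a worm-like message carrying a forged header.
CLEAN = build("Meeting notes", "See you Monday.",
              scanner_header="Found to be clean")
UNSCANNED = build("Meeting notes", "See you Monday.")
FORGED = build("Re: Details", "See the attached file for details.",
               scanner_header="Found to be clean",
               attachment=("your_document.pif", b"MZ\x90\x00"))

if __name__ == "__main__":
    print("clean, from outside:    ", classify(CLEAN, True))
    print("unscanned, from outside:", classify(UNSCANNED, True))
    print("unscanned, internal:    ", classify(UNSCANNED, False))
    print("forged header + .pif:   ", classify(FORGED, True))
```

Whether a message "arrived from outside" is something the MTA knows from the connecting host or the Received chain; the example takes it as a parameter so the topology assumption is explicit rather than inferred from headers the sender controls.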