W32/Sobig.F virus header

Malcolm Ray M.Ray at ULCC.AC.UK
Fri Aug 22 11:29:01 IST 2003


> On Friday 22 August 2003 12:39 am, Malcolm Ray wrote:
>
> > How can I be sure that a virus hasn't figured out what form of the header
> > I'm using?  As I said, it requires little more than looking in the user's
> > inbox.
>
> A virus can only see a user's inbox if the user is infected, and it's only
> going to fiddle around with the headers of email on anything it sends out.
>
> As a measure for preventing incoming viruses, checking the headers of
> incoming emails still seems useful.

I think we're talking at cross purposes.  I'm not particularly concerned
about local mail, it's the impact on outbound mail I'm dealing with.

[snip]

> > In the case of outgoing mail (which is what I was talking about), the
> > header serves no useful purpose
>
> I agree.  However it doesn't do any harm either, so why not have the benefit
> of it on inbound mail, and ignore it on outbound mail?

You'll need to take that up with the sites who are filtering based on the
header, not me.

> > I have sympathy with the sites who are filtering inbound mail carrying that
> > header.
>
> I don't.  They should be filtering on malicious content, not ambiguous
> headers.
>
> It's sufficiently cheap and simple to check whether a mail contains Sobig or
> not that I think checking whether it has a header saying "MailScanner: found
> to be clean" is completely the wrong solution to the problem.
>
> They'd be better off filtering by (a) subject line, or (b) attachment
> filename - there's only a very limited number of both of those with Sobig.

That's a decision each site needs to take for themselves.  If someone's in
the middle of a bombardment, they may go for a quick and dirty solution.
You or I may disagree with the decision made by some remote sites to filter
based on the header alone, but the fact remains that there are sites doing so,
and there may well be more in future.  I can't control what remote sites do,
but I can control what our systems do.  If users come to me and say "none
of our mail is getting through to sites x, y and z", I can (a) say "sorry,
those sites are administered by morons, I suggest you use the phone instead",
or (b) I can configure our end to avoid the problem.  Since (a) is likely to send
the users away thinking that our choice of software (or the way we've
configured it) is responsible for their communication troubles, and (b) is
easy, I know which I prefer.

I'm trying to think of the future here.  If I configure MailScanner to add
'X-%org-name%-MailScanner: Found to be clean', that avoids the immediate
problem.  But if many sites use this format, it's not unlikely that a future
virus will use 'X-$random_string-MailScanner: Found to be clean', some
sites will then filter on the invariant part, and we're back to square one.
There are two obvious choices: either change the header more radically so
that there's less in common between the headers used by MailScanner users,
or arrange to drop the header from mail leaving the organisation.  I think
both of these options are equally valid.  The former is easier (each site
just invents an X- header and its contents), while the latter directly
addresses the fact that the header has no value on outbound mail.
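As an added illustration of the two options weighed above (not code from the post or from MailScanner itself), the following shows why a per-organisation or random-string header name still trips a filter written against the invariant "-MailScanner" part, and how stripping the header from outbound mail sidesteps that. The header names and the filter pattern are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List

# Constructed stand-in for a remote site that filters on the invariant part
# of the header once the org-name portion varies from site to site.
INVARIANT_FILTER = re.compile(r"^X-(?:[^:\s]+-)?MailScanner$", re.IGNORECASE)

def scanner_headers(msg: Message) -> List[str]:
    """Names of all headers that would trip the invariant-part filter."""
    return [name for name in msg.keys() if INVARIANT_FILTER.match(name)]

def would_be_filtered(raw: str) -> bool:
    """Would a remote site filtering on the header alone reject this message?"""
    return bool(scanner_headers(message_from_string(raw)))

def strip_outbound_headers(raw: str) -> str:
    """The second option from the post: drop the header from mail leaving the
    organisation. Returns the rewritten message with every match removed."""
    msg = message_from_string(raw)
    for name in set(scanner_headers(msg)):
        del msg[name]  # deletes every occurrence of that header name
    return msg.as_string()

# Constructed samples: the default header, a per-org variant, and the
# random-string variant the post expects a future virus to imitate.
DEFAULT_HDR = "X-MailScanner: Found to be clean"
ORG_HDR = "X-ExampleOrg-MailScanner: Found to be clean"
RANDOM_HDR = "X-q7z1p3-MailScanner: Found to be clean"

def sample(header: str) -> str:
    """Build a minimal constructed message carrying the given header line."""
    return (
        "From: alice@example.org\n"
        "To: bob@example.net\n"
        "Subject: Meeting notes\n"
        f"{header}\n"
        "\n"
        "Notes attached.\n"
    )

if __name__ == "__main__":
    for hdr in (DEFAULT_HDR, ORG_HDR, RANDOM_HDR):
        print(hdr, "-> filtered:", would_be_filtered(sample(hdr)),
              "| after stripping:",
              would_be_filtered(strip_outbound_headers(sample(hdr))))
```

All three variants are rejected by the invariant-part filter; only the stripped outbound copy gets through, which is the point the post makes about the header having no value on mail leaving the site.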



More information about the MailScanner mailing list