Sobig getting tagged as spam not virus

Chris Trudeau chris at TRUDEAU.ORG
Fri Aug 22 12:46:31 IST 2003


Julian...

You're right there is a bunch of thinking that will go into this...here is
some food for thought.

I'm working with a couple of commercial versions of mail scanning
solutions...(none of which can touch MailScanner for flexibility), but some
of which have interesting design concepts:

1.  Every mail should be scanned for viruses.  These statistics are useful
in determining the ebb and flow of viruses as they permeate the web.
According to ICSA last year 86% of all viruses used email as an attack
vector, so being able to plot this COULD be very valuable.

2.  If notifications were stubbed into the process flow, then overhead could
conceivably be reduced greatly.  By sending notifications and closing the
flow, then SA would never even be required.  I guess one would have to
determine which was truly more process intensive (SA or Virus).  My bet
would be SA especially if plugged into Razor and DCC.

3.  Filename/types need to be considered too.  Virus scanning SHOULD
conceivably be done before filename/type rules as well, because if you apply
disposition to each of these three basic processes...when the process
completes, then file attachments could be blocked by these rules and never
scanned.  If a user requests release from quarantine, then conceivably, a
message which was originally quarantined due to filename rules violations,
could be infected and never scanned.

4.  Notifications could be standardized during this change of processing
too.  Meaning if standard notification sequence was done and it was executed
when a rule fired...it might also decrease processing overhead.

CT



----- Original Message -----
From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Friday, August 22, 2003 4:23 AM
Subject: Re: Sobig getting tagged as spam not virus


> Unfortunately, as the spam checking is done first, you can't put a virus
> name in the ruleset deciding the spam actions :-(
>
> I need to take a look at this area and have a good think about it, which
> won't happen right now as I can't even keep up with my incoming mail, let
> alone stop and think about anything.
>
> Sounds like it would be a good idea to do the virus scanning first, then
> the spam scanning. This would mean that everything would be virus-scanned,
> even spam that was then deleted. But the cost of virus scanning extra files
> is a lot lower than the cost of spam scanning extra files, which wasn't the
> case when I first started writing MailScanner.
>
> I'll try to find time this weekend to work on it, once I have sat and
> thought about it for a couple of hours it might turn out to be trivial
> change, but I need to be *very* careful in this area.
>
> At 02:58 22/08/2003, you wrote:
> >I am very pleased that my site is not one of those spewing forth 'your
> >computer may be infected with the Sobig.F virus' reports, all due to
> >Julian's 'Silent Virus' feature. It works fine...
> >
> >But, it would appear from the comments below, and also first hand
> >observation, that a number of the Sobig emails are also getting caught by
> >MS/SA as spam. These emails are generating 'you sent us spam' reports back
> >to the sender, and of course that sender was forged by the virus.
> >
> >I am getting complaints from some sites that my MS system is hammering
> >them with rejection notices. Not 'virus infected' notices, but rather 'you
> >sent spam' notices. They are treating me like an idiot "Don't you know
> >Sobig fakes the senders address? STOP sending us these notices NOW!" kind
> >of messages.
> >
> >Being the recipient of many of these virus warnings from sites without a
> >'Silent Virus' feature, I can understand the frustration of those yelling
> >at me.
> >
> >Does anyone have a solution to this problem? Some means to recognize a
> >spam as being sent by a silent virus, such as Sobig, and not in turn
> >sending a spam rejection notice?
> >
> >Thanks!
> >-Alan
> >
> > >> >Mail with the Sobig.F message body is coming in with and without an
> > >> >attachment, therefore we get {SPAM?} or  {VIRUS?} tagged e-mail. The
> > >> >score for the spam messages is the same 5.9.
> >
> > >>If a message contains a silent virus but also registers as spam, would it
> > >>be delivered? (seems so in this case)
> > >
> >
> >
> >
> > >The virus-infected messages and the spam messages are separate. They are
> > >all caused by the same thing, but don't expect all this mail to be
> > >virus-infected, it's not.
> > >--
> > >Julian Field
> > >www.MailScanner.info
> > >MailScanner thanks transtec Computers for their support
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
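A toy model of the two processing orders argued over in this thread, added here as an illustration and not MailScanner code: spam-first (the current order, where the spam-action ruleset cannot see a virus name and so bounces a notice to the forged sender) against virus-first with a silent-virus rule and filename rules applied only after the scan. The Message/process names, the virus-scan stub, the blocked-extension list and the sample values are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-ins (assumptions): detections whose sender is forged, and
# a filename rule of the kind point 3 above refers to.
SILENT_VIRUSES = {"Sobig.F"}
BLOCKED_EXTENSIONS = (".pif", ".scr")

@dataclass
class Message:
    sender: str
    attachment: Optional[str]
    spam_score: float

@dataclass
class Disposition:
    actions: List[str] = field(default_factory=list)
    notices: List[Tuple[str, str]] = field(default_factory=list)  # (to, why)

def virus_scan(msg: Message) -> Optional[str]:
    # Stub for the AV engine: a constructed marker tags the sample as Sobig.F.
    if msg.attachment and msg.attachment.startswith("sobig-sample"):
        return "Sobig.F"
    return None

def is_spam(msg: Message, threshold: float = 5.0) -> bool:
    return msg.spam_score >= threshold

def process(msg: Message, virus_first: bool) -> Disposition:
    d = Disposition()
    if not virus_first and is_spam(msg):
        # Spam checked first: no virus name reaches the spam-action ruleset,
        # so the "you sent us spam" notice goes back to the forged sender.
        d.actions.append("delete-spam")
        d.notices.append(("sender", "spam"))
        return d
    virus = virus_scan(msg)            # every message gets scanned
    if virus:
        d.actions.append("quarantine-virus")
        if virus not in SILENT_VIRUSES:   # silent virus: tell nobody
            d.notices.append(("sender", "virus:" + virus))
        return d                          # flow closed; SA never runs
    if msg.attachment and msg.attachment.endswith(BLOCKED_EXTENSIONS):
        d.actions.append("quarantine-filename")  # already virus-scanned
        d.notices.append(("recipient", "attachment blocked"))
        return d
    if is_spam(msg):
        d.actions.append("delete-spam")
        d.notices.append(("sender", "spam"))
    else:
        d.actions.append("deliver")
    return d
```

Running the same Sobig sample through both orders shows the difference: spam-first emits a spam notice to the forged sender, virus-first quarantines it silently and never reaches SpamAssassin.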


