Sobig getting tagged as spam not virus

Julian Field mailscanner at ecs.soton.ac.uk
Fri Aug 22 14:58:18 IST 2003


Thanks for all of that.

I have taken a look at the code, and it's not clear cut at all as to what
is the best way of doing it.

By spam scanning first (and then deleting most of it automatically), you
remove messages from the batch before you decode all the MIME data and
virus scan them. Decoding the MIME data is quite an expensive operation.
Virus scanning them probably doesn't cost you too much so long as there are
still plenty of messages in the batch when you scan them (startup on a
virus scanner is expensive compared to running cost for each file). You
then also have to do filetype checking and filename checking. Filetype
checking certainly isn't free.

The alternative is that you do the MIME decoding on absolutely everything,
including all the spam. You then virus scan absolutely everything. You then
filename and filetype check everything. Then you get rid of everything that
isn't going to be delivered anywhere. Then you do the spam scanning. So you
only do the spam scanning on uninfected messages (assuming you delete most
of your spam).

So the whole argument depends on
1) How your CPU power relates to your network speed
2) What the balance is of infected mail versus spam mail
3) What you do with most of your spam (i.e. delete it or not)
4) and probably some other factors I haven't thought of yet.

So it's a very difficult choice, and one that changes with
  a) your setup, and
  b) the characteristics of your incoming mail at any given point in time.



At 12:46 22/08/2003, you wrote:
>Julian...
>
>You're right there is a bunch of thinking that will go into this...here is
>some food for thought.
>
>I'm working with a couple of commercial versions of mail scanning
>solutions...(none of which can touch MailScanner for flexibility), but some
>of which have interesting design concepts:
>
>1.  Every mail should be scanned for viruses.  These statistics are useful
>in determining the ebb and flow of viruses as they permeate the web.
>According to ICSA last year 86% of all viruses used email as an attack
>vector, so being able to plot this COULD be very valuable.
>
>2.  If notifications were stubbed into the process flow, then overhead could
>conceivably be reduced greatly.  By sending notifications and closing the
>flow, then SA would never even be required.  I guess one would have to
>determine which was truly more process intensive (SA or Virus).  My bet
>would be SA especially if plugged into Razor and DCC.
>
>3.  Filename/types need to be considered too.  Virus scanning SHOULD
>conceivably be done before filename/type rules as well, because if you apply
>disposition to each of these three basic processes...when the process
>completes, then file attachments could be blocked by these rules and never
>scanned.  If a user requests release from quarantine, then conceivably, a
>message which was originally quarantined due to filename rules violations,
>could be infected and never scanned.
>
>4.  Notifications could be standardized during this change of processing
>too.  Meaning if standard notification sequence was done and it was executed
>when a rule fired...it might also decrease processing overhead.
>
>CT
>
>
>
>----- Original Message -----
>From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Friday, August 22, 2003 4:23 AM
>Subject: Re: Sobig getting tagged as spam not virus
>
>
> > Unfortunately, as the spam checking is done first, you can't put a virus
> > name in the ruleset deciding the spam actions :-(
> >
> > I need to take a look at this area and have a good think about it, which
> > won't happen right now as I can't even keep up with my incoming mail, let
> > alone stop and think about anything.
> >
> > Sounds like it would be a good idea to do the virus scanning first, then
> > the spam scanning. This would mean that everything would be virus-scanned,
> > even spam that was then deleted. But the cost of virus scanning extra files
> > is a lot lower than the cost of spam scanning extra files, which wasn't the
> > case when I first started writing MailScanner.
> >
> > I'll try to find time this weekend to work on it, once I have sat and
> > thought about it for a couple of hours it might turn out to be trivial
> > change, but I need to be *very* careful in this area.
> >
> > At 02:58 22/08/2003, you wrote:
> > >I am very pleased that my site is not one of those spewing forth 'your
> > >computer may be infected with the Sobig.F virus' reports, all due to
> > >Julian's 'Silent Virus' feature. It works fine...
> > >
> > >But, it would appear from the comments below, and also first hand
> > >observation, that a number of the Sobig emails are also getting caught by
> > >MS/SA as spam. These emails are generating 'you sent us spam' reports back
> > >to the sender, and of course that sender was forged by the virus.
> > >
> > >I am getting complaints from some sites that my MS system is hammering
> > >them with rejection notices. Not 'virus infected' notices, but rather 'you
> > >sent spam' notices. They are treating me like an idiot "Don't you know
> > >Sobig fakes the sender's address? STOP sending us these notices NOW!" kind
> > >of messages.
> > >
> > >Being the recipient of many of these virus warnings from sites without a
> > >'Silent Virus' feature, I can understand the frustration of those yelling
> > >at me.
> > >
> > >Does anyone have a solution to this problem? Some means to recognize a
> > >spam as being sent by a silent virus, such as Sobig, and not in turn
> > >sending a spam rejection notice?
> > >
> > >Thanks!
> > >-Alan
> > >
> > > >> >Mail with the Sobig.F message body is coming in with and without an
> > > >> >attachment, therefore we get {SPAM?} or {VIRUS?} tagged e-mail. The score
> > > >> >for the spam messages is the same 5.9.
> > >
> > > >>If a message contains a silent virus but also registers as spam, would it
> > > >>be delivered? (seems so in this case)
> > > >
> > > >The virus-infected messages and the spam messages are separate. They are
> > > >all caused by the same thing, but don't expect all this mail to be
> > > >virus-infected, it's not.
> > > >--
> > > >Julian Field
> > > >www.MailScanner.info
> > > >MailScanner thanks transtec Computers for their support
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
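Added example (not MailScanner's own code): a toy cost model of the two batch orderings weighed in this thread, with constructed per-message costs and message mixes, showing how the cheaper order flips with the infected-versus-spam balance, and why only the virus-first order keeps 'you sent us spam' reports away from a silent virus's forged sender.

```python
from dataclasses import dataclass

# Constructed relative CPU costs per message (illustrative units, not measurements).
MIME_DECODE = 5.0     # decoding MIME is the expensive step
VIRUS_PER_FILE = 0.5  # per-file virus scanning is cheap...
VIRUS_STARTUP = 20.0  # ...but scanner startup is paid once per batch
FILETYPE_CHECK = 1.0  # filename/filetype rules are not free either
SPAM_CHECK = 8.0      # SpamAssassin (plus Razor/DCC) is the costly per-message step

@dataclass
class Msg:
    id: int
    infected: bool  # carries a silent virus such as Sobig, with a forged sender
    spammy: bool    # body also scores as spam

def spam_first(batch, delete_spam=True):
    """Spam scan first, delete spam, then decode/virus/filetype-check the rest.
    Returns (total_cost, ids whose sender gets a 'you sent us spam' report)."""
    cost = len(batch) * SPAM_CHECK
    spam_reports = [m.id for m in batch if m.spammy]  # virus result unknown here
    survivors = [m for m in batch if not (m.spammy and delete_spam)]
    if survivors:  # scanner startup is only paid if anything is left to scan
        cost += VIRUS_STARTUP + len(survivors) * (MIME_DECODE + VIRUS_PER_FILE + FILETYPE_CHECK)
    return cost, spam_reports

def virus_first(batch):
    """Decode, virus scan and filetype-check everything, drop infected mail, then
    spam scan only the survivors. No spam report goes to a virus's forged sender."""
    cost = VIRUS_STARTUP + len(batch) * (MIME_DECODE + VIRUS_PER_FILE + FILETYPE_CHECK)
    clean = [m for m in batch if not m.infected]
    cost += len(clean) * SPAM_CHECK
    spam_reports = [m.id for m in clean if m.spammy]
    return cost, spam_reports

def make_batch(n_infected, n_spam, n_clean):
    """Constructed batch: Sobig-style mail (infected and spammy), pure spam, clean mail."""
    batch = [Msg(i, True, True) for i in range(n_infected)]
    batch += [Msg(n_infected + i, False, True) for i in range(n_spam)]
    batch += [Msg(n_infected + n_spam + i, False, False) for i in range(n_clean)]
    return batch

if __name__ == "__main__":
    for mix in [(30, 40, 30), (60, 10, 30)]:  # (infected, spam, clean) counts
        batch = make_batch(*mix)
        for name, fn in [("spam-first", spam_first), ("virus-first", virus_first)]:
            cost, reports = fn(batch)
            forged = sum(1 for m in batch if m.infected and m.id in reports)
            print(f"{mix} {name:11}: cost={cost:6.1f} reports={len(reports):3} to forged senders={forged}")
```

With the constructed costs, spam-first is cheaper when spam dominates and virus-first is cheaper when Sobig-style mail dominates, but only virus-first sends zero reports to forged senders.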


