Sobig getting tagged as spam not virus

Steve Evans sevans at FOUNDATION.SDSU.EDU
Fri Aug 22 15:24:43 IST 2003


Here's something to chew on.

If you virus scan first, a virus is found, MailScanner changes the
message.

How is that going to affect Bayes? 


Steve Evans
SDSU Foundation

-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK] 
Sent: Friday, August 22, 2003 6:58 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig getting tagged as spam not virus

Thanks for all of that.

I have taken a look at the code, and it's not clear cut at all as to
what is the best way of doing it.

By spam scanning first (and then deleting most of it automatically), you
remove messages from the batch before you decode all the MIME data and
virus scan them. Decoding the MIME data is quite expensive an operation.
Virus scanning them probably doesn't cost you too much so long as there
are still plenty of messages in the batch when you scan them (startup on
a virus scanner is expensive compared to running cost for each file).
You then also have to do filetype checking and filename checking on them.
Filetype checking certainly isn't free.

The alternative is that you do the MIME decoding on absolutely
everything, including all the spam. You then virus scan absolutely
everything. You then filename and filetype check everything. Then you
get rid of everything that isn't going to be delivered anywhere. Then
you do the spam scanning. So you only do the spam scanning on uninfected
messages (assuming you delete most of your spam).

So the whole argument depends on
1) How your CPU power relates to your network speed
2) What the balance is of infected mail versus spam mail
3) What you do with most of your spam (i.e. delete it or not)
4) and probably some other factors I haven't thought of yet.

So it's a very difficult choice, and one that changes with
         a) your setup, and
         b) the characteristics of your incoming mail at any given point
in time.



At 12:46 22/08/2003, you wrote:
>Julian...
>
>You're right there is a bunch of thinking that will go into this...here
>is some food for thought.
>
>I'm working with a couple of commercial versions of mail scanning 
>solutions...(none of which can touch MailScanner for flexibility), but 
>some of which have interesting design concepts:
>
>1.  Every mail should be scanned for viruses.  These statistics are 
>useful in determining the ebb and flow of viruses as they permeate the
>web.
>According to ICSA last year 86% of all viruses used email as an attack 
>vector, so being able to plot this COULD be very valuable.
>
>2.  If notifications were stubbed into the process flow, then overhead 
>could conceivably be reduced greatly.  By sending notifications and 
>closing the flow, then SA would never even be required.  I guess one 
>would have to determine which was truly more process intensive (SA or 
>Virus).  My bet would be SA especially if plugged into Razor and DCC.
>
>3.  Filename/types need to be considered too.  Virus scanning SHOULD 
>conceivably be done before filename/type rules as well, because if you 
>apply disposition to each of these three basic processes...when the 
>process completes, then file attachments could be blocked by these 
>rules and never scanned.  If a user requests release from quarantine, 
>then conceivably, a message which was originally quarantined due to 
>filename rules violations, could be infected and never scanned.
>
>4.  Notifications could be standardized during this change of 
>processing too.  Meaning if standard notification sequence was done and
>it was executed when a rule fired...it might also decrease processing
>overhead.
>
>CT
>
>
>
>----- Original Message -----
>From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Friday, August 22, 2003 4:23 AM
>Subject: Re: Sobig getting tagged as spam not virus
>
>
> > Unfortunately, as the spam checking is done first, you can't put a 
> > virus name in the ruleset deciding the spam actions :-(
> >
> > I need to take a look at this area and have a good think about it, 
> > which won't happen right now as I can't even keep up with my 
> > incoming mail, let alone stop and think about anything.
> >
> > Sounds like it would be a good idea to do the virus scanning first, 
> > then the spam scanning. This would mean that everything would be 
> > virus-scanned, even spam that was then deleted. But the cost of 
> > virus scanning extra files
> > is a lot lower than the cost of spam scanning extra files, which 
> > wasn't the
> > case when I first started writing MailScanner.
> >
> > I'll try to find time this weekend to work on it, once I have sat 
> > and thought about it for a couple of hours it might turn out to be 
> > trivial change, but I need to be *very* careful in this area.
> >
> > At 02:58 22/08/2003, you wrote:
> > >I am very pleased that my site is not one of those spewing forth 
> > >'your computer may be infected with the Sobig.F virus' reports, all 
> > >due to Julian's 'Silent Virus' feature. It works fine...
> > >
> > >But, it would appear from the comments below, and also first hand 
> > >observation, that a number of the Sobig emails are also getting 
> > >caught by MS/SA as spam. These emails are generating 'you sent us 
> > >spam' reports back
> > >to the sender, and of course that sender was forged by the virus.
> > >
> > >I am getting complaints from some sites that my MS system is 
> > >hammering them with rejection notices. Not 'virus infected' 
> > >notices, but rather 'you
> > >sent spam' notices. They are treating me like an idiot "Don't you 
> > >know Sobig fakes the senders address? STOP sending us these notices
> > >NOW!" kind of messages.
> > >
> > >Being the recipient of many of these virus warnings from sites 
> > >without a 'Silent Virus' feature, I can understand the frustration 
> > >of those yelling at me.
> > >
> > >Does anyone have a solution to this problem? Some means to 
> > >recognize a spam as being sent by a silent virus, such as Sobig, 
> > >and not in turn sending a spam rejection notice?
> > >
> > >Thanks!
> > >-Alan
> > >
> > > >> >Mail with the Sobig.F message body is coming in with and 
> > > >> >without an attachment, therefore we get {SPAM?} or  {VIRUS?} 
> > > >> >tagged e-mail. The score
> > > >> >for the spam messages is the same 5.9.
> > >
> > > >>If a message contains a silent virus but also registers as spam,
> > > >>would it
> > > >>be delivered? (seems so in this case)
> > > >
> > >
> > >
> > >
> > > >The virus-infected messages and the spam messages are separate. 
> > > >They are
> > > >all caused by the same thing, but don't expect all this mail to 
> > > >be virus-infected, it's not.
> > > >--
> > > >Julian Field
> > > >www.MailScanner.info
> > > >MailScanner thanks transtec Computers for their support
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
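An added example, not MailScanner code and not written by anyone in this thread: a toy Python pipeline that runs a message through the two orderings Julian compares (spam scan first, with spam actions removing mail from the batch before MIME decoding and virus scanning; or virus scan first, with spam scanning only on uninfected mail). It shows why the spam-action ruleset can only consult a virus name when the virus scanner has already run, and how that decides whether a notice goes back to a forged sender. The Sobig.F name and the 5.9 score come from the thread; the `Message` class, the `virus_scan`/`spam_scan` stand-ins, `SILENT_VIRUSES`, `process` and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumptions (not from MailScanner): the name the scanner reports, and which
# names are treated as "silent" (forged sender, so never notify the sender).
SILENT_VIRUSES = {"Sobig.F"}
SPAM_THRESHOLD = 5.0


@dataclass
class Message:
    sender: str
    has_attachment: bool
    sobig_body: bool                 # constructed stand-in for the Sobig.F body text
    virus: Optional[str] = None      # filled in by virus_scan
    spam_score: float = 0.0          # filled in by spam_scan
    actions: List[str] = field(default_factory=list)


def virus_scan(msg: Message) -> Message:
    # Constructed scanner: only the variant carrying the attachment is infected;
    # the attachment-less variant with the same body is not a virus.
    if msg.has_attachment and msg.sobig_body:
        msg.virus = "Sobig.F"
    return msg


def spam_scan(msg: Message) -> Message:
    # Constructed scorer: the Sobig body text scores 5.9, as reported in the thread.
    msg.spam_score = 5.9 if msg.sobig_body else 0.4
    return msg


def virus_actions(msg: Message) -> None:
    if msg.virus is None:
        return
    if msg.virus in SILENT_VIRUSES:
        msg.actions.append("delete")            # silent: no notice to the forged sender
    else:
        msg.actions.extend(["delete", "notify-sender"])


def spam_actions(msg: Message) -> None:
    # The spam ruleset may consult msg.virus, but that field is only populated
    # if the virus scanner ran before this ruleset fired.
    if msg.spam_score < SPAM_THRESHOLD:
        return
    if msg.virus in SILENT_VIRUSES:
        msg.actions.append("delete")
    else:
        msg.actions.extend(["delete", "notify-sender"])   # backscatter if sender is forged


def process(msg: Message, virus_first: bool) -> Tuple[List[str], bool]:
    """Run one message through the batch pipeline in the chosen order.
    Returns (actions taken, whether the message was ever virus scanned)."""
    if virus_first:
        virus_scan(msg)
        virus_actions(msg)
        if "delete" not in msg.actions:         # only uninfected mail reaches spam scanning
            spam_scan(msg)
            spam_actions(msg)
        return msg.actions, True
    spam_scan(msg)
    spam_actions(msg)
    if "delete" in msg.actions:                 # removed from the batch before MIME decode / AV
        return msg.actions, False
    virus_scan(msg)
    virus_actions(msg)
    return msg.actions, True


if __name__ == "__main__":
    # Constructed sample traffic: the two Sobig.F variants from the thread plus clean mail.
    samples = {
        "infected, attachment": lambda: Message("forged@example.invalid", True, True),
        "same body, no attachment": lambda: Message("forged@example.invalid", False, True),
        "clean": lambda: Message("someone@example.invalid", False, False),
    }
    for label, make in samples.items():
        for order in (True, False):
            actions, scanned = process(make(), virus_first=order)
            print(f"{label:26s} virus_first={order!s:5s} actions={actions} av_scanned={scanned}")
```

Running it shows the infected message under spam-first being deleted with a "notify-sender" action and never reaching the virus scanner (the case Alan complains about, and CT's point 3), while under virus-first it is silently deleted. The attachment-less variant with the same body still scores as spam in both orders and is never a virus, which is why Julian notes the two sets of messages are separate; suppressing notices for those would need a rule on something other than the virus name, which the thread does not settle.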