Sobig getting tagged as spam not virus

Sveinn Gunnarsson sveinn at SVEINNG.COM
Fri Aug 22 16:39:07 IST 2003


Hi all...


I just wanted to share my 2 pennies on how I'm blocking most of the Sobig-F
emails on my doorstep, without them even getting scanned, saving valuable CPU
time and keeping my mail queues down.

By adding this little macro to sendmail.cf, I reject all emails with the
Sobig-F subjects during SMTP. Note that this only works for sendmail, and that
sendmail has to be compiled with regex support.




# Sobig subjects regex.
# The map returns "@MATCH_SOBIG" when the Subject matches one of the patterns.
# The match is anchored at the start only, so it is a prefix match.
Ksobig regex -a@MATCH_SOBIG ^(Re: That movie|Re: Wicked screensaver|Re: Your application|Re: Approved|Re: Re: My details|Re: Details|Your details|Thank you!)

# Reject all mail with Sobig subjects.
# Run the Check_sobig ruleset on every Subject: header (LHS and RHS are tab-separated).
HSubject:	$>Check_sobig
SCheck_sobig
R$*	$: $(sobig $&{currHeader} $: $1 $)
R@MATCH_SOBIG	$#error $: "550 Possible Sobig-F - Please change subject: " $&{currHeader}



Hope this helps someone out there...


PS. MailScanner was doing an excellent job detecting Sobig on our network, but
we were getting bombarded big time and the mqueue.in was growing too fast.



Sveinn Guðni Gunnarsson
Unix Specialist

Og fjarskipti hf.
Iceland
www.ogvodafone.is


> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: 22. ágúst 2003 13:58
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sobig getting tagged as spam not virus
> 
> 
> Thanks for all of that.
> 
> I have taken a look at the code, and it's not clear cut at all as to what
> is the best way of doing it.
> 
> By spam scanning first (and then deleting most of it automatically), you
> remove messages from the batch before you decode all the MIME data and
> virus scan them. Decoding the MIME data is quite an expensive operation.
> Virus scanning them probably doesn't cost you too much so long as there are
> still plenty of messages in the batch when you scan them (startup on a
> virus scanner is expensive compared to running cost for each file). You
> then also have to do filetype checking and filename checking on. Filetype
> checking certainly isn't free.
> 
> The alternative is that you do the MIME decoding on absolutely everything,
> including all the spam. You then virus scan absolutely everything. You then
> filename and filetype check everything. Then you get rid of everything that
> isn't going to be delivered anywhere. Then you do the spam scanning. So you
> only do the spam scanning on uninfected messages (assuming you delete most
> of your spam).
> 
> So the whole argument depends on
> 1) How your CPU power relates to your network speed
> 2) What the balance is of infected mail versus spam mail
> 3) What you do with most of your spam (i.e. delete it or not)
> 4) and probably some other factors I haven't thought of yet.
> 
> So it's a very difficult choice, and one that changes with
>          a) your setup, and
>          b) the characteristics of your incoming mail at any given point in
> time.
> 
> 
> 
> At 12:46 22/08/2003, you wrote:
> >Julian...
> >
> >You're right there is a bunch of thinking that will go into this...here is
> >some food for thought.
> >
> >I'm working with a couple of commercial versions of mail scanning
> >solutions...(none of which can touch MailScanner for flexibility), but some
> >of which have interesting design concepts:
> >
> >1.  Every mail should be scanned for viruses.  These statistics are useful
> >in determining the ebb and flow of viruses as they permeate the web.
> >According to ICSA last year 86% of all viruses used email as an attack
> >vector, so being able to plot this COULD be very valuable.
> >
> >2.  If notifications were stubbed into the process flow, then overhead could
> >conceivably be reduced greatly.  By sending notifications and closing the
> >flow, then SA would never even be required.  I guess one would have to
> >determine which was truly more process intensive (SA or Virus).  My bet
> >would be SA especially if plugged into Razor and DCC.
> >
> >3.  Filename/types need to be considered too.  Virus scanning SHOULD
> >conceivably be done before filename/type rules as well, because if you apply
> >disposition to each of these three basic processes...when the process
> >completes, then file attachments could be blocked by these rules and never
> >scanned.  If a user requests release from quarantine, then conceivably, a
> >message which was originally quarantined due to filename rules violations
> >could be infected and never scanned.
> >
> >4.  Notifications could be standardized during this change of processing
> >too.  Meaning if a standard notification sequence was done and it was
> >executed when a rule fired...it might also decrease processing overhead.
> >
> >CT
> >
> >
> >
> >----- Original Message -----
> >From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
> >To: <MAILSCANNER at JISCMAIL.AC.UK>
> >Sent: Friday, August 22, 2003 4:23 AM
> >Subject: Re: Sobig getting tagged as spam not virus
> >
> >
> > > Unfortunately, as the spam checking is done first, you can't put a virus
> > > name in the ruleset deciding the spam actions :-(
> > >
> > > I need to take a look at this area and have a good think about it, which
> > > won't happen right now as I can't even keep up with my incoming mail, let
> > > alone stop and think about anything.
> > >
> > > Sounds like it would be a good idea to do the virus scanning first, then
> > > the spam scanning. This would mean that everything would be virus-scanned,
> > > even spam that was then deleted. But the cost of virus scanning extra files
> > > is a lot lower than the cost of spam scanning extra files, which wasn't the
> > > case when I first started writing MailScanner.
> > >
> > > I'll try to find time this weekend to work on it; once I have sat and
> > > thought about it for a couple of hours it might turn out to be a trivial
> > > change, but I need to be *very* careful in this area.
> > >
> > > At 02:58 22/08/2003, you wrote:
> > > >I am very pleased that my site is not one of those spewing forth 'your
> > > >computer may be infected with the Sobig.F virus' reports, all due to
> > > >Julian's 'Silent Virus' feature. It works fine...
> > > >
> > > >But, it would appear from the comments below, and also first hand
> > > >observation, that a number of the Sobig emails are also getting caught by
> > > >MS/SA as spam. These emails are generating 'you sent us spam' reports back
> > > >to the sender, and of course that sender was forged by the virus.
> > > >
> > > >I am getting complaints from some sites that my MS system is hammering
> > > >them with rejection notices. Not 'virus infected' notices, but rather 'you
> > > >sent spam' notices. They are treating me like an idiot: "Don't you know
> > > >Sobig fakes the sender's address? STOP sending us these notices NOW!" kind
> > > >of messages.
> > > >
> > > >Being the recipient of many of these virus warnings from sites without a
> > > >'Silent Virus' feature, I can understand the frustration of those yelling
> > > >at me.
> > > >
> > > >Does anyone have a solution to this problem? Some means to recognize a
> > > >spam as being sent by a silent virus, such as Sobig, and not in turn
> > > >sending a spam rejection notice?
> > > >
> > > >Thanks!
> > > >-Alan
> > > >
> > > > >> >Mail with the Sobig.F message body is coming in with and without an
> > > > >> >attachment, therefore we get {SPAM?} or {VIRUS?} tagged e-mail. The
> > > > >> >score for the spam messages is the same 5.9.
> > > >
> > > > >>If a message contains a silent virus but also registers as spam, would
> > > > >>it be delivered? (seems so in this case)
> > > >
> > > > >The virus-infected messages and the spam messages are separate. They
> > > > >are all caused by the same thing, but don't expect all this mail to be
> > > > >virus-infected, it's not.
> > > > >--
> > > > >Julian Field
> > > > >www.MailScanner.info
> > > > >MailScanner thanks transtec Computers for their support
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> 
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
> 
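The sendmail.cf rule at the top of the post, rewritten in Python as an added example (not code from the post, from sendmail or from MailScanner) so its behaviour can be exercised offline. Like the K line it is a start-anchored, case-sensitive match, which makes it a prefix match that also rejects a legitimate "Re: Approved budget"; the exact-match variant and the RFC 2047 decoding are additions that handle the two inputs the raw-header regex does not: the SMTP reply string and subject list are taken from the post, everything else is assumed.

```python
import re
from email.header import decode_header, make_header

# Sobig-F subjects, copied from the K line in the post.
SOBIG_SUBJECTS = (
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Approved", "Re: Re: My details", "Re: Details", "Your details",
    "Thank you!",
)
_ALTS = "|".join(re.escape(s) for s in SOBIG_SUBJECTS)

# Same shape as the post's regex: anchored at the start only and case-sensitive,
# so it is a prefix match ("Re: Approved budget" is rejected as well).
SOBIG_PREFIX_RE = re.compile(r"^(" + _ALTS + ")")
# Exact-match variant (my addition): only the bare Sobig subjects match.
SOBIG_EXACT_RE = re.compile(r"^(" + _ALTS + r")\s*$")

SMTP_REJECT = "550 Possible Sobig-F - Please change subject: "


def decode_subject(raw):
    """Unfold a folded header value and decode RFC 2047 encoded words.

    sendmail's ${currHeader} gives the rule the raw header text, so an
    encoded-word subject never matches the plain-text regex; decode first.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw).strip()
    try:
        return str(make_header(decode_header(unfolded)))
    except (UnicodeError, LookupError):  # undecodable charset: keep raw text
        return unfolded


def check_subject(raw_subject, exact=False):
    """Return (accept, smtp_reply) for one Subject: header value."""
    subject = decode_subject(raw_subject)
    pattern = SOBIG_EXACT_RE if exact else SOBIG_PREFIX_RE
    if pattern.match(subject):
        return False, SMTP_REJECT + subject  # rejected during SMTP: no bounce
    return True, "250 OK"


if __name__ == "__main__":
    # Constructed sample subjects, not captured traffic.
    for s in ("Re: That movie", "Re: Approved budget", "re: approved",
              "=?iso-8859-1?q?Re=3A_Wicked_screensaver?=", "Your details\r\n  attached"):
        print(f"prefix={check_subject(s)[0]!s:5} exact={check_subject(s, True)[0]!s:5} {s!r}")
```

Because the decision is made before the message is accepted, the sending MTA gets the 550 and no notice is ever generated towards the forged sender address.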