Sobig.E Getting Through Intermittently

Rishi Gangoly rishi at THEARGONCOMPANY.COM
Fri Jun 27 15:05:32 IST 2003


On Wed, 25 Jun 2003 22:45:51 -0400, Ron E. <ree at THUNDERSTAR.NET> wrote:
>I have also noticed this - one idea maybe is to check file extensions of
>files within .zip files - perhaps mailscanner should block zip or other
>compressed files that contain only disallowed files.
>
>So, for instance, a .zip that contains only a .pif, which is how Sobig.E
>spreads, would be blocked.
>
>Actually any compressed file with a .pif, .scr, .bat, etc., I would be
>willing to block regardless if it was the only thing in the file or not -
>if it's one of those, 9 out of 10 it's a virus anyway.
>
>What do you think, Julian?
>
>Regards,
>
>Ron


Hi Julian,

I think that Ron has a valid point. It makes more sense to solve the problem at the root
which is the MailScanner engine, since it has proven to be much better than a signature
update from the AV company. That takes 48-72 hours at the earliest.

This level of checking will increase the security that much higher.

Knowing you and the type of guy you are, I'm sure as I'm typing this e-mail you are either
writing that module, or testing it or releasing the new version which includes this feature. ;-0

Just thought I'd add my two bits to Ron's e-mail and add it as a feature request in
mailscanner.

Regards

Rishi
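
The check Ron proposes in the quoted message, as an added example that is not part of the original posts and is not MailScanner's own code: it lists the members of a .zip attachment and applies either of his two policies (block if any member is disallowed, or only if every member is). The function names and the extension set, taken from the extensions named in the thread, are assumptions.

```python
import io
import zipfile

# Assumed policy list: the extensions named in the thread.
DISALLOWED = {".pif", ".scr", ".bat"}

def member_extension(name):
    """Final extension of an archive member, lowercased ('' if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(". ")  # Windows ignores trailing dots and spaces
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""

def check_zip(data, mode="any"):
    """Return (verdict, disallowed_member_names) for raw attachment bytes.

    mode="any":  block if any member has a disallowed extension.
    mode="only": block only if every member is disallowed.
    """
    try:
        # Names come from the central directory; nothing is extracted.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "unreadable", []  # let site policy decide (e.g. quarantine)
    bad = [n for n in names if member_extension(n) in DISALLOWED]
    if mode == "only":
        blocked = bool(names) and len(bad) == len(names)
    else:
        blocked = bool(bad)
    return ("block" if blocked else "pass"), bad

def make_zip(names):
    """Build a constructed sample archive in memory (harmless contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    mixed = make_zip(["readme.txt", "Setup.TXT.SCR"])  # constructed names
    for mode in ("any", "only"):
        print(mode, check_zip(mixed, mode))
    print("single", check_zip(make_zip(["details.pif"]), "only"))
```

The final extension is what gets matched, so a double extension such as `Setup.TXT.SCR` is still caught.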


