Silent virus list, was: Palyh-A virus

Julian Field mailscanner at
Mon May 19 19:27:56 IST 2003

At 19:07 19/05/2003, you wrote:
>Steve Evans wrote:
>>I agree with moving the silent virus list to a file.  I also think that
>>file should be updated like the virus scanners' IDEs are updated.
>I would second that.
>Don't we have several problems to overcome?
>1/ The silent virus list changes.
>Solution: do automatic updating.

Who gets to host it? I guess I could.

>1a/ Someone has to maintain the list.
>Solution: ?

Depends how up to date people want the list to be. If it becomes large then
we will just ditch sender warnings altogether (which I see as the only
feasible long-term solution).

>2/ Different virus scanners use different names for viruses.
>Solution: provide one file per virus scanner?

Eek. Nightmare. Doesn't matter too much if a few sender warnings don't
happen, I would just have 1 global list that included the most common names
of each virus.

>3/ Some viruses disguise the name of the sender.
>Solution: group viruses by the algorithm used to recover the email
>address of the infected computer's owner.  "Silent" just means there is
>no such algorithm.  For really old viruses, the algorithm is to use the
>sender's e-mail address.  For other viruses, it's remove the leading
>underscore.  (We blocked W32/Magistr.32768 at mm last week; it looked like
>the virus changed the first letter of the sender's name from an 's' to a

Don't think this is worth the bother.

Overall, I think we all need to move to a setup where we do sender warnings
for people on our site/domain and don't bother informing the rest of the
world at all. It seems slightly stupid to write a virus that does *not*
fake the sender address; I'm just slightly surprised that it took so long
before the virus writers started doing this. It's not exactly hard...
Julian Field
Professional Support Services at
MailScanner thanks transtec Computers for their support
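
The policy discussed in this message (one global silent-virus list holding the common names, with sender warnings only for the local site), as an added sketch that is not part of the original post and not MailScanner's own code. The list format, the function names, the `example.org` domain and the scanner name strings are assumptions constructed for illustration.

```python
import fnmatch

# Constructed sample of a single global silent-virus list: one shell-style
# pattern per line, loose enough to match the names several scanners use.
SILENT_LIST = """\
# viruses that forge the sender address
*palyh*
*magistr*   # name taken from the thread above
"""

LOCAL_DOMAINS = {"example.org"}  # assumption: the domains this site runs


def load_silent_patterns(text):
    """Parse the list file: drop '#' comments and blanks, lower-case the rest."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            patterns.append(line)
    return patterns


def is_silent(virus_name, patterns):
    """True if a scanner-reported virus name matches any listed pattern."""
    name = virus_name.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def should_warn_sender(envelope_sender, virus_name, patterns,
                       local_domains=LOCAL_DOMAINS):
    """Warn only local senders, and never for a virus on the silent list."""
    if not envelope_sender or "@" not in envelope_sender:
        return False  # null sender (bounce) or malformed address
    domain = envelope_sender.rsplit("@", 1)[1].lower().rstrip(".")
    if domain not in local_domains:
        return False  # do not inform the rest of the world
    return not is_silent(virus_name, patterns)


if __name__ == "__main__":
    pats = load_silent_patterns(SILENT_LIST)
    for sender, virus in [("alice@example.org", "W32/Palyh-A"),
                          ("alice@example.org", "Constructed/Test-Virus"),
                          ("bob@elsewhere.example", "Constructed/Test-Virus")]:
        print(sender, virus, should_warn_sender(sender, virus, pats))
```

Because a missed match only means a warning is sent or skipped, loose wildcard patterns are enough here, and one list can serve every scanner.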
