Silent virus list, was: Palyh-A virus

Craig Pratt craig at STRONG-BOX.NET
Mon May 19 20:48:35 IST 2003


Agree that it's probably better that, by default, senders are not
notified - considering the current nature of e-mail viri. And sender
notification qualifies as a courtesy anyway.

Some other ideas:

  o Reverse the logic and create a "Virus sender notify by type" list.
Allow for a ruleset with actions based on the type.

  o Create an even more generalized "Virus reaction" that lets you do
different things based on the virus type. Actions can be "quarantine",
"receiver_notify", "sender_notify", "delete", "deliver",
"deliver_disinfected", "postmaster_notify", etc.  The ruleset could let
you do it based on type. The default could just be "delete
postmaster_notify deliver_disinfected". Maybe include an example
ruleset?

  o Something else ruleset based - because rulesets are cool, Julian. ;^)

Just some thoughts...

Craig

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig at strong-box.net


On Monday, May 19, 2003, at 11:27 AM, Julian Field wrote:
> At 19:07 19/05/2003, you wrote:
>> Steve Evans wrote:
>>> I agree with moving the silent virus list to a file.  I also think that
>>> file should be updated like the virus scanners' IDEs are updated.
>>
>> I would second that.
>>
>> Don't we have several problems to overcome?
>>
>> 1/ The silent virus list changes.
>> Solution: do automatic updating.
>
> Who gets to host it? I guess I could.
>
>> 1a/ Someone has to maintain the list.
>> Solution: ?
>
> Depends how up to date people want the list to be. If it becomes large then
> we will just ditch sender warnings altogether (which I see as the only
> feasible long-term solution).
>
>> 2/ Different virus scanners use different names for viruses.
>> Solution: provide one file per virus scanner?
>
> Eek. Nightmare. Doesn't matter too much if a few sender warnings don't
> happen, I would just have 1 global list that included the most common names
> of each virus.
>
>> 3/ Some viruses disguise the name of the sender.
>> Solution: group viruses by the algorithm used to recover the email
>> address of the infected computer's owner.  "Silent" just means there is
>> no such algorithm.  For really old viruses, the algorithm is to use the
>> sender's e-mail address.  For other viruses, it's remove the leading
>> underscore.  (We blocked W32/Magistr.32768 at mm last week; it looked like
>> the virus changed the first letter of the sender's name from an 's' to a
>> 't'.)
>
> Don't think this is worth the bother.
>
> Overall, I think we all need to move to a setup where we do sender warnings
> for people on our site/domain and don't bother informing the rest of the
> world at all. It seems slightly stupid to write a virus that does *not*
> fake the sender address, I'm just slightly surprised that it took so long
> before the virus writers started doing this. It's not exactly hard...
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
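As an added illustration (not MailScanner code, and not from anyone in this thread) of the two ideas discussed above, a per-virus "reaction" ruleset and a silent list plus address-recovery rules, gated by Julian's policy of only warning senders in our own domains. All virus names other than Palyh-A are constructed placeholders, and the list contents are sample data, not real signatures.

```python
from typing import Callable, Dict, Optional, Set

# Constructed sample silent list: viruses known to forge the envelope sender,
# so there is nobody to notify as "sender". (Not a real MailScanner list.)
SILENT_VIRUSES: Set[str] = {"W32/Palyh-A"}

# Per-virus algorithms for recovering the infected machine's owner from the
# envelope sender, as Steve Evans describes. Virus names here are placeholders.
RECOVERY_RULES: Dict[str, Callable[[str], Optional[str]]] = {
    # Really old viruses: the sender address is the infected user's own.
    "EXAMPLE/Old-Virus": lambda addr: addr,
    # Viruses that prepend an underscore: strip it, otherwise give up.
    "EXAMPLE/Underscore-Forger": lambda addr: addr[1:] if addr.startswith("_") else None,
}

# Craig's proposed default reaction for any virus with no specific rule.
DEFAULT_ACTIONS: Set[str] = {"delete", "postmaster_notify", "deliver_disinfected"}


def recover_sender(virus: str, envelope_sender: str) -> Optional[str]:
    """Return the address worth warning, or None if the virus is silent or unknown."""
    if virus in SILENT_VIRUSES:
        return None
    rule = RECOVERY_RULES.get(virus)
    return rule(envelope_sender) if rule else None


def is_local(address: str, local_domains: Set[str]) -> bool:
    """True if the address belongs to one of our own domains (case-insensitive)."""
    return address.rsplit("@", 1)[-1].lower() in {d.lower() for d in local_domains}


def virus_actions(virus: str, envelope_sender: str, local_domains: Set[str],
                  ruleset: Optional[Dict[str, Set[str]]] = None) -> Set[str]:
    """Look up the per-virus actions (falling back to the defaults), then keep
    'sender_notify' only when a real, local sender can actually be identified."""
    actions = set((ruleset or {}).get(virus, DEFAULT_ACTIONS))
    if "sender_notify" in actions:
        target = recover_sender(virus, envelope_sender)
        if not (target and is_local(target, local_domains)):
            actions.discard("sender_notify")
    return actions
```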


--
This message checked for dangerous content by MailScanner on StrongBox.



More information about the MailScanner mailing list