Silent virus list, was: Palyh-A virus

Steve Evans sevans at FOUNDATION.SDSU.EDU
Mon May 19 21:12:11 IST 2003


I let the message go on to the receiver, and don't bother to tell the
sender.  The silent list keeps my users that are receiving Klez,
BugBear, etc, from even receiving the e-mail with the stripped
attachment. 


Steve Evans
SDSU Foundation
(619) 594-0653 


-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK] 
Sent: Monday, May 19, 2003 11:28 AM
To: MAILSCANNER at JISCMAIL.AC.UK

At 19:07 19/05/2003, you wrote:
>Steve Evans wrote:
>>I agree with moving the silent virus list to a file.  I also think 
>>that file should be updated like the virus scanners IDE's are updated.
>
>I would second that.
>
>Don't we have several problems to overcome?
>
>1/ The silent virus list changes.
>Solution: do automatic updating.

Who gets to host it? I guess I could.

>1a/ Someone has to maintain the list.
>Solution: ?

Depends how up to date people want the list to be. If it becomes large
then we will just ditch sender warnings altogether (which I see as the
only feasible long-term solution).

>2/ Different virus scanners use different names for viruses.
>Solution: provide one file per virus scanner?

Eek. Nightmare. Doesn't matter too much if a few sender warnings don't
happen, I would just have 1 global list that included the most common
names of each virus.

>3/ Some viruses disguise the name of the sender.
>Solution: group viruses by the algorithm used to recover the email 
>address of the infected computer's owner.  "Silent" just means there is
>no such algorithm.  For really old viruses, the algorithm is to use the
>sender's e-mail address.  For other viruses, it's remove the leading 
>underscore.  (We blocked W32/Magistr.32768@mm last week; it looked like
>the virus changed the first letter of the sender's name from an 's' to 
>a 't'.)

Don't think this is worth the bother.

Overall, I think we all need to move to a setup where we do sender
warnings for people on our site/domain and don't bother informing the
rest of the world at all. It seems slightly stupid to write a virus that
does *not* fake the sender address, I'm just slightly surprised that it
took so long before the virus writers started doing this. It's not
exactly hard...
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
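The thread above sketches a mechanism without writing it down: one global silent-virus list keyed by the most common scanner names for each virus, a per-virus rule for recovering the infected machine's owner from a faked From: address (none at all, the From: address itself, or the address with a leading underscore removed), and a policy of warning only senders on the local domain. The following Python is an added example, not MailScanner code and not anything posted on the list. Klez, BugBear and Palyh are named in the thread, but the alias spellings, the hypothetical "uworm" family that exercises the underscore rule, the sample scanner reports, the addresses and the domain names are all constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed silent virus list (illustration only, not MailScanner's list).
# Each family carries the names common scanners use for it, so one global
# list can match reports from different engines, plus the rule for
# recovering the infected machine's owner from the From: address:
#   "none"             the virus fakes the sender; nobody can be warned
#   "sender"           old viruses: the From: address is the infected machine
#   "strip_underscore" the real address with a leading '_' prepended
SILENT_LIST = {
    "klez":    {"names": ("w32/klez", "i-worm.klez", "worm.klez"), "recover": "none"},
    "bugbear": {"names": ("w32/bugbear", "i-worm.tanatos", "worm.bugbear"), "recover": "none"},
    "palyh":   {"names": ("w32/palyh", "i-worm.palyh", "worm.palyh"), "recover": "none"},
    # hypothetical family, present only to exercise the underscore rule
    "uworm":   {"names": ("w32/uworm", "worm.uworm"), "recover": "strip_underscore"},
}

SEPARATORS = ".-_"


def family_of(report: str) -> Optional[str]:
    """Map a scanner's detection name onto a family in SILENT_LIST.

    The report is lower-cased, the '@mm' mass-mailer tag is dropped, and a
    listed name matches either exactly or as a prefix followed by a variant
    separator, so 'W32/Klez.H@mm', 'W32/Klez-H' and 'I-Worm.Klez.h' all map
    to 'klez' while 'W32/Klezzy' does not.
    """
    name = report.strip().lower().replace("@mm", "")
    for family, entry in SILENT_LIST.items():
        for alias in entry["names"]:
            if name == alias:
                return family
            if name.startswith(alias) and name[len(alias)] in SEPARATORS:
                return family
    return None


def recover_sender(family: Optional[str], from_addr: str) -> Optional[str]:
    """Apply the family's recovery rule; None means no one can be warned."""
    rule = SILENT_LIST[family]["recover"] if family else "sender"
    if rule == "none":
        return None
    if rule == "strip_underscore":
        local, at, domain = from_addr.partition("@")
        if at and local.startswith("_"):
            return local[1:] + "@" + domain
        return None  # expected marker absent: the address cannot be trusted
    return from_addr


def decide(report: str, from_addr: str, local_domains: set) -> Tuple[str, Optional[str]]:
    """Return (action, warning_target) for one infected message.

    Silent viruses (no recoverable sender) are discarded outright, which is
    the setup Steve describes: recipients never see the stripped message.
    Everything else is delivered with the attachment removed, and the
    sender is warned only when the recovered address is on a local domain,
    which is the policy Julian proposes.
    """
    target = recover_sender(family_of(report), from_addr)
    if target is None:
        return ("discard", None)
    domain = target.rpartition("@")[2].lower()
    if domain in local_domains:
        return ("deliver_stripped_and_warn", target)
    return ("deliver_stripped", None)


if __name__ == "__main__":
    # Constructed sample reports: (scanner detection name, From: address)
    samples = [
        ("W32/Klez.H@mm", "alice@example.com"),
        ("I-Worm.Tanatos", "bob@example.com"),
        ("W32/Uworm.A", "_carol@example.com"),
        ("W32/Uworm.A", "carol@example.com"),
        ("EICAR-Test-File", "dave@example.com"),
        ("EICAR-Test-File", "eve@elsewhere.net"),
    ]
    for report, sender in samples:
        print(report, sender, "->", decide(report, sender, {"example.com"}))
```

Matching on a name plus separator rather than on a stripped prefix is what keeps the list small: one entry per family covers every variant letter and the `@mm` tag, and a family whose recovery rule fails on a given address falls back to silent handling rather than warning a stranger.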
