F-prot update

[Rick Cooper]

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Dan Hollis
> Sent: Saturday, March 06, 2004 6:48 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: F-prot update
>
>
> On Sat, 6 Mar 2004, Julian Field wrote:
> > At 19:12 05/03/2004, you wrote:
> > >On Fri, 5 Mar 2004, Julian Field wrote:
> > > > At 13:27 05/03/2004, you wrote:
> > > > >I guess the f-prot update will mean more
> changes to MailScanner
> > > > I'm not going to rush out a new release for
> that, as MailScanner now
> > > > performs filename checks on the contents of Zip
> files anyway, even if they
> > > > are password-protected.
> > > > So it doesn't really give you very much extra
> value when used within
> > > > MailScanner.
> > >f-prot doesnt actually unzip the file and check it,
> it just adds new
> > >heuristics for filename size and extension.
> > >It would be nice if mailscanner could deal with
> password protected
> > >archives by extracting the password from the mail body...
> > That's a natural language parsing problem, which is
> incredibly difficult to
> > do with any reliability.
>
> Except that all the known viruses so far use known
> static phrases. Theres
> a limit to how much phrases could be 'randomized'
> before they become
> incomprehensible to the intended target.
>
> Parsing static phrases for passwords would be useful
> right now, and for
> the short term future. Various virus filtering
> software does it already
> (mailscanner alas is one that does not). No, it isnt
> perfect forever but
> that doesnt make it completely useless or even impractical.
>

It would take about a day for the virus authors to start
embedding small .gif or .jpg inlines that are random sized with
random passwords in random places with random nulls and padding.
It would be difficult even for SA to catch something like that
because the image/text ratio would be small, no static strings
and a common element in ham. What then? ban all inline images?
Then there is the old trick of having a readme type file in the
archive that is not password protected and contains the password
information so you have to look for that too. Not to mention
resource usage. I feel for the ISPs who do not have control of
their user policies (like no password protected zips) but there
is a limit to how much MailScanner should try to do. Look at the
problems some larger sites are having with resources since Julian
made the mime parsing more robust, and now you have MS trying to
find figure out how a virus author is trying to obfuscate a
password.

It's a question of how much is too much. MS is not the only
player in the virus/spam game. I actually have seen little in
terms of viruses because they are generally not very rfc
compliant so they are stopped in the smtp session. When Netsky,
Bagle, and MyDoom came around I saw/see little of the actual
virus in my logs what I saw a huge increase in helo rejects
because the host name was not FQDN ( a lot of names like SAM, or
Bill, or SERVER), or no Message-Id, etc. The MTA can stop a lot
of both spam and viruses if you just work on your access lists a
bit (which is a very easy thing with exim's acls). Most of the
viruses that actually make it past the RFC checks come from MTAs
bouncing the full message back to the innocent user from whence
they *think* it came.

Julian is right on this.

My 2 cents