<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/1.1.10">
</HEAD>
<BODY>
Happy to provide a backup server for the updates files.<BR>
<BR>
Steve<BR>
Steve Swaney<BR>
<A HREF="mailto:steve@swaney.com">steve@swaney.com</A><BR>
<BR>
On Mon, 2003-05-19 at 14:27, Julian Field wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE><FONT COLOR="#737373" SIZE="3"><I>At 19:07 19/05/2003, you wrote:
>Steve Evans wrote:
>>I agree with moving the silent virus list to a file. I also think that
>>file should be updated like the virus scanners' IDEs are updated.
>
>I would second that.
>
>Don't we have several problems to overcome?
>
>1/ The silent virus list changes.
>Solution: do automatic updating.
Who gets to host it? I guess I could.
>1a/ Someone has to maintain the list.
>Solution: ?
Depends how up to date people want the list to be. If it becomes large then
we will just ditch sender warnings altogether (which I see as the only
feasible long-term solution).
>2/ Different virus scanners use different names for viruses.
>Solution: provide one file per virus scanner?
Eek. Nightmare. Doesn't matter too much if a few sender warnings don't
happen, I would just have 1 global list that included the most common names
of each virus.
>3/ Some viruses disguise the name of the sender.
>Solution: group viruses by the algorithm used to recover the email
>address of the infected computer's owner. "Silent" just means there is
>no such algorithm. For really old viruses, the algorithm is to use the
>sender's e-mail address. For other viruses, it's remove the leading
>underscore. (We blocked W32/Magistr.32768@mm last week; it looked like
>the virus changed the first letter of the sender's name from an 's' to a
>'t'.)
Don't think this is worth the bother.
Overall, I think we all need to move to a setup where we do sender warnings
for people on our site/domain and don't bother informing the rest of the
world at all. It seems slightly stupid to write a virus that does *not*
fake the sender address; I'm just slightly surprised that it took so long
before the virus writers started doing this. It's not exactly hard...
--
Julian Field</FONT>
<A HREF="http://www.MailScanner.info"><FONT SIZE="3">www.MailScanner.info</FONT></A>
<FONT COLOR="#737373" SIZE="3">Professional Support Services at </FONT><A HREF="http://www.MailScanner.biz"><FONT SIZE="3">www.MailScanner.biz</FONT></A>
<FONT COLOR="#737373" SIZE="3">MailScanner thanks transtec Computers for their support</I></FONT></PRE>
</BLOCKQUOTE>
</BODY>
</HTML>