
RE: [Asrg] Zombie spam



Further thought: a lot of the more recent ZIP viruses are using
encryption to stop the package getting through, so looking for
executable content is not going to work.

How about this for an alternative scheme?

1) Block all directly executable content entirely, notify in cases 
	that do not look spammy.

2) In the case of a document format that may contain macro content
	allow through directly iff a scan shows that there are no
	live macros, otherwise quarantine.

3) In the case of a zip file allow it through directly iff:
	a scan of the contents shows it to not contain any executable
	otherwise quarantine.

4) In the case of quarantined content send a note out to the end user
	and they can pick it off a web site.

The thing I find attractive about this scheme is that it eliminates the 
need for maintenance of a library of virus fingerprints. That particular
strategy does not seem to have eliminated viruses over the past 15
years and does not seem to be working very well now that the viruses
are propagating much faster and spam trojan techniques seem to be used
more.



> -----Original Message-----
> From: Hallam-Baker, Phillip 
> Sent: Monday, July 19, 2004 8:14 PM
> To: 'Tony Finch'; asrg at ietf.org
> Subject: RE: [Asrg] Zombie spam 
> 
> 
> Are the zip file messages viruses or trojans?
> 
> I don't see how a true virus is going to propagate if it relies on 
> people opening up a zip file from someone they don't know. But I can
> see that blasting it out as spam might be a viable means of 
> distributing 
> a trojan. 
> 
> Anyone got some hard data on the different vectors in use here?
> 
> 	Phill
> 
> > -----Original Message-----
> > From: asrg-bounces at ietf.org [mailto:asrg-bounces at ietf.org]
> > On Behalf Of Tony Finch
> > Sent: Monday, July 19, 2004 6:39 PM
> > To: asrg at ietf.org
> > Subject: Re: [Asrg] Zombie spam 
> > 
> > 
> > "Alan DeKok" <aland at ox.org> wrote:
> > >Tony Finch <dot at dotat.at> wrote:
> > >>
> > >> I have had some success with running an anti-virus scanner over all the
> > >> email passing through my relays.
> > >
> > >  Heck, check for:
> > >
> > >/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/      REJECT  attachment type not allowed
> > 
> > We do something like that as well, but there have been viruses
> > recently which occupy zip files (which we can't block because of past
> > recommendations to our users which painted us into a corner) and at
> > least one which uses an exploit that requires no attachment at all.
> > 
> > Tony.
> > -- 
> > f.a.n.finch  <dot at dotat.at>  http://dotat.at/
> > FORTIES CROMARTY FORTH TYNE WEST DOGGER: SOUTHERLY BACKING 
> > SOUTHEASTERLY 4 OR
> > 5, OCCASIONALLY 6 LATER IN TYNE. RAIN OR SHOWERS. GOOD 
> > OCCASIONALLY MODERATE.
> > 
> > _______________________________________________
> > Asrg mailing list
> > Asrg at ietf.org
> > https://www1.ietf.org/mailman/listinfo/asrg
> > 
> 

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
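
The four-step scheme proposed at the top of this message, written out as a
working attachment policy. This is an added example, not code from any
poster in the thread. The executable-extension list is taken from the
header-matching rule Alan DeKok quoted; everything else is assumed for the
illustration: the Office extension lists, the choice to detect OOXML macros
by the presence of a vbaProject.bin member (a stand-in for a real macro
scanner), the nesting limit for zip-in-zip, and the decision to quarantine
anything that cannot be inspected, which covers the encrypted-ZIP case the
mail opens with. Step 4 (notifying the user and parking the file on a web
site) is left to the caller, so each function returns (verdict, reason).

```python
"""Attachment policy: block executables, inspect zips, check documents for
macros, quarantine anything not proven clean.  Added example, not posted
code; extension lists beyond the thread's regex are assumptions."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extension list lifted from the header-matching rule quoted in the thread.
EXEC_EXT_RE = re.compile(
    r"\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?"
    r"|sh[mbs]|vb[esx]|ws[fh]|wmf)$", re.IGNORECASE)
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")   # assumed
LEGACY_OFFICE_EXT = (".doc", ".xls", ".ppt", ".dot", ".xlt", ".pot")  # assumed
MAX_NESTING = 3  # zip-in-zip depth before we stop looking and fail closed

def is_executable_name(name):
    return bool(EXEC_EXT_RE.search(name))

def classify_zip(data, depth=0):
    """Step 3: allow iff every member is inspectable and non-executable.
    An encrypted member cannot be scanned, so it is not proven clean."""
    if depth > MAX_NESTING:
        return "quarantine", "zip nested too deeply"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "quarantine", "unparseable zip"
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted
            return "quarantine", "encrypted zip member: " + info.filename
        if is_executable_name(info.filename):
            return "quarantine", "executable in zip: " + info.filename
        if info.filename.lower().endswith(".zip"):
            verdict, why = classify_zip(zf.read(info), depth + 1)
            if verdict != "allow":
                return verdict, why
    return "allow", "zip contains no executable members"

def classify_document(name, data):
    """Step 2: allow iff a scan shows no live macros.  OOXML is a zip whose
    macros live in vbaProject.bin; legacy OLE files get no scanner here,
    so they fail closed rather than being waved through."""
    if name.lower().endswith(OOXML_EXT):
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "quarantine", "unparseable OOXML container"
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "quarantine", "document carries a VBA project"
        return "allow", "no macro project in document"
    return "quarantine", "legacy Office file cannot be scanned here"

def classify_attachment(name, data):
    """Steps 1-3, dispatching on the declared file name."""
    lower = name.lower()
    if not lower:
        return "quarantine", "attachment has no file name"
    if is_executable_name(lower):
        return "block", "directly executable content"
    if lower.endswith(".zip"):
        return classify_zip(data)
    if lower.endswith(OOXML_EXT + LEGACY_OFFICE_EXT):
        return classify_document(name, data)
    return "allow", "not an executable, archive or macro document"

def classify_message(raw):
    """Apply the policy to a raw message; the strictest verdict wins."""
    rank = {"allow": 0, "quarantine": 1, "block": 2}
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    worst = ("allow", "no attachments")
    for part in msg.iter_attachments():
        verdict = classify_attachment(part.get_filename() or "",
                                      part.get_payload(decode=True) or b"")
        if rank[verdict[0]] > rank[worst[0]]:
            worst = verdict
    return worst

# --- constructed sample inputs (not real mail or real archives) ----------

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

def make_encrypted_zip(member_name, content):
    """zipfile cannot write encrypted archives, so flip the 'encrypted' bit
    in the local header and central directory of a plain single-member
    archive; that flag is all a scanner sees before it gives up."""
    raw = bytearray(make_zip({member_name: content}))
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(signature) + flag_offset] |= 0x1
    return bytes(raw)

def make_message(filename, content):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "hi"
    msg.set_content("see attachment")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(classify_attachment("invoice.exe", b"MZ"))
    print(classify_attachment("locked.zip", make_encrypted_zip("x.exe", b"MZ")))
    print(classify_message(make_message("photos.zip", make_zip({"a.jpg": b"x"}))))
```

The policy never tries to recognise a particular virus, which is the point
of the proposal: an encrypted archive is quarantined not because it matches
a signature but because it cannot be shown to contain no executable. The
same fail-closed rule is what keeps the nameless-attachment and
unparseable-archive cases out of the "allow" bucket.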