Making myself cross-eyed peering at viruses and system filters this afternoon.
Most things with an executable attachment we bounce, in case they're viruses, with a message saying to zip it up and try again if they really wanted to send it. Klez and various other viruses forge the sender though, and we don't want to go round sending bounces to forged senders who will either be confused about it or will just bounce back again. So we want to try and freeze any of them that actually look like Klez. So gradually our system filter turns into not-very-good virus detection software. It really would be better if we could find the manpower to sort out a real one instead.
Anyone who's actually using something with exim already, do feel free to let me know what it is and how easy it is to set up :-) I think we investigated something in the past, but it fell down because we couldn't get it to send bounces as the error sender; this was before my time, though.
Re: exim 3 or 4?
Date: 2002-10-03 10:11 am (UTC)

We're already bouncing anything which looks like an executable from the file extension; we just want to freeze all the ones which are easily spottable as viruses which forged where they're from, as it's pretty pointless bouncing those. Anyway, I think I've hacked together some heuristics for the most common Klez variants and some of the new BugBear ones, so we'll install new filters tomorrow when we've time to watch them.
I just think coming up with these heuristics myself is a bit reinventing the wheel, and a square wheel at that.
As for real attachments: our bounce message says to try again and zip it :-) We're still on exim3, FWIW; exim4 *will* happen, but we're too busy and I've been too crap. Nice to be getting stuff done again, but I'm rapidly running out of to-do list, which at the moment is a bad thing as I'm likely to just sit and twiddle thumbs instead of doing anything useful.
Re: exim 3 or 4?
Date: 2002-10-04 03:14 am (UTC)

- A Windows executable starts with the letters "MZ".
- At file offset 0x3C there's a little-endian 4-byte number X.
- At file offset X there are the letters "PE".
These are fundamental properties of the Windows executable file format, incredibly unlikely to be fulfilled by accident by some other type of file. (Well, actually they also match Windows bitmap font files, because Windows uses the executable format as a container for those, but that doesn't usually seem to be a problem. If it did start to be a problem, I'm fairly sure I could concoct a slightly more elaborate criterion that only fired on files which had at least one code section.)

I don't even try to work out what sorts of executable are safe and what sorts are viruses. That way lies virus checker software, which means you need to update it whenever a new strain comes out, and I haven't got the time :-)
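The three-point check described in the comment above, written out as an added Python example (not code from the original post or from any commenter). It also implements the refinement the commenter only mentions, firing only when the file has at least one section flagged as code, using the standard PE layout (4-byte "PE\0\0" signature, 20-byte COFF header, 40-byte section headers, and the PE constant IMAGE_SCN_CNT_CODE = 0x20). The byte strings it checks are constructed here for the example and are not real programs; the function names are this example's own. Every offset is bounds-checked, because a mail filter must not fall over on a truncated or deliberately malformed attachment.

```python
import struct

# Standard PE section-header flag meaning "this section contains executable code".
IMAGE_SCN_CNT_CODE = 0x00000020


def looks_like_windows_executable(data: bytes) -> bool:
    """The comment's three rules: 'MZ' at 0, little-endian X at 0x3C, 'PE' at X."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A forged or truncated file may point X past the end of the data.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 2] == b"PE"


def has_code_section(data: bytes) -> bool:
    """Stricter criterion: passes the three rules AND has a section flagged as code."""
    if not looks_like_windows_executable(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    if coff + 20 > len(data):
        return False
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    sections = coff + 20 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        hdr = sections + 40 * i
        if hdr + 40 > len(data):             # table runs past end of file: treat as no code
            return False
        (characteristics,) = struct.unpack_from("<I", data, hdr + 36)
        if characteristics & IMAGE_SCN_CNT_CODE:
            return True
    return False


def attachment_action(data: bytes, strict: bool = False) -> str:
    """Policy from the post: executables get bounced, everything else passes through."""
    is_exe = has_code_section(data) if strict else looks_like_windows_executable(data)
    return "bounce" if is_exe else "pass"


def build_sample(section_flags):
    """Constructed minimal PE-shaped blob for testing; not a runnable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 8                          # tiny optional header; its size is recorded below
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, len(opt), 0x0102)
    sects = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in section_flags
    )
    return dos + b"PE\0\0" + coff + opt + sects


# Constructed inputs: an executable-shaped file, a container with only a data
# section, something that is not MZ at all, and an MZ file whose X points past the end.
SAMPLE_EXE = build_sample([(b".text", 0x60000020), (b".data", 0xC0000040)])
SAMPLE_CONTAINER = build_sample([(b".rsrc", 0x40000040)])
SAMPLE_ZIP = b"PK\x03\x04" + b"\0" * 60
SAMPLE_FORGED = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0xFFFFFFF0)

if __name__ == "__main__":
    for label, blob in [("exe", SAMPLE_EXE), ("container", SAMPLE_CONTAINER),
                        ("zip", SAMPLE_ZIP), ("forged", SAMPLE_FORGED)]:
        print(label, attachment_action(blob), attachment_action(blob, strict=True))
```

With `strict=False` the container-style file is bounced like any other MZ/PE file, which is the behaviour the commenter describes; with `strict=True` only files carrying a code section are bounced, which is the more elaborate criterion they sketch.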