
Re: [Full-Disclosure] Re: Filtering sobig with postfix

> ----- Original Message ----- 
> From: vogt@hansenet.com 
> To: madduck@madduck.net ; full-disclosure@lists.netsys.com 
> Sent: Wednesday, August 20, 2003 11:27 PM
> Subject: AW: [Full-Disclosure] Re: Filtering sobig with postfix

> > > /see attached file for details/ REJECT
> > 
> > this incurs a factor 2-4 performance drop, and it could also elicit
> > false positives. you should definitely do more than just REJECT
> > (i.e. write out a message: s/REJECT/554 Suspected virus/).

> Agree, a message would be good.

Just wanted to mention that I have been testing a few Windows-based anti-spam progs for customers. Spamkiller has the ability to pick things out quite nicely that some others don't appear to do. I have found the Sobig emails all seem to have a header line in them with "Found to be clean" as a way to attempt to fool something or other into thinking there is no virus attached to the email. Filtering on that header seems to keep them all out so far.

Noted that the FROM header can be anyone, like other viruses have done in the past, taken from the infected system's email address book or possibly anywhere on the hard disk.

Greg.
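For reference, here is what the two checks discussed in this thread look like as Postfix tables, with the reply text the quoted reply asks for instead of a bare REJECT. This is an added illustration, not configuration from the original post; the file paths and the phrase-only patterns are assumptions, and any legitimate scanner that writes the same phrase into its own headers will be rejected by the first rule as well.

```text
# /etc/postfix/main.cf  (only the two lines relevant here)
header_checks = pcre:/etc/postfix/header_checks
body_checks   = pcre:/etc/postfix/body_checks

# /etc/postfix/header_checks
# Each rule is tested against one full "Name: value" header line; pcre tables
# match case-insensitively by default. Postfix prepends its own 5xx reply
# code, so only the human-readable text goes here.
/Found to be clean/   REJECT Suspected virus

# /etc/postfix/body_checks
# The body rule from the quoted message, now with an explicit reply text.
# body_checks is run on every body line, which is the performance cost the
# quoted reply warns about; keep this table as short as possible.
/see attached file for details/   REJECT Suspected virus
```

Run `postmap -q "X-Test: Found to be clean" pcre:/etc/postfix/header_checks` after a `postfix reload` to confirm the rule fires, and watch the mail log for rejects of legitimate senders before leaving it in place.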

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html