Re: AntiVirus for sendmail
- To: <misc@openbsd.org>
- Subject: Re: AntiVirus for sendmail
- From: "Dom De Vitto" <dom@DeVitto.com>
- Date: Fri, 3 Jan 2003 20:30:36 -0000
- Organization: Secure Technologies Ltd.
Erm,
As I didn't reply to your history-of-linux rant, it's a bit embarrassing
that I'm going to have to reply to your post.
Your post was total crap.
First, I remember when Netscape would merrily execute Javascript
inside HTML emails. "Outlook 97", as was, wasn't even on the Select
beta CD until 6 months later.
Eudora doesn't execute code? Check out the SecurityFocus Bug database:
2002-11-20: Qualcomm Eudora Known File Attachment Location Vulnerability
2002-11-13: Qualcomm Eudora File Attachment Spoofing Vulnerability
2002-10-10: Qualcomm Eudora MIME Multipart Boundary Buffer Overflow Vulnerability
2002-07-24: Qualcomm Eudora Hidden Attachment Execution Vulnerability
2002-03-22: Qualcomm Eudora WebBrowser Control Embedded Media Player File Vulnerability
2001-04-18: Qualcomm Eudora File Attachment Vulnerability
2001-03-22: Qualcomm Eudora 'Use Microsoft Viewer' Code Execution Vulnerability
2000-09-07: Eudora Client and Path Disclosure Vulnerability
2000-05-15: Qualcomm Eudora Pro Long Filename Attachment Vulnerability
2000-04-28: Eudora 4.2/4.3 Warning Message Circumvention Vulnerability
1999-09-17: Eudora 3.X with PGP "Spelling" Vulnerability
I wrote a proof of concept Unix virus years ago, and it was both more
aggressive and portable than anything I've seen apart from Code Red.
- and only because I wasn't on scene for the Morris Worm - did everyone
forget that baby? Killed the "net" flat for days and it was so aggressive
it escaped its creator.
99% of virii are over a year old, according to the big cleaning
companies you quote, so why do you need up-to-the-minute updates anyway?
Even when "I Love You" hit, and I saw the whole thing "live", because
I let it in to the UK's biggest bank (!), we had a couple of hours to
prepare and delete the emails as they came in, until a generic filter
was in place.
What you need is something like MIMEsweeper (for W2k) to content
check email against your security policy and run a virus checker over
the emails too. And don't forget disclaimers, "bad word" checkers and
other things that can get your company in court if they are missing.
As for "MS Proprietary attachment type", email is text, sometimes
encoded text (e.g. BASE64), sometimes encapsulated (e.g. MIME), but
if MS have some "magic" header field or embedded token, fine
- I'll just remove that header/token or pattern or "stuff" as it
goes through MIMEsweeper...
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Tel. 07855 805 271
http://www.devitto.com mailto:dom@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
Of Chuck Yerkes
Sent: Friday, January 03, 2003 6:17 PM
To: misc@openbsd.org
Subject: Re: AntiVirus for sendmail
Quoting Orpheus (orpheus@metempsychosis.com):
> does anyone have any opinions for the best combination of a sendmail
> and antivirus solution for 3.2 (current or stable)? this is for a home
> network of basically 3 computers and i'm not too keen on $600 AUD + for
> RAV or Vexira, plus I'd like some opinions on how they go
> (stability/effectiveness/etc.) in the wild.
>
> I currently use F-Secure for my XP machines and am very happy with it
> ... looks like their gateway AV is only for Linux though, so I'm not
> confident with compile issues..
Let's recall too, that there are no "EMail viruses."
There are "Outlook Viruses."
This was key when clients complained that they had to spend $5,000 to
protect their email. Eudora doesn't execute code for you; nor Mozilla,
PINE or Mutt. Outbreak will rummage through badly broken MIME, seek out
and run code that other clients don't even see as attachments. Plus,
Outlook will sometimes use an MS Proprietary attachment type that
changes depending on version-du-jour. Good luck seeing some of those -
they slip through anything that looks for MIME and uuencoded stuff.
So if you have 1 Windows machine, you need AV for that anyway. If it can
check all incoming mail attachments (hooking into the mail client
perhaps), then you should be set.
You want to look for something that can get updated IMMEDIATELY, and
that's where the McAfee and Trend tools were worth paying for at
companies. I've used the Sendmail MILTER versions of those, but
Sendmail (Inc) only supports a couple of OSs.
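Both posts turn on the same gateway question: what the mail actually carries once you decode the MIME and transfer encodings, as opposed to what the headers claim, and whether a filter looking only for "MIME and uuencoded stuff" by declared type will see it. The script below is an added example written for this page, not code from either poster, MIMEsweeper, or any milter. It walks a message with Python's standard `email` module and applies a small gateway policy: it flags attachments by real filename extension, flags any decoded part whose bytes begin with the PE/DOS "MZ" stub regardless of the Content-Type it declares, and looks for uuencoded `begin ... end` blocks sitting in text bodies, which older clients decode on sight. The two sample messages, the 64-byte executable stub, and the extension list are constructed for the example and are assumptions, not data from the thread.

```python
import base64
import binascii
import email
import email.policy
import os
import re

# Constructed stub (not a real binary): PE executables open with the "MZ"
# DOS header, and that prefix is all the scanner keys on.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60

# Filename extensions a gateway policy refuses outright (assumed list).
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# A uuencode header line: "begin <octal mode> <filename>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$", re.MULTILINE)


def uuencode(name, data):
    """Minimal uuencoder so the sample body carries a genuine uuencoded block."""
    lines = ["begin 644 %s" % name]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode().rstrip("\n"))
    lines += ["`", "end"]
    return "\r\n".join(lines)


# Constructed hostile sample: a text body with a uuencoded executable in it,
# plus an attachment that claims to be a JPEG but is base64 of the MZ stub
# under a double-extension filename.
HOSTILE_SAMPLE = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: invoice\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"xx\"\r\n"
    "\r\n"
    "--xx\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "see attached\r\n"
    + uuencode("setup.exe", PE_STUB) + "\r\n"
    "--xx\r\n"
    "Content-Type: image/jpeg; name=\"invoice.jpg.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=\"invoice.jpg.exe\"\r\n"
    "\r\n"
    + base64.b64encode(PE_STUB).decode() + "\r\n"
    "--xx--\r\n"
)

# Constructed benign sample: plain text plus a harmless text attachment.
CLEAN_SAMPLE = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: report\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"yy\"\r\n"
    "\r\n"
    "--yy\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "report attached\r\n"
    "--yy\r\n"
    "Content-Type: text/plain; name=\"report.txt\"\r\n"
    "Content-Disposition: attachment; filename=\"report.txt\"\r\n"
    "\r\n"
    "quarterly numbers\r\n"
    "--yy--\r\n"
)


def scan_message(raw):
    """Return a list of (reason, detail) findings for one raw message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""  # undoes base64/QP
        # 1. Policy on the real filename, so "invoice.jpg.exe" ends in .exe.
        if name and os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
            findings.append(("executable-extension", name))
        # 2. Look at the decoded bytes, not the declared Content-Type.
        if body.startswith(b"MZ"):
            findings.append(("pe-content", "%s declared as %s"
                             % (name or "(unnamed)", ctype)))
        # 3. uuencoded blocks hide inside ordinary text bodies.
        if ctype.startswith("text/"):
            for m in UU_BEGIN.finditer(body.decode("ascii", "replace")):
                findings.append(("uuencoded-block", m.group(1)))
    return findings


def verdict(raw):
    """Gateway decision: any finding rejects the message."""
    return "reject" if scan_message(raw) else "accept"


if __name__ == "__main__":
    for label, sample in (("hostile", HOSTILE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, verdict(sample), scan_message(sample))
```

The point of checking the decoded bytes and the uuencoded text separately is that a filter keyed on `Content-Type` alone passes the JPEG-labelled attachment, and one keyed on MIME structure alone never sees the `begin 644` block at all; a gateway in front of a client that will run either needs both checks. A real deployment would also feed each decoded part to the AV engine and would rebuild the message without the offending parts rather than simply rejecting it.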