[pmmail-list] SirCam Virus Filtering Update

Lueko Willms pmmail-list@blueprintsoftwareworks.com
Sun, 05 Aug 2001 05:06:43 +0200 (MES)


On Sat, 04 Aug 2001 17:25:40 -0500 (CDT), Maynard wrote:

> Don't get so bent on this, Kris; and don't take it personally.
> The fact that the AV community doesn't recognize the non-compliant
> "date: " string header is not relevant.

  Why do you think that a non-capitalized "date:" header is
non-compliant? 

  What makes you think that no other user agent sends out a
non-capitalized "date:"? 

>                                                       those more simple
> filters in use by those of us who don't mind a possible "false
> positive". 

  I do mind a "false positive" very much -- for one, because I would
be very embarrassed if I told somebody "You have sent me a virus" when
this is not true or if I accidentally discard a message I want to
have and read and answer. 

  Your recently added 

   &attachment.name="$header.subject$"

  OTOH is a good one. I have looked for such a condition earlier.
Does that work? The name of the attachment is longer by the file
extensions. Why are there quotes on one side and not on the other? 

  So I would change my filter to check in this order: 

  1. Presence of attachment
  2. Size of attachment
  3. attachment = subject line  (subject line contained in attachment
name)
  4. date header non-capitalized 
  5. typical first and last lines of body message. 

  At the same time, I look for possibilities to do a general virus
checking using the "P" or "PROGRAM" tag and call an external virus
checker which would make it possible to catch any virus, not just the
Sircam worm. 

  I want to notify my correspondents of the fact that they are
unknowingly spreading a virus, and, if possible, in which document
this virus is contained (a customer of mine regularly got a MSWord
document from their outside collaborators with a macro virus in it;
the regular virus checker could of course not find out the source of
that virus; just deleting the infected file and mail does not stop
the sender from spreading it). 


Yours, 
Lüko Willms 
Frankfurt/Main 
/ Lueko.Willms@T-Online.de 
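The five-step check order proposed in the message above, worked through as an added example that is not part of the original post and not PMMail filter syntax. It is plain Python over a raw RFC 822 message: the size threshold, the body-line markers and the sample messages are constructed assumptions (the list never states the real numbers or text), and the verdict tags a message for review rather than discarding it, which is the false-positive concern the author raises. Note that header field names are case-insensitive in RFC 822, so a lowercase "date:" is a weak signal on its own; the example only lets it count together with the attachment checks.

```python
"""Heuristic SirCam-style filter following the five checks listed in the post.

Added example code; thresholds and markers below are assumptions to be tuned
against real sightings, not values taken from the worm or from the list.
"""
import base64
import email
from email import policy

# Assumption: SirCam attachments were large, but the list gave no number,
# so this threshold is a placeholder.
MIN_ATTACHMENT_BYTES = 4096
# Constructed placeholder greeting / sign-off lines (NOT the worm's real text);
# replace with the first and last body lines actually observed.
BODY_MARKERS = ("hello, how are you", "thanks and regards")


def attachments(msg):
    """Yield (filename, decoded_bytes) for every part that carries a filename."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True) or b""


def date_header_is_lowercase(msg):
    """Check 4: the header *name* as written is 'date'. The parser keeps the
    original spelling in items(), while msg['Date'] lookups stay case-insensitive."""
    return any(name == "date" for name, _ in msg.items())


def body_text(msg):
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body else ""


def evaluate(raw: bytes):
    """Return the names of the checks that fired, in the post's order.

    Without an attachment the size and name checks are meaningless, so a
    plain text message returns an empty list straight away.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    atts = list(attachments(msg))
    if not atts:
        return hits
    hits.append("attachment present")                       # check 1
    if any(len(data) >= MIN_ATTACHMENT_BYTES for _, data in atts):
        hits.append("attachment large")                     # check 2
    subject = str(msg["Subject"] or "").strip().lower()
    if subject and any(subject in name.lower() for name, _ in atts):
        hits.append("subject in attachment name")           # check 3
    if date_header_is_lowercase(msg):
        hits.append("lowercase date header")                # check 4
    lines = [l.strip().lower() for l in body_text(msg).splitlines() if l.strip()]
    if (lines and lines[0].startswith(BODY_MARKERS[0])
            and lines[-1].startswith(BODY_MARKERS[1])):
        hits.append("typical body lines")                   # check 5
    return hits


def verdict(raw: bytes, min_hits: int = 4) -> str:
    """Tag for review instead of discarding; requiring several hits keeps a
    lone lowercase 'date:' from condemning a legitimate user agent."""
    return "quarantine" if len(evaluate(raw)) >= min_hits else "deliver"


def build_sample(subject, date_name, body, attach_name, attach_size) -> bytes:
    """Construct a raw MIME message by hand so the header name case is exact."""
    payload = base64.encodebytes(b"M" * attach_size).decode()
    return (
        "From: someone@example.invalid\n"
        f"{date_name}: Sat, 04 Aug 2001 17:25:40 -0500\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n\n'
        "--XX\nContent-Type: text/plain; charset=us-ascii\n\n"
        f"{body}\n"
        "--XX\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{attach_name}"\n'
        "Content-Transfer-Encoding: base64\n\n"
        f"{payload}\n--XX--\n"
    ).encode()


# Constructed samples: one showing every trait, one ordinary mail with a small file.
SUSPECT = build_sample("Report", "date",
                       "Hello, how are you?\nI send you this file.\nThanks and regards.",
                       "Report.doc.pif", 5000)
BENIGN = build_sample("Minutes", "Date",
                      "Hi,\nattached is the agenda.\nBest",
                      "agenda.txt", 1000)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, verdict(raw), evaluate(raw))
```

Running the block prints `suspect quarantine` with all five checks listed and `benign deliver` with only the attachment check, which is the point of requiring several hits before acting.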

- pmmail-list - The PMMail Discussion List ---------------------------
To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com