The following comments are based on observations and not necessarily
researched facts.  The old list appeared to be procmail based and was
open, e.g. allowed non members to post to the list, hence the Spam.  The
current list appears to be mailman based and only allows members to
post.  It is much better.  If the above are correct a member posting
"contaminated" messages will be allowed to post and is outside the list
manager's direct control short of a completely moderated list (an
unreasonable expectation for a public forum).

In addition to virus checking, my mail server utilizes the anomy
techniques to help in blocking this type of message.  Content is treated
without perusal; the anomy filter reacts to file (attachment) type and
name.  Executables (exe, com, scr, dll, et al) are either quarantined or
dropped.  Unknowns are "defanged" by renaming to a non executable file.
Known benign types are allowed through untouched, e.g. jpg, tiff.  HTML
can either have active content disabled or one of the other rules
applied.  Therefore, it does not depend on pattern files.  If interested
I can provide more information on my implementation only!  Debian Linux
release 2, I386 Kernel 2.4.31, Postfix 2.2.8, Anomy 1.76, Cyrus-imap
2.2.12, Cyrus-SASL 2.1.21, SpamAssassin 3.1.0, Perl 5.8.7.
http://mailtools.anomy.net for the curious.

Respectfully,

Michael M. Rach



Dennis Davis wrote:
On Wed, 18 Jan 2006, Jeffrey T Eaton wrote:

From: Jeffrey T Eaton <[EMAIL PROTECTED]>
To: info-cyrus@lists.andrew.cmu.edu
Date: Wed, 18 Jan 2006 14:15:01 -0500
Subject: Re: Spamming IP-Address: 202.80.59.3

well, apart from the fact they are being distributed through
info-cyrus. although it has been much better recently, why is
info-cyrus the only mailing list i get viruses and spam through?
how hard is it to put a virus checker in place? dom

A virus checker is in place.  We run ClamAV on all of our mail
servers.  Sadly, this does not help when the signature doesn't
come out promptly, and the messages are being sent with a (forged)
from address of a valid subscriber.

That's why I prefer to run two virus checkers on all mail.
Sometimes one is quicker than the other at flagging up new viruses.
I believe commercial anti-virus companies, eg Messagelabs, will
similarly run mail through several virus checkers.  I suppose I'm
lucky in that we have a site license for Sophos.

Anyway the ClamAV signature for this particular virus was made
available last night.  ClamAV now detects this nasty as Worm.VB-9.

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
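
The name- and type-based handling described in Michael Rach's message above (drop executables, defang unknowns by renaming, pass known benign types), as an added Python example that is not part of the thread and is not Anomy's code or configuration. The `.defanged` renaming scheme, the replacement notice and the sample message are assumptions; HTML handling is left out.

```python
# Added illustration of name/type-based attachment policy; not Anomy's code.
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE = {"exe", "com", "scr", "dll"}   # types the post says are quarantined or dropped
BENIGN = {"jpg", "jpeg", "tif", "tiff"}     # "known benign" examples from the post
DEFANG_SUFFIX = ".defanged"                 # assumed renaming scheme, not Anomy's

def classify(filename):
    """Decide on the name alone; the content is never inspected."""
    name = filename.strip().rstrip(". ").lower()   # "x.exe. " still counts as exe
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXECUTABLE:
        return "drop"
    return "pass" if ext in BENIGN else "defang"

def filter_message(raw):
    """Return (filtered message bytes, [(original filename, action), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    log = []
    for part in list(msg.walk()):
        name = part.get_filename()
        if not name:
            continue
        action = classify(name)
        log.append((name, action))
        if action == "drop":
            # Replace the payload with a notice so the MIME structure stays valid.
            part.clear_content()
            part.set_content(f"Attachment {name!r} removed by mail policy.\n")
        elif action == "defang":
            safe = name.replace(".", "_") + DEFANG_SUFFIX
            part.set_param("filename", safe, header="Content-Disposition")
            if part.get_param("name"):      # legacy Content-Type name= parameter
                part.set_param("name", safe)
    return msg.as_bytes(), log

def sample_message():
    """Constructed test message with one attachment of each class."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for fname in ("invoice.pdf.scr", "photo.JPG", "notes.xyz"):
        msg.add_attachment(b"\x00constructed", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, action in filter_message(sample_message())[1]:
        print(f"{action:7} {name}")
```

Because the decision uses only the declared name, a double extension such as `invoice.pdf.scr` is judged by its last component, and anything not on the benign list is renamed rather than trusted.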
