Tom Geairn tgeairn at newviewconsulting.com
Thu Feb 5 18:28:02 GMT 2004

This is probably more of an answer than you were looking for, but...

It varies by client, but basically an email goes through the following
tests.  Most things are not black & white (except as noted), but are
given a point value to be used later in the process.

* Incoming SMTP check
  o Is the sending host in the local blacklist? DROP CONNECTION
  o Is the sending host in the local whitelist? RELAY TO FILTERING
* Filtering (Headers)
  o Is the sender in the local blacklist? DELETE
  o Is the sender in the local quarantine list? QUARANTINE
  o Check for known worm signatures in header. QUARANTINE
  o Is the sender in the local whitelist? RELAY to NEXT FILTER
  o Reverse IP mismatch? ASSIGN POINT VALUE
  o From domain does not match sending host domain? ASSIGN POINT
* Filtering (Content / Attachments)
  o Message to a honeypot address? Add sender to blacklist or
    quarantine list
  o LDAP lookup of recipient fails? QUARANTINE
  o SPAM tests (keywords, heuristics, attachment count, URL count).
  o Unknown Attachments? QUARANTINE
  o Known Attachments contain macros (from non-whitelisted sender)?
  o Other tests (recipient count, BCC count, etc.). ASSIGN POINT
  o Known Attachments (.pdf, .doc, .zip, .xls, .jpg, .tif, etc.) from
    known user (one I've sent to before or Whitelisted; database size and
    ageing date varies by client). PASS to AV
  o Known Attachments from unknown user? QUARANTINE or PASS to AV
    (depends on client; most just pass to AV or use a smaller list of
    allowed attachments)
* Filtering AV
  o Mail server based AV check fails? QUARANTINE
  o Write attachment to disk for disk based AV (from a different
    vendor). Failure? QUARANTINE
* Final Rating
  o Use accumulated point value to rate message. Rewrite subject
    and add header info to possible spam message. Messages get rated from
    "clean" (no info added to message) to "Very High" indicating almost
    certain spam. Once a message has gone through all of these tests, "Very
    High" is also very rare.

Whew!  This process is almost instantaneous and is generally done using
two+ machines (incoming hardened gateway machine(s) + internal filtering
and delivery machine(s)).  Smaller clients have this all going on with
one mail server, or we provide a forwarding service.  By having to jump
through so many hoops before reaching the AV checks, we can avoid
placing too much reliance on the AV.

The "quarantine list" of senders was useful during the early stages of
MyDoom as the worm was sending to unknown email addresses, resulting in
the addition of the sender to a "quarantine all messages from this
sender" list.

Obviously the above flow of tests gets customized somewhat for each of
our clients, and there are a variety of other checks we can add to the
list depending on the need.  One popular addition is a database lookup
for a string contained in the header or subject line.  This is used so
that replies to a message don't get dropped.  If I send a message to you
with "Incident ID:XXXXX" in the subject and you reply, your reply won't
get dropped based on content alone.

-Tom Geairn
NewView Consulting, LLC
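The scoring pipeline above, as an added Python example that is not part of Tom's post: it walks a constructed message through the blacklist, quarantine-list, reverse-DNS, domain-match, honeypot, attachment and content checks, accumulates points, and maps them onto the "clean" to "Very High" scale. All list contents, point weights, the "Incident ID" pass-through string and the rating thresholds are assumptions.

```python
"""Point-scoring mail filter modelled on the pipeline in the post above.
Added example, not the post's own code; all lists, weights and thresholds are assumed."""
import re

BLACKLIST = {"spammer@bad.example"}
QUARANTINE_LIST = set()                 # grows when a honeypot address is hit
WHITELIST = {"alice@partner.example"}
HONEYPOTS = {"trap@corp.example"}
KNOWN_EXTS = (".pdf", ".doc", ".zip", ".xls", ".jpg", ".tif")
OPEN_INCIDENTS = {"Incident ID:12345"}  # subject strings we sent out ourselves
SPAM_WORDS = ("free money", "click here")

def domain(addr_or_host):
    """Last two labels of a host name, or of the host part of an address."""
    return ".".join(addr_or_host.rsplit("@", 1)[-1].lower().split(".")[-2:])

def rate(points):
    """Map accumulated points onto the post's rating scale (thresholds assumed)."""
    return "clean" if points == 0 else "Low" if points < 3 else "High" if points < 6 else "Very High"

def filter_message(msg):
    """Return (verdict, points); verdict is DELETE, QUARANTINE, PASS or a rating."""
    sender = msg["from"].lower()
    # Header stage: black-and-white decisions first, then point assignments.
    if sender in BLACKLIST:
        return "DELETE", 0
    if sender in QUARANTINE_LIST:
        return "QUARANTINE", 0
    points = 0
    if sender not in WHITELIST:         # whitelisted senders skip the point tests
        if msg["reverse_dns"].lower() != msg["sending_host"].lower():
            points += 2                 # reverse IP mismatch
        if domain(sender) != domain(msg["sending_host"]):
            points += 1                 # From domain != sending host domain
    # Content / attachment stage.
    if HONEYPOTS & set(msg["to"]):      # harvested address: remember the sender
        QUARANTINE_LIST.add(sender)
        return "QUARANTINE", points
    if any(not a.lower().endswith(KNOWN_EXTS) for a in msg["attachments"]):
        return "QUARANTINE", points     # unknown attachment type
    if any(tag in msg["subject"] for tag in OPEN_INCIDENTS):
        return "PASS", points           # reply to our own mail: never drop on content
    if len(msg["to"]) > 10:
        points += 1                     # recipient count
    body = msg["body"].lower()
    points += 2 * sum(w in body for w in SPAM_WORDS)
    points += len(re.findall(r"https?://", body))
    return rate(points), points
```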

Will you share your list of allowed extensions?

