[Dshield] Delayed Attachment Delivery?

Tony Earnshaw tonye at billy.demon.nl
Sat Feb 28 09:23:40 GMT 2004


Sat, 28.02.2004 at 05.58, Lewis Wolfgang wrote:

> I work at a facility that processes more than 100,000
> incoming email messages per day.  Twice this week we've
> been compromised by viruses that managed to sneak in
> before the virus signatures recognized the infections
> (Netsky.c and Bagle.c).  The "zero day" effect has
> turned into a "zero hour" problem.
> 
> It would seem that if certain executable attachments could
> be delayed for a few hours before delivery we'd have some
> breathing room to allow the virus signatures time to
> settle in.  Known dangerous filetypes (and double-extent
> filenames) could be thrown away right away.  Zipped
> executables would be the candidates for delayed delivery.
> 
> Does anyone have any thoughts or recommendations?

Using Postfix as MTA (2.0 or upcoming 2.1) and header_checks, as well as
a suitable reject policy (smtp 4xx), this is a breeze. Remember in this
respect that MIME headers can be part of the body of a message. You
might even be able to do it better with the Postfix snapshot (also
upcoming 2.1) policy daemon.

Obviously the downside would be that you most probably use another MTA
than Postfix 2.x and that the decision even to consider implementing it,
the learning curve and implementation cost time. But, it's possible and
I do it already :)

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
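
As an added illustration of the policy this thread describes (not Tonni's Postfix setup and not code from the list), the same decision logic in Python: known-dangerous and double-extension filenames are refused with a 5xx, a zip that contains an executable gets a 4xx so the sending MTA keeps retrying until a delay has elapsed, and everything else is accepted. The extension list, the delay length, the first-seen store and the sample messages are assumptions of this example.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Illustrative lists and delay, assumptions of this example, not from the post.
DANGEROUS_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", re.I)  # e.g. invoice.txt.exe
DELAY_SECONDS = 4 * 3600  # "a few hours" of breathing room for signature updates

def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def zipped_executables(data):
    """Names inside a zip with a dangerous or double extension; [] if none, None if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if ext_of(n) in DANGEROUS_EXT or DOUBLE_EXT.search(n)]
    except zipfile.BadZipFile:
        return None

def classify(raw, first_seen, now):
    """Verdict for one DATA submission: ('550', why), ('450', why) or ('250', 'ok').
    first_seen maps a digest of the message to the time it was first offered, so the
    450 keeps the sender retrying until DELAY_SECONDS have passed (store is an assumption)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    delay = False
    for part in msg.walk():                      # MIME part headers live in the body
        name = part.get_filename()
        if not name:
            continue
        if ext_of(name) in DANGEROUS_EXT or DOUBLE_EXT.search(name):
            return "550", f"attachment {name!r} not accepted"
        if ext_of(name) == "zip":
            inside = zipped_executables(part.get_payload(decode=True))
            if inside is None or inside:         # unreadable zips are delayed too
                delay = True
    if delay:
        digest = hashlib.sha256(raw).hexdigest()  # retries resend identical DATA
        if now - first_seen.setdefault(digest, now) < DELAY_SECONDS:
            return "450", "zipped executable held for rescan, retry later"
    return "250", "ok"

def build_sample(filename, data):
    """Constructed test message with one attachment (not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "test"
    m.set_content("see attached")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def make_zip(names):
    """Constructed zip archive containing the given (empty) member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()
```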