[unisog] Rejecting, bouncing, stripping, delivering viruses

Karl A. Krueger kkrueger at whoi.edu
Wed Jul 28 18:39:51 GMT 2004


On Wed, 28 Jul 2004 11:35:07 -0400, Gary Flynn <flynngn at jmu.edu> wrote:
> We've stripped zips in the past temporarily as circumstances
> dictated but after Monday we're looking strongly at making
> it permanent.

We avoid "stripping" any attachments.  If a message is indeed junk, then
AFAICS no part of it should be delivered.  Delivering the virus message
with the virus removed just annoys the recipient and makes him call his
tech support -- "Do I have a virus?  It says here 'virus removed'."

Our clients get a -lot- of "dead viruses" that result when another site
is stripping virus attachments out before relaying.  They don't like
getting them.  Unfortunately since the "dead virus" message now contains
no virus code, our anti-virus software doesn't block it.  These are in
the same category as the erroneous bounce messages that some server-side
anti-virus software sends in response to forged viruses.  In both cases,
I've taken to adding some of these anti-virus software messages to our
content filters.


We also avoid rejecting attachments by filename, since viruses lie about
filenames and Microsoft apparently has an unending supply of filename
extensions that translate as "run me".  Instead, we match the Base-64
encoding of the Microsoft EXE magic numbers ("MZ" header) using a
regular expression:

	/^TV(oAAAEAA|oAAAQAA|oFAQUAA|oIARMAA|ouARsAA|pAALQAc|pCAQEAA|pOAAcAA|pQAAIAA|pyAXkAX|qAAAEAA|qQAAIAA|qQAAMAA|qaAAMAA|qiAAQAA|r1AR4AA|rNABIAN|rQAT8AA|rhARwAk|rmAU4AA|ryAAgAB)/

This will catch an EXE attachment *regardless* of the filename the virus
puts on it.  We also used a similar regex to match the Base-64 encoding
of the header of ZIP files, temporarily, until ClamAV came out with
definitions for MyDoom.M.

We use this (and lots of other patterns) with Postfix body_checks, which
means that offending messages are rejected during the SMTP conversation
rather than accepted and bounced -- so we never generate a spurious
bounce message.


Once we accept a message, we do perform additional checks on it --
ClamAV and SpamAssassin.  SpamAssassin is purely advisory -- it marks up
the headers of "suspect" messages so that people can filter them at the
client if they want.  Our ClamAV wrapper script shunts virus-infected
messages to a separate "quarantine" directory -- it neither bounces nor
delivers them.

-- 
Karl A. Krueger <kkrueger at whoi.edu>
Network Security -- Linux/Unix Systems Support -- Etc.
Woods Hole Oceanographic Institution
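An added worked example, not part of Karl's post or of the unisog archive, showing why the pattern above begins with "TV" and how a per-line check of the kind Postfix body_checks performs would apply it. The DOS stub bytes, the MIME body and the file names are constructed for the demonstration. The second check (decoding the first three bytes of a Base-64 line and comparing them to "MZ") is a generalisation of the post's fixed list of observed headers; it catches an "MZ" header whose following bytes are not in that list, at the cost of also matching any Base-64 attachment whose content happens to begin with the two characters "MZ".

```python
import base64
import re

# The regex from the post: Base-64 encodings of common "MZ" (DOS/PE) header starts.
MZ_B64_RE = re.compile(
    r"^TV(oAAAEAA|oAAAQAA|oFAQUAA|oIARMAA|ouARsAA|pAALQAc|pCAQEAA|pOAAcAA"
    r"|pQAAIAA|pyAXkAX|qAAAEAA|qQAAIAA|qQAAMAA|qaAAMAA|qiAAQAA|r1AR4AA"
    r"|rNABIAN|rQAT8AA|rhARwAk|rmAU4AA|ryAAgAB)"
)

# Constructed: the usual first 16 bytes of a DOS stub ("MZ" magic, then header fields).
DOS_STUB_START = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def b64_prefix(raw: bytes, n: int = 9) -> str:
    """First n Base-64 characters of raw, as a MIME encoder would emit them.
    'M' and 'Z' occupy the first 16 bits of the first 24-bit group, so any
    executable encodes to 'TV' followed by one of 'o', 'p', 'q' or 'r'."""
    return base64.b64encode(raw).decode("ascii")[:n]


def matches_post_regex(line: str) -> bool:
    """The post's check: does this body line start with a known encoded MZ header?"""
    return MZ_B64_RE.match(line) is not None


def decodes_to_mz(line: str) -> bool:
    """Generalisation (assumption, not in the post): decode the first four Base-64
    characters (three bytes) and look for the 'MZ' magic directly."""
    head = line.strip()[:4]
    if not re.fullmatch(r"[A-Za-z0-9+/]{4}", head):
        return False
    return base64.b64decode(head).startswith(b"MZ")


def find_exe_attachments(body: str):
    """Scan a message body one line at a time, as body_checks does, and return
    (line_number, method) for every line that looks like the start of an
    encoded executable, regardless of the filename in the MIME headers."""
    hits = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        if matches_post_regex(line):
            hits.append((lineno, "regex"))
        elif decodes_to_mz(line):
            hits.append((lineno, "decode"))
    return hits


# Constructed MIME body: an executable labelled as a .txt, plus a real text attachment.
CONSTRUCTED_BODY_LINES = [
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Please review the attached file.",
    "--b1",
    'Content-Type: application/octet-stream; name="report.txt"',  # misleading name
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(DOS_STUB_START).decode("ascii"),  # line 11: the executable
    "--b1",
    'Content-Type: text/plain; name="notes.txt"',
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(b"Hello world\n").decode("ascii"),  # line 16: harmless text
    "--b1--",
]
CONSTRUCTED_BODY = "\n".join(CONSTRUCTED_BODY_LINES)


if __name__ == "__main__":
    print("encoded header prefix:", b64_prefix(DOS_STUB_START))
    print("flagged lines:", find_exe_attachments(CONSTRUCTED_BODY))
```

Running the block prints the prefix `TVqQAAMAA`, which is the `qQAAMAA` alternative in the post's pattern, and flags line 11 of the constructed body while leaving the genuine text attachment alone. A header such as `MZ\x00\x00\x00\x00` encodes to `TVoAAAAA`, which the fixed list does not contain but the decode-based check still recognises.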