[unisog] antivirus that works despite ssl

Joseph Brennan brennan at columbia.edu
Mon Jul 9 15:55:27 GMT 2007

power less <absolutelynopower at gmail.com> wrote:

> I'm staying away from
> the word antivirus now. That seems to imply to a lot of people that
> there is A VIRUS, or there isn't. Nothing less than that is a non-issue
> for them apparently.

If this refers to my previous message, it's quite a distortion.  My
point was that identifying a virus in email is a different thing than
identifying other threats like links in email to bad web pages.  If
a given antivirus product found nothing in these messages, that made
sense to me since there was no virus in them.

>  There have been a lot of click-free exploits historically often
> involving javascript or some application that is executed automatically,
> particularly some kind of multimedia thing.

Sure.  This is the case for not rendering scripts in email--
either use a client that ignores them, or have the server comment
out script tags.  The latter is more generally applicable.

I'll propose a more radical idea too: clickable links are bad.
It's pretty easy to click accidentally with a touchpad.  In the
threat pages you cited, one "Solution" offered is never to click
on links.  If people had to copy and paste into a browser maybe,
just maybe, they'd think for a half second.

Ideally email clients would render only a subset of HTML needed
to format text.  No reading files from the net, no scripts, no
click-here links.

I don't expect these protections to be implemented by popular
software because they go against commercial interests.  Gmail is
not going to disable web bugs, or stop making every reference to
a hostname or IP address into a clickable link; advertising is
their only source of income.  Outlook is not going to do anything
like that either since the companies buying Exchange want to do
Internet marketing.

We've been making some efforts here to stop the worst of it, just
using Perl code executed by the MIMEDefang milter.  We disable
scripts by commenting out the tags, for example.

I wonder how much users are ready for.  Is anyone actually
following a security "Solution" like telling users never to click
links in mail, or to read mail in plain text?

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
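
An added example, not part of the original message and not Columbia's code: one way a server-side filter could comment out script tags in an HTML mail part, as the post describes. The sub name, the "disabled:" marker and the sample body are assumptions made for illustration; a MIMEDefang filter would call such a sub on each text/html part.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Wrap script elements in HTML comments so the message still displays
# but a mail client never sees a live <script> tag.
sub comment_out_scripts {
    my ($html) = @_;
    my $count = 0;
    # First alternative: a complete <script ...>...</script> element.
    # Second: a stray opening or closing tag with no partner.
    $html =~ s{(<script\b[^>]*>.*?</script\s*>|</?script\b[^>]*>?)}{
        my $el = $1;
        $count++;
        # Break up every "--" so nothing inside can close our comment
        # early (covers "-->", "--!>" and the old "<!-- //-->" idiom).
        $el =~ s/-(?=-)/- /g;
        "<!-- disabled: $el -->";
    }gise;
    return ($html, $count);
}

# Constructed sample body, not taken from the original post.
my $sample = <<'HTML';
<p>Hello</p>
<SCRIPT type="text/javascript"><!--
document.write("x"); //--></SCRIPT>
<p>Invoice attached.</p>
<script src="http://example.invalid/a.js">
HTML

my ($clean, $n) = comment_out_scripts($sample);
print $clean;
print STDERR "commented out $n script tag(s)\n";

# Self-check: with comments stripped, no script tag may remain.
(my $visible = $clean) =~ s/<!--.*?-->//gs;
die "live script tag remains\n" if $visible =~ /<\/?script\b/i;
```

This handles script elements only; rendering just an allowlisted subset of HTML, which the post calls the ideal, is the broader control.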

