Domain: anomy.net
Stories and comments across the archive that link to anomy.net.
Comments · 23
-
The base problem... is still not solved, i.e. how trivial it is for unaware users to launch a mail attachment, or how integrated the HTML engine is in the mail renderer, enabling more or less automatic launching of attachments. OK, the main culprits here are Microsoft, and in particular Internet Explorer and Outlook; mail-based worms are hard to find for other platforms or even mail clients, but the end users play an important role too.
To be honest, I don't receive mail worms in my Gmail account, but that is because of Gmail's executable attachment filtering. But on a server I administer there is a constant flow of mail worms (that don't impact end users thanks to Anomy Sanitizer and ClamAV), but the biggest part of them are not for specific individuals but for randomgeneratedname@mydomain.com; almost none hits a real account. Not sure what or how many worms of this kind there are, but a few infected people generate a lot of mail traffic this way.
-
Re:Kasperski
Never was infected by a virus myself. But I had a BBS whose files were checked against viruses, worked in LANs where workers didn't have a lot of common sense sometimes, and AVP is pretty good for checking for viruses in mail servers (i.e. teamed up with Anomy Sanitizer).
Being "unprotected" from viruses is OK if you have common sense, firewalls and safe software (i.e. Windows is not in that category, and while Linux is pretty safe against viruses, maybe it is not 100% safe against worms), but when you talk about a lot of people, common sense looks not so common.
-
Re:MIME Defang
Or better yet, Anomy Sanitizer. It disables "active" HTML content (i.e. JavaScript) attached to mails, can quarantine/rename files by extension, and of course can call a configurable antivirus to check and take actions.
That is mostly the way I use it: disabling HTML, checking attached files for viruses, and the Windows executable extensions that passed the antivirus check get renamed anyway to make them not executable without strong user action. Attached HTML pages sometimes don't look/work as desired, but I don't have to worry about someone receiving this particular piece of spam.
-
Re:Not everyone can use Mozilla...
What is more unfortunate is that some businesses require the use of Internet Explorer to be able to get some information from them, and worse, that could happen with governmental sites or in any case sites with information you can't simply ignore. If one of those sites has some way to put random content there, a lot of visitors (especially the ones forced to use Internet Explorer) will be very angry.
For the organizations that require the use of Internet Explorer/Outlook, this kind of attack could be a serious headache: one can send a tricky mail to most email addresses in there and in a matter of hours half of their desktops could be gone, unless they use some kind of active protection (i.e. Anomy Sanitizer, which not only can check/clean viruses, but also disable the "active" content in HTML mails).
-
Re:Maybe...
That's why, at our site, all incoming email goes through the Anomy Sanitizer. It removes unknown HTML tags, like <vframe> or <script>, as well as filtering offsite images to eliminate so-called web bugs.
Oh, and it's fast, too.
-
Re:Depends on actions of the mail client
No e-mail client should ever request content from a remote server and/or load images without a direct action by the user.
True, but I deal with it on the server. Use Anomy to filter out the crap. It removes harmful HTML and inline images, leaving behind harmless HTML that still has bold, underline, etc. It can be run standalone or from mimedefang (or another Perl script).
It's great. The annoyance of spam drops dramatically when it is reduced to simple text.
-
Re:I posted an Ask Slashdot on this...
So why don't you just filter out the crap? Use Anomy to filter out the inline images and harmful HTML. It leaves behind harmless HTML that still has bold, underline, etc.
Anomy can be used standalone or as part of mimedefang (or another Perl script).
The annoyance of spam drops dramatically when it is reduced to plain text.
-
Sanitizer
Impossible to protect against brand new viruses immediately? Not quite: strip every attachment that's executable in Windows. It's not 100% foolproof, but it goes a long way. That's what makes Anomy Sanitizer so useful.
Andrew Klaassen
-
Re:Time to update the antivirus model?
I use Anomy Sanitizer for mail gateways. It just puts in quarantine and removes from the original mail whatever has a banned extension (.pif/.scr/etc), or is detected by an antivirus (but not cleaned; detection is enough for the automatic part), does some cleaning in the text like removing the dangerous tags in the HTML, and the end user gets the original message with a warning for each quarantined attachment.
People are still getting a lot of mail because of viruses, but they receive the text (not the dangerous part), and I can recover quarantined attachments if the antivirus had a false positive or a banned-extension file was really meant to be sent. It has also happened several times that someone sent files from infected machines without being aware of that, or joke programs that could make trouble, where I don't want to let the file pass but do want to let the text through.
-
Re:Server-side filters?
I use Anomy Sanitizer for meta-processing the mail (cleaning up dangerous HTML, renaming dangerous extensions, etc.) and a virus scanner (f-prot, avp, clamav) for checking files.
The files detected as viruses or with disabled extensions go to a quarantine area (avoiding losing desired attachments because of false positives from the antivirus, or because someone really wanted to send a .pif/.scr/etc), and the executable extensions that passed are renamed to avoid exploiting browser/mail client/stupid user vulnerabilities (well, at least users should have to take extra work to save and rename them, giving them an opportunity to think) and to prevent new viruses that are not yet detected by the antivirus.
-
Re:Mainstream Media Coverage
Typically they include a large image at the top which is the entire intended content of the message and then a bunch of dictionary words at the bottom. It's basically impossible to filter these out unless you filter out ALL HTML e-mail because they don't contain any typical spam text.
You aren't thinking very much. Just filter out the IMG tag from the email, and allow the rest through.
Almost no legit email has embedded IMG tags that are useful to you.
Anomy is a great tool to filter out crap from HTML email. It allows the basic HTML tags to go through, so you can still get messages from lusers who use Outlook.
Of course, I still use a text-based email program: pine.
-
Re:Nothing to worry about.
The concept is that the spammer has to find words that are so common in a person's ham that including them in spam would fool the filter. However, as those words are unique to each person, a lot (thousands or more) of spam must be sent to test the filter. The problem for the spammer is to figure out which spam actually got through (in order to identify the important words) - something s/he's not able to do for users with a decent email client...
I like using Anomy with HTML email. It strips out annoying HTML from email messages, including inline IMG tags, JavaScript and other crap.
Incidentally, it protects lusers who use Outlook from many HTML-based exploits.
-
Re:A Very easy solution
Well, there are a lot of scripts to handle viruses and such for Linux mail servers. The one I use (Anomy Sanitizer) not only lets you call an antivirus to check a file, but also lets you rename the extension or mangle the file name completely. The policy I take, for the executable files that are OK for the antivirus, is to rename them, i.e. myfuturevirus.exe to myfuturevirus_exe.disabled, so if the antivirus has not detected it yet the user still has the choice to not run it, or has to take a lot of trouble to run it.
-
Neat, but even simple measures aren't used
This would be a neat way to watch for nasties on the wire. But most ISPs still don't use even the simplest form of filtering on their mail servers that would stop all viruses cold. The goddamn software is free; why can't ISPs use it? For filtering out viruses at mail servers:
-
Re:They're annoying
Anomy mailtools does this one better, stripping out malicious HTML like spam web bugs and such. I'm currently implementing it on my employer's mail servers: http://mailtools.anomy.net/.
-
Virus filtering is not just antivirus software
From the Symantec report the file extensions are just .pif and .scr. Filtering "executable" extensions at the mail server (i.e. renaming normal executables like exe to _exe.renamed and removing/putting in quarantine not-normal executable extensions like pif, scr, sys, etc.) in addition to scanning with antivirus (with a combination like Anomy Sanitizer and a good antivirus) spared me all of the trouble with this one.
-
Re:openrbl.org is a useful tool
Our mail server does not use any blacklists, which is a shame because we get quite a bit of spam. But we are a business and I cannot take the risk of a client email bouncing, especially if they are innocent and the blacklist is wrong.
Why not use SpamAssassin? I have the same situation here at work, and using SpamAssassin works like a champ. I use that along with Anomy. SpamAssassin scans and scores the mail as being possible spam.
I currently specify a score of 6+ as spam. Then that mail gets sent through an Anomy script, which strips out any executable or virus-possible files (I tell people here to request zipped files if they want .exe attachments). It also scans the score of the message: if it's 12+, it dumps the mail into a spam jail directory for three days, but no real person gets that mail unless it's a message they were expecting and never got. Now all spam with a score of less than 12 doesn't get to the recipient, but any with a score of 6-11 gets to the user with "***** SPAM *****" prepended to the subject, along with a body prefix stating what rules the mail "broke", then the original mail as an attachment. All of this is configurable, of course.
-
Re:Not just a .exe
At my work I filter email viruses with Anomy Sanitizer, scanning them with an antivirus and, even if it doesn't detect a virus, renaming executable extensions like those ones, defusing active HTML and dangerous MIME types and more. Anyway, today I received copies of Bugbear at a rate that I thought would be possible only with an internal infection, and it made me doubt how well it was working. But after checking mail logs, it turned out to be just mail coming from outside. I wonder what will happen in the next few days, but in some places it could make the internet unusable.
-
Sendmail has its benefits... ;o)
On the other hand, if you're unlucky enough to be running an MTA other than Sendmail as a mail hub, relaying to sendmails you don't have the access needed to upgrade, then the people you are relaying to are in trouble and you don't have many tools to protect them.
The sendmail patch protects machines relayed to, so people running sendmail on their mail hubs will have far less reason to worry about the machines behind them. ;-)
Note that this also applies to ISPs using something other than sendmail: any Linux/*BSD user who fetchmails his inbox and then pipes it through sendmail can get rooted that way as well. At the moment, ironically enough, the only unmodified MTA which is known to protect the users behind it is: sendmail!
But just in case using a sendmail security bug as a reason for upgrading to sendmail seems distasteful to you, my open source Anomy Sanitizer has had code to prevent attacks like this for quite some time now. Or if you prefer throwing money at the problem, you could sign up for a managed e-mail security service (yes, they pay my salary).
-
sanitizer?
Nobody using sanitizer/a? here?
-
Several checks...
There are a number of things I would suggest depending on your risk level. My company used to get hit all the time by mail viruses and worms, but I installed Anomy Mail Tools and we have not had a problem since. Anomy will defang and quarantine attachments based on the extension and it will remove harmful JavaScript. For files that are common and potentially dangerous like Excel and Word files we use the Kaspersky Antivirus to scan the attachment, since a simple extension rule won't work.
Like I said, we have not had any worms get through our mail server. However, we did have one person download an attachment from an AOL webmail system. She infected herself and some customers, but all her attachments were removed before getting back in to our users. ;-)
This too can be stopped by using Squid and some rules about downloadable files. There is a simple explanation of this within this nice little security manual from Gentoo.
-
Anomy + AVP + Spamassassin works great.
I have been using Anomy Mail Tools to make decisions about incoming attachments and JavaScript-infected messages. I use AVP (although I'll likely switch to one of the free scanners listed in this thread) to scan certain attachments (.doc, .xls, etc.), but otherwise data formats get through and executables get quarantined. If someone wants an executable from quarantine I scan it with Norton Antivirus (thanks Win4Lin), simply because I think that Symantec does a fine job of keeping their system up to date (and I do it maybe twice a year). I also use SpamAssassin for spam filtering. It works really well.
One other thing to watch out for... I had become fairly lazy about scanning the desktop since incoming mail was virtually 100% clean and since nobody uses floppies any more. Then I had a user download an infected file from her personal webmail account. I went crazy trying to figure out how this thing got in until I finally got a confession on the webmail use.
-
Anomy mail tools
Check the Anomy mail tools. They can disable the active content of emails (like renaming .exe to .exe.disabled, or modifying the included JavaScript in HTML attachments to make it not executable). Also you can check and/or clean the attachments with antivirus and tools like that. Also some antivirus products have mail checking engines for Linux, like avp or antivir, and with a policy of keeping the databases updated, this can work almost unattended.