Domain: mailscanner.info
Stories and comments across the archive that link to mailscanner.info.
Comments · 45
-
Re:Read the little ".whatever"
Maybe it's because I'm using MailScanner and ClamAV.
-
Re:Use Thunderbird
The popular MailScanner spam/virus filter removes 1x1 Web bugs by default so there are quite a few mail servers out there that will neutralise this issue.
-
Re:EICAR
EICAR is detected by all AV products including ClamAV.
I'd put it in a zip file, then attach the zip to an email message. Show how real viruses propagate by mail. How about putting a copy on a USB pendrive then running eicar.com from Autostart? Any Windows AV product with a decent autoscanner should detect both of these and pop up a warning.
If you want to get really fancy you can set up a Linux box running MailScanner with ClamAV and send an "EICAR-infected" e-mail message through it. You'll see MailScanner detect the virus, put it in a quarantine, and send notices to the admin and, optionally, the sender.
For a lay audience I think it's more important to stress the vectors than to concentrate on the payload itself.
Now if you could only find a site distributing Antivirus 2010. If you do, make sure you're using a Linux machine when you visit the site. If your class understands that there's more to the world than Windows, see how long it takes them to understand why there can't really be an AV program "scanning the C: drive."
-
Re:Got mimedefang?
Dear oh dear.
May I introduce you to MailScanner? It will also scan links and remove any that look like they link to something dodgy.
(And I don't have anything to gain from this - I'm just a very happy user).
-
Re:JS in email text?
MailScanner has had the option of "disarming" scripts in email for years now.
Allowing scripts in email messages is as bad as allowing them in advertisements on web sites.
-
Re:On the fence
You may be correct on that. I just looked at their page, and it looked similar to the one where I remember it basically saying if you wanted to be delisted you were SOL.
On a few occasions, because another company used an irresponsible blacklist, I'd have to move the mail server just to get the mail working. That never made sense either. They'd complain to me that they didn't receive our mail, but it was an irresponsible blacklist on their side that caused the problem. That only happened 3 or 4 times over the last decade, but it was still an annoyance.
I hate the spammer problem, but I hate the irresponsible blacklists more. Well, it's more of a problem that some folks use the blacklist as a make/break decision, rather than just a suggestion. I've used Mailscanner for several years, which can use multiple blacklists to score the message. When I set it up, one isn't enough to judge it as spam, but if say 3 of 5 do, then it won't be delivered.
-
Re:One father's experience
I wasn't talking about linked images; those can be disabled easily in Thunderbird. My comment concerned images attached to the message itself. Oftentimes that sort of message consists of a line or two of text and an attached gif.
I'm well aware about protecting privacy and disabling linked images. I use MailScanner which automatically disables linked images by default.
-
My setup is simple...
-
Re:dajones70
Absolutely MailScanner - thread over!
http://www.mailscanner.info/
Our organisation runs 5 Linux Servers around the UK for mail services and they are all using MailScanner + Postfix + SpamAssassin + ClamAV + Bitdefender.
Great installation instructions (all-but bitdefender) here: http://www.hughesjr.com/content/view/14/
The mailing list for MailScanner is very well supported by the users and the devs.
-
Paypal is Deceptive
I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing
Probably because Paypal is deceptive in their own mails. Here's an excerpt from a recent PayPal mail as rendered by MailScanner:
MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be AllPosters.com
MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be TigerDirect.com
Disney's Toontown
Time Consumer Marketing
eBags
MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be ZipZoomFly.com
MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be ESPN.com
Now they have the hypocrisy to complain about others not jumping through hoops for their mail? Give me a break.
-
Re:No Shit? Never Did...
You can actually use something like MailScanner* to filter HTML email. It can convert them to formatted plain text or just drop them.
Convert Dangerous HTML To Text
Default is no
When <IFrame> or <Object Codebase=... HTML tags are allowed in messages, would you like to convert any messages containing them to be plain text. This is very useful as an alternative to either banning them using the 2 options above, or else allowing them through untouched. This option will still give the users the chance to read the text content of the message while not exposing them to potentially dangerous or offensive HTML content.
Convert HTML To Text
If you have users who are children, or who are offended by things like pornographic spam email, you can protect them by converting incoming HTML email messages into plain text. HTML attachments will not be affected. You could set this to be a ruleset so you only convert messages addressed to some of your users, or not convert messages from some known trusted sources. This can be essential if you have a "duty of care" for some of your users.
*I use this to filter web bugs, phishing, outlook vulnerabilities, and viruses (running every attachment through ClamAV, BitDefender, AVG, and F-Prot). It rocks.
-
Re:And if you believe that...
yes, there is.
http://www.mailscanner.info/
it's redirected to http://www.sng.ecs.soton.ac.uk/mailscanner/, but it's legitimate in the sense that mailscanner.info is a lot easier to remember
-
linker3000
Frickin' lasers! Seriously, though, this is a great shame and has also affected servers hosted by the MailScanner Team - there's a news item on the front page of their site about the fire.
-
Not so new...
unless they scan at the packet level, but Mailscanner http://mailscanner.info/ already does a pretty good job of detecting and disarming those types of messages already. My MailScanner setup uses Postfix / Postgrey / Clamav / Spamassassin / bayes / Rules DeJour /w some custom rules of my own thrown in. And so far my users have not seen one phish attempt nor virus and not only that but Mailscanner has been detecting these for over a year now.
-
Re:Who cares
ClamAV is completely useable, personally I see no need for any other. As for a milter being hard to set up, try installing MailScanner http://www.mailscanner.info/ - it will automatically use ClamAV if it's installed (you can add, delete others via a conf file) and it'll even automatically update it for you too. If more corporations would 'trust' open source, it would be very easy to put a virus/spam/dcc/greylist/mailscanner solution; even in front of their precious exchange server!
-
Re:symantec
How about a combination of MailScanner, ClamAntivirus, and SpamAssassin.
All FOSS, easy to install, and extremely effective. You could even keep your Exchange server; just put the scanning box between it and your inbound email firewall. (You do have an inbound email firewall, right?) I assume you also scan outbound email as well. For those, just set up Exchange to use the scanner box as a "smart host."
-
This is no more than an ad.
All these are commercial products. ZDNet has a long reputation of discussing commercial solutions without any regard to completely viable OSS solutions like
-
MailScanner!
MailScanner is a brilliant piece of work which integrates Sendmail/Postfix/Exim/whatever with SpamAssassin (plus Razor/Pyzor/DCC) and ClamAV/BitDefender/Sophos/Mcafee/etc, all driven by highly customisable rulesets. It's open source, support via the MailScanner Mailing List is second to none, and its author, Julian Field, is always improving an already excellent product. I cannot recommend it highly enough.
-
Re:LAW SUIT
The only difference is in that I wasn't spamming something. I was demonstrating how the spammers hide their source. And my destination list was of 1, not millions.
I'm really not for direct marketing. I don't like a newspaper full of ads. I don't like that 90% of the mail coming to my house is advertising. And I don't like that 99% of the traffic coming to our mail server is advertising.
I'm all for a 100% ban on spam. If I never received another piece of spam, I'd be a very happy camper. As it is, we receive between 80k and 100k pieces of email on our mail server per day. The viruses are automagically deleted (no executable-ish attachments at all), and the spams are tagged by several means so the users can filter them.
My users are pretty happy. They don't get much of the 'evil' of Email in their box. The occasional piece of spam makes its way through. I'm down from 1000+ per day to maybe one or two per day.
BTW, I *HIGHLY* recommend MailScanner (http://mailscanner.info).
We could all take on the new Lycos approach, and kill either the spammers or the Internet at large. Set up your mail server to `ping -c 10000000 $spamserver`. They send spam, we detect spam, their connection goes to shit. The more people they hit, the more traffic they generate. They send a million pieces of spam, that's a million people hitting them back. But again, we're using an illegal tactic to stop a grey-market business.
In most areas, spam isn't illegal.
I'd like it if I didn't receive another unsolicited AOL CD in the mail, but what do I do, send 10k letters back to AOL? Nope.
Maybe the e-postage propositions are a good choice, but who's to collect the postage? If I have to receive 100k emails a day, I damned well want to be reimbursed for the server time (cost of a good machine, time maintaining it, etc)
-
Re:The end of mailing lists?
He's not the only person it works great for. I SysAdmin a ~400 employee international company - who deals a lot with Asia. We use MailScanner (SA as the anti-spam piece), and my users see maybe one spam per week now. No training was done whatsoever, only added an additional blacklist, and away we went. My home system, receiving about 300 spams per day, also uses MailScanner - I can't remember the last time I actually saw a spam in something other than my SPAM folder - and 9 months without a false positive...
Geeze, what are you doing wrong?
-
Antivirus is dead
Patching isn't dead, it's still needed.
What's frightening, however, is that Antivirus vendors still haven't got it. Weekly, or even daily pattern updates are NOT sufficient to prevent the spread of viruses and worms.
For example, W32/Zafi.b@MM was in the wild on June 11th this year, and was detected and stopped on the same day by Bitdefender and ClamAV on our MailScanner box. McAfee released its 4366 DAT files 2 1/2 days later, on June 14th.
Similar slow responses happened with Netsky and Bagle, IIRC.
The biggest trouble we have is getting past the mindset which says "we have up to date antivirus on our PCs therefore we're safe". I beg to differ.
Phil
-
What's important is HOW they infect
There are several infection vectors used by the current round of viruses. I'm assuming that even fully patched versions of Windows, Outlook Express, and Internet Explorer are vulnerable to security exploits (they are).
1: Executable attached to email, either auto-infecting or using the social engineering made possible by Microsoft's "virus-friendly" File Extension Hiding. So people click on what they think is a text file attachment (where even the icon makes them think that it is a genuine text file). As I've repeatedly said before, it is time that Microsoft released a patch to completely disable and remove this dubious feature from Windows.
Cure: Use a non-Microsoft email reader - Pegasus Mail, Thunderbird, whatever.
2: Social engineering via email. Who in their right mind would open an attached password-protected .zip file where the password was given in the email body?
Cure: User education.
3: Seemingly innocent HTML emails which contain an OBJECT DATA exploit.
Cure: Don't use Outlook. Use an email gateway box running MailScanner to disarm dangerous HTML tags.
4: Worms spread via direct connect to your PC.
Cure: Proper firewalling, use application proxies and don't NAT anything to the net. This is more appropriate in a corporate environment.
5: Web pages with dangerous HTML which, by exploiting IE or Outlook Express vulnerabilities, run malware on your PC.
Cure: Use a proxy server which strips all dangerous tags; Dump Internet Explorer and use Mozilla Firefox instead.
6: You are "Protected" by Antivirus software but the virus / worm got you before the vendor's weekly update came out. (Waving to McAfee and Symantec as I write this). This is the BIGGEST change I've seen in virus behaviour this year. Since February, we've been catching viruses/worms before some of the main vendors have had updated patterns out. (thanks ClamAV and Bitdefender).
Cure: Antivirus vendors need to release patterns as soon as they've got the virus signatures tested, and not wait to see if an outbreak happens. Users need to update their virus patterns on an hourly basis, not weekly.
That'll do for starters.
-
Re:No kidding
The only argument that I've heard that makes any sense is if someone is against Gmail because of this ad thing, so they don't sign up for the service, but then all their friends do so when they send email to them, their emails are scanned for content, even though they're not signed up with the service.
Hmm, messages scanned for content by the receiving mail server... nothing at all like these MailScanner and SpamAssassin packages that we have installed on our mailservers, that scan every piece of received mail for content. :)
(and we don't even tell the sender that we're "reading" their mail!)
-
Re:It's not that surprising . . .
I found ZoneAlarm to be quite a hit on my machine's performance. I also didn't like having to deal with 10 prompts every time I opened a net-using program.
For me, this is the reason I run ZoneAlarm. I want to know if some piece of malware is trying to phone home. For me the dangerous vector is web sites since I scan all my mail with MailScanner and ClamAV. Just blocking messages with executable attachments stops nearly all common email viruses/worms/trojans. It's that spyware stuff that poses a greater threat here.
And, just what performance hit are we talking about? A pop-up warning box that you can clear with one click? My copy of ZA is running in just 2MB of memory and has no apparent effect on the system's responsiveness.
-
Re:as a sysadmin....
... can't you just pre filter all email attachments and run them through your own scanner
Just to clarify, we do filter attachments, using some in-house software called MailScanner. The points I brought up were just interesting thoughts on the subject.
That being said, we still get people mailing us with "Please can you send me the attachment you removed" messages, when it's quite blatantly a virus... Some people just never learn!
-
Offsite backups?
I'm interested in the possibility of using this for offsite backups. Right now some of my clients transfer a file of some 600-900 MB each day to our servers for offline backup. It wouldn't take much to set up six or seven Google accounts (one per day) and mail the files to them instead.
However, now we run into confidentiality issues. Of course the file is already compressed with gzip or bzip2, but will Google's text analysis algorithms be designed to decompress files and index the contents? (Since virus scanning software like MailScanner already does this, I'd guess the answer is yes.) Most of the information that's sent to us is proprietary, and some of it may be governed by rules like HIPAA. The obvious solution is to encrypt the compressed file before shipping it, of course.
There's also the problem of deleting last Tuesday's message before sending the new one. I suppose I could script lynx for this. Any other suggestions (other than manually deleting it from a web browser each day)?
-
MailScanner is great
Julian Field updated MailScanner on Thursday to disarm the latest "OBJECT DATA exploit" code. You'll want the "beta" 4.29.4 version (or later).
-
Quick fix:
MailScanner + SpamAssassin + Clamav.
Stops unwanted mail dead.
Finally be able to stop bitching about your inbox.
100% Free.
Small catch: you need your own mailserver. Answer: add procmail to your recipe. Ha, get it?
MailScanner
SpamAssassin
ClamAV
-
Re:Good idea in my mind!
That's somewhat of a ridiculous comparison. If you're going to compare OSS and closed source methodologies, you should not do the equivalent of comparing a teen garage band with the New York Philharmonic. A better comparison would be "enterprise" closed source, versus open source that has a lot of manpower behind it.
The open source that tends to get used the most is the stuff that has a strong userbase and active developers. The 14-year-old-written "this is l33t so I wrote it, visit my blog d00d!@!@!!" kind of software is occasionally useful if you need something to do a small, handy thing on your workstation, but rarely gets used heavily in production -- even by workplaces using open source.
More likely, the software written is by some post-graduate or a group of programming enthusiasts who are interested in the program concept or have found it useful and decided to help improve it. Most of the GNU software, MailScanner (an extremely flexible virus/spam gateway), and the Linux kernel itself, is written in this manner. Many of them release designs and papers, something which the companies you're speaking of often keep in-house and hidden from the public.
Now to my personal mistrusts. I personally mistrust software that's probably written by someone with a passing familiarity with Visual Basic, who does not speak my language and does not document the program properly. If you wonder what I mean, try installing some of that "bonus software" that comes with your inkjet, scanner, or CD writer on your system and you'll learn a painful lesson. Not all software written by a company is good, or even has a reasonable design behind it -- and sometimes, even with a reasonable design it's still programmed badly.
-
Re:Server-side filters?
I highly recommend MailScanner works with a large group of AV software, allows you to filter by magic! (file content, that is :)
Also works with SpamAssassin, RBLS, and all sorts of other goodies
-
Re:Warnings...
That's Beagle.K (or Beagle.J, it's linked from the story, though), I've only received one, but it's annoying as all hell to block.
I'm now blocking all encrypted zip attachments via my trusty MailScanner
(there's a beta version which adds this, I couldn't trust the filename rules, and wouldn't block all zip attachments)
-
Re:ClamAV vs. Commercial
It's true. We've been using a combination of MailScanner, Spamassassin, and ClamAV on ours and a number of customer mailservers for a little over a year now. Don't seem to remember any viruses getting through, and many times Clam has an update before the commercial vendors. It's also got _great_ support through the mailing list(s). I would recommend ClamAV wholeheartedly.
-
MailScanner on Fedora Core 1
We've just started using MailScanner on a box running Fedora Core 1 here. So far MailScanner with SpamAssassin, DCC, Razor and Pyzor is doing a good job, but it is too early for us to get meaningful statistics. A nice web front end for MailScanner is MailWatch, and we monitor the throughput and performance of the box with MailScanner-MRTG.
Phil
-
SA+MailScanner works for me
I've found the easiest way to implement SpamAssassin is to invoke it through MailScanner. MailScanner uses third-party virus scanners and can optionally invoke SpamAssassin as well. With the free ClamAV antivirus product, you can build a powerful open source mail scanner. Even without a virus scanner, MailScanner detects and quarantines executable attachments and other dangerous content which represent the most common types of mail-borne viruses and worms.
RedHat installs the daemonized version of SA as well as the SA Perl scripts. Using the daemon, the easiest implementation is to invoke SA in /etc/procmailrc on the mail delivery host; for mail gateways running sendmail, you need to use the milter interface. I've found the MailScanner+SpamAssassin approach much easier to configure than either of these methods, and you get virus scanning to boot!
I suspect if the reviewer had compared SA 2.60+ to the commercial products, rather than the older 2.44 version used in the review, SA would have shown better results.
I'd agree with the reviewer that one of the things SA lacks is an easy method for users to interact directly with the program. (Part of the issue has to do with security; SA runs as root. As I read the review, I wondered how the other products allow users to interact directly with the scanners without sacrificing security.) It's not easy to maintain per-user Bayesian filtering, for instance, but I generally recommend having the mail client, e.g., Mozilla, handle these tasks.
-
They are losing
based on the number of spams that are getting through. It has jumped up again (doubled) in the last 1-2 months.
On which ISP? On one using proper blacklists, some good regexp rules (SpamAssassin) and some site-wide applications of the engine (MailScanner), spam is minimized. You'll get some false negatives, but it's a trickle, not a torrent.
Ever since installing the above at work (it's a .gov whose entire address list has been passed around the Internet like a trading card), spam has decreased to around 3-5 false negatives a day. Life is good.
And BTW, to the people who are moaning about the computing power needed to run SpamAssassin and MailScanner (MailScanner, especially, is a hog, no denying it) -- perhaps you need to think about replacing that 386 running RedHat 6.0 in your parent's basement. It's probably been 0wN3d a couple dozen times anyway.
-
Re:But still less...
mailscanner one of the nice open source free scanning engines has a feature like that, called silent delete, for spoofing viruses I believe.
-
Re:No doubt!
Some filters do, you might want to try MailScanner which has an option to clean silently on a per virus name basis (and optionally still delivering a message to the postmaster)
-
Re:Other factors to consider
While not necessarily IMAP related, you may want to look in to MailScanner. It's a mail relay program that accepts all incoming mail for your domain, does some analysis on the email and then forwards it on to your internal mail system. It can use something like 14 different virus scanners (all at once!) to do signature-based virus detection. At my work, we just use the attachment blocking feature to strip out attachments that we don't want coming in via email. 95% of the attachments that get quarantined at the mail gateway are viruses! It also integrates with spamassassin to help stop spam. It can automatically remove hostile HTML/scripting tags if you want, too.
We're using a neat MRTG based tool called mailscanner-mrtg to monitor our Mailscanner system. It produces pretty graphs.
All in all, it's a really great first line defense tool for keeping corporate email secure!
Good luck!
ACK and you shall receive.
-
A wider alternative
another alternative is MailScanner with any of these AV programs
Sophos, McAfee, F-Prot, Command, Kaspersky, Inoculate, Inoculan, Nod32, F-Secure, Panda, RAV, Antivir, ClamAV, Vscan.
Installs basically as a drop in for exim, Postfix, sendmail and ZMailer.
I've been using this with sendmail and the free for personal use version of F-Prot.
it keeps the (possibly multiple) attached AV scanners updated and has internal support for SpamAssassin.
-
Re:Just do what I do
While this will cut your spam down to virtually nothing, you are limited in that the method you describe is accepting only messages that you whitelist. You will lose e-mail from anyone who you haven't whitelisted, even if it is a legitimate message.
Without further working this would make most mailing lists be filtered into spam, as well as anyone who was trying to contact you for the first time.
I've found that using something like SpamBouncer or MailScanner is much better in regards to not losing AS MUCH legitimate e-mail than a pure whitelist is. Of course you add a whitelist beyond using the various spam filters, but a whitelist alone is way too restrictive to use in a corporate (or even personal IMO) environment.
-
Re:SA still works
And coupled with MailScanner, it's even better. MailScanner facilitates virus/exploit checking, among other things.
-
Re:Mailscanner
We also use mailscanner here at Southampton (unsurprisingly, given that it's developed locally). It's a capable piece of software, and has a sizeable number of installations worldwide (the maintainer's current conservative underestimate is 7000-8000 sites with a throughput of around 3.5 billion messages per day).
-
Re:My client caught it, Strange symptoms
According to the analysis by Sophos
Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.
Judging from the questions I've had over the past two days (from users, about incoming emails which have been 'disinfected') it's also worth noting...
the worm can spoof the From and Reply To fields in the emails it sends. [Like Klez & YaHa do]
We use MailScanner along with a Sophos engine to filter our incoming mail - and we've caught dozens of this worm in the last two days. Remembering the trouble from Nimda last year I'd recommend MailScanner to everyone, it's free & can be used with a variety of engines. [I'm not associated with the MailScanner project BTW]
-
Mailscanner
I use mailscanner with sendmail to scan mail for viruses. It has a number of nice features such as the ability to block certain types of attachments (e.g. exe's) - this can be configured to block/allow any attachment based on regular expressions. It relies on third party virus engines - I use Sophos at work and f-prot on my home network, but others work too. It also integrates well with spamassassin to effectively tag spam.
If you have a mixed network with samba shares you might also like to have a look at Rainer Link's samba-vscan VFS module for samba at the openantivirus site.
-
Re:Suggestions?
at work i set up mailscanner, which uses sophos anti-virus engine, and also spamassassin to tag all the spam. overall, very nice setup. ohh, i use sendmail for the transport.