Can We Effectively Scan For E-Mail Viruses?
A couple of questions here, first from DavidBrown: "It occurs to me that with the recent virus/worm/whatever stories, maybe the solution to e-mail viruses isn't to go out and install on every desktop virus software that nobody likes to run - it slows you down, and doesn't feel 'natural'. Maybe we should screen for questionable macros and infected attachments at the ISP mail server level?" But before we screen, we first need effective filters, which is the subject of kevin42's question: "I've tried many different filters and strategies for reducing spam that comes into my domain. The problem is I still get a ton of spam, and when I look at what the filtering is catching it's only like 5% of all the spam. A search on freshmeat finds tons of apps and filters, but I've tried a few and none seem to work. Trying them all will take forever, so does anyone have experience with some that will actually work?"
David adds: "Yahoo mail seems to do this. Once a new virus is detected, ISPs can install new updates much faster than most users." ISPs are implementing this, just not fast enough for most people. Which ISPs (especially national ones) have hardened their systems against such viruses and, more importantly, who hasn't?
Now that I look again, there seems to be a way to use it on a relay. If you do that, make sure it's a beefy machine. Getting 20-30 messages/minute gets the load average into the "sendmail stops talking to you" range.
If you want a security tool check SecurityFocus. They have all kinds of neat toys that actually work.
--
As far as spam filtering goes, though, it's nearly impossible to do it effectively using a prebuilt package. The spammers seem to have plenty of new tricks up their sleeve all the time. (My favorite is the one saying "This is not spam." If you have to say it isn't spam, then it's spam.) I've written some rather elaborate filtering using procmail, and it's been quite accurate. The best part is that I can make adjustments as I go along. On the flip side, it isn't 100% effective -- occasionally spam gets through, and occasionally it misses something that is spam. And, of course, to program in procmail you have to have a good understanding of how regular expressions work.
You can take a look at my procmail filter here, as well as a score-based algorithm that only bounces the mail if it matches more than one of the phrases listed there. Go ahead and use those examples if they help. And, check out procmail.org for all the documentation.
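The score-based idea in this post, as an added example that is not the poster's procmail filter (the linked rules are not reproduced here): count how many phrases from a list match the subject and text bodies of a message, and bounce only when more than one matches. The phrase list, the threshold and the sample messages are constructed for this example; a real filter would read the phrases from a file and tune them over time.

```python
import email
import re

# Hypothetical phrase list, standing in for the file a procmail-based filter
# would read; tune it as spam changes. Entries are regular expressions.
SPAM_PHRASES = [
    r"this is not spam",
    r"to be removed",
    r"free money",
    r"act now",
    r"\bunsubscribe\b",
    r"limited time offer",
]
PHRASE_RES = [re.compile(p, re.IGNORECASE) for p in SPAM_PHRASES]

# Bounce only when MORE than this many phrases match: a single hit, such as a
# mailing list's own "unsubscribe" footer, is not enough on its own.
THRESHOLD = 1


def message_text(msg):
    """Subject header plus the decoded text of every text/* part."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)


def score(raw):
    """Return (number of matching phrases, the patterns that matched)."""
    text = message_text(email.message_from_string(raw))
    hits = [p.pattern for p in PHRASE_RES if p.search(text)]
    return len(hits), hits


def verdict(raw):
    """'bounce' if the score exceeds THRESHOLD, otherwise 'deliver'."""
    n, _ = score(raw)
    return "bounce" if n > THRESHOLD else "deliver"


# Constructed sample messages (not real mail).
SPAM_SAMPLE = """\
From: offers@example.invalid
Subject: LIMITED TIME OFFER - act now

This is not spam! You are receiving this because you opted in.
To be removed, reply with REMOVE in the subject.
"""

# A list posting with a single "unsubscribe" hit: one match, so it is delivered.
HAM_SAMPLE = """\
From: announce@example.invalid
Subject: Minutes from Tuesday's meeting

Notes attached. To unsubscribe from this list, mail majordomo@example.invalid.
"""

CLEAN_SAMPLE = """\
From: alice@example.invalid
Subject: lunch

Sandwiches at noon?
"""

if __name__ == "__main__":
    for name, raw in [("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        n, hits = score(raw)
        print("%-5s score=%d verdict=%s hits=%s" % (name, n, verdict(raw), hits))
```

The threshold is what keeps the false-positive rate tolerable: many legitimate list messages contain one spam-like phrase, and requiring a second independent hit before bouncing is the whole point of scoring rather than matching.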
I really don't know what the filter's name is, but I do know that it stops known files, mangles attachment extensions, mangles IMG tags and a whole truckload of other stuff. Best of all, it doesn't interfere with anything, but it depends on procmail of course.
Here's a link to the homepage.
It is score-based, runs really fast, and sanitizes headers, HTML and MIME attachments. Since it's based on a procmail ruleset, it can easily be adapted to your needs. It features external "poisoned" files (and extensions) that you can block off.
I've been using it since 1.088 (I think) and I've had no bad things to say about it!
All browsers' default homepage should read: Don't Panic...
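The sanitizer described in the post above is not named on the page, so the following is an added Python example and not that tool's code. It sketches two of the behaviours listed: renaming attachments whose last extension appears in a "poisoned" list, and mangling IMG (and IFRAME) tags in HTML parts so a mail client will not fetch remote content. The extension list, the ".DEFANGED" suffix and the sample message are assumptions constructed for this example; a deployment would load the list from an external file, as the post describes.

```python
import email
import re
from email import policy

# Constructed stand-in for an external "poisoned extensions" file. A real
# deployment reads this from disk so it can be updated without editing the filter.
POISONED_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "vbs", "js", "shs"}

# Opening of an <img> or <iframe> tag; whitespace after '<' is allowed so
# "< img" does not slip past the check.
ACTIVE_TAG_RE = re.compile(r"<\s*(img|iframe)\b", re.IGNORECASE)

# Hypothetical suffix for blocked attachments: the recipient still sees the
# original name, but the OS no longer treats the file as executable.
DEFANG_SUFFIX = ".DEFANGED"


def is_poisoned(filename, poisoned=POISONED_EXTENSIONS):
    """True if the LAST extension of filename is on the block list.

    Only the last extension counts, so "readme.txt.exe" is caught while
    "archive.exe.txt" is not; trailing dots and spaces are stripped first."""
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in poisoned


def sanitize(raw, poisoned=POISONED_EXTENSIONS):
    """Return (sanitized message as text, list of actions taken)."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename and is_poisoned(filename, poisoned):
            new_name = filename + DEFANG_SUFFIX
            # The name may live in Content-Disposition, Content-Type, or both.
            if "Content-Disposition" in part:
                part.set_param("filename", new_name, header="Content-Disposition")
            if part.get_param("name") is not None:
                part.set_param("name", new_name)
            report.append("renamed attachment %r -> %r" % (filename, new_name))
        if part.get_content_type() == "text/html":
            html = part.get_content()
            defanged, n = ACTIVE_TAG_RE.subn(r"<DEFANGED_\1", html)
            if n:
                part.set_content(defanged, subtype="html")
                report.append("mangled %d IMG/IFRAME tag(s) in HTML body" % n)
    return msg.as_string(), report


def attachment_names(raw):
    """Filenames of every part that carries one, for inspecting a result."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def html_bodies(raw):
    """Decoded text of every text/html part, for inspecting a result."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]


# Constructed sample: an HTML body with a tracking image plus a disguised
# executable. The base64 payload is filler, not a real program.
SAMPLE = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/html; charset="us-ascii"

<html><body>Please see the attached invoice.<img src="http://example.invalid/t.gif"></body></html>
--xyz
Content-Type: application/octet-stream; name="invoice.txt.exe"
Content-Disposition: attachment; filename="invoice.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--xyz--
"""

if __name__ == "__main__":
    cleaned, actions = sanitize(SAMPLE)
    for action in actions:
        print(action)
    print(cleaned)
```

Checking only the last extension is deliberate: the classic trick is a double extension like "invoice.txt.exe", where the part the OS acts on is the final one. Renaming rather than dropping the part keeps the mail deliverable and leaves the recipient a visible record of what was blocked.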