Slashdot Mirror


User: pe1chl

pe1chl's activity in the archive.

Stories: 0
Comments: 1,875

Comments · 1,875

  1. Re:Good scanners on What's The Actual Cost of A Virus? · · Score: 1

    What we do is: when the exe contains a recognized exe, just ignore it and drop it in a virus quarantine.
    When it seems OK, send a message about its arrival and keep it in another quarantine, where it can be released by an IT employee.
    Furthermore, selected recipients can be marked to be able to receive such files without hold.
    This works quite OK, and we never passed a virus through it.

  2. Re:The only cost should be on What's The Actual Cost of A Virus? · · Score: 1

    When you believe that your business needs routine transfer of executables via mail between random customers and all inside employees, you indeed have serious problems...

  3. Re:The only cost should be on What's The Actual Cost of A Virus? · · Score: 3, Interesting

    We block almost all attachments, but allow .zip files through

    A good scanner can look inside .zip files, and block .zip files containing executables but allow those with plain documents through.

    If I were you, I would consider upgrading to a better scanner.

  4. Re:The only cost should be on What's The Actual Cost of A Virus? · · Score: 1

    I completely agree with that!
    Many companies run badly designed virus scanners that rely on up-to-date virus signatures, determine file types by looking at the name, and send "virus warning" messages to the "sender" of the message.

    Running this below-par scanning software, which is often considered "enterprise strength" in Windows e-mail environments, is a big part of the problem in every outbreak.

  5. Re:Why .ZIP Is Significant on Today's Windows Virus - MyDoom / Novarg · · Score: 1

    A well configured enterprise mail server will not be fooled so easily. Our mailscanner sees the zip, looks into it, finds the .exe, and blocks it.

  6. Re:DNS??? on AOL Tests Sender Permitted From / E-mail Caller ID · · Score: 1

    >an SMTP server knows *nothing* about the connecting host other than IP address

    You will be surprised how much can be deduced from an incoming TCP connection. Read up on tools like nmap.

  7. Re:I'm still bemused on Boot Windows Faster, Using Linux · · Score: 1

    Much of this time is spent waiting for devices to respond.
    The BIOS tries to activate any disk drive it supports, then waits for the drive to respond. There is some (conservative) timeout on that query, because the BIOS does not know how quickly a working drive is going to respond. So it may wait .5 seconds for a disk drive, adding up to 2 seconds for two drives.

    Similar waits are going on all over the hardware detection and test process, and they are all adding up.

    Things that could be done:

    1. Review delay times, detection algorithms. See if a quicker detection can be done.

    2. Make sure the delays don't add up, i.e. perform detections and tests in a parallel (multitasking) fashion.

  8. Re:Slower? It depends. on Are 64-bit Binaries Slower than 32-bit Binaries? · · Score: 2, Informative

    That is why I am a bit astonished that he finds a 20% slowdown, then also examines the increased size of the executables, finds it is about 20%, and considers that a minor issue.

    I think the 20% increased size is the reason for the 20% worse performance, because memory access is often the bottleneck for real-life programs.

  9. Re:Any open proxy list left? on SPEWS Adds DSL Reports to Block List · · Score: 1

    Looks good, let's try it...

  10. Any open proxy list left? on SPEWS Adds DSL Reports to Block List · · Score: 1

    Is there any reasonable list left that has open proxies (trojan infected Windows PCs)?
    Those are the prime source of spam these days, but they need a quick-acting blocklist.

  11. Replace the code? on Red Hat's Open Source Assurance Program · · Score: 2, Interesting

    The warranty ensures, that in the event that an infringement issue is identified in Red Hat Enterprise Linux software code, Red Hat will replace the infringing code.

    What use is that? When the SCO case really holds up, the issue is not to replace the code but to pay them their royalties. Those payments are what should be guaranteed, not the replacement of the code. Such a replacement will be just as free as the original code.

  12. Re:Of course you're right. on 'Bagle' Worm Heading For A Windows PC Near You · · Score: 1

    When the company blocks .exe files because of policy, and the scanner allows them through by simple renaming, I can hardly call that a 100% effective strategy.

    Your scanner only stops the virus attacks because the attacks have not yet been clever enough. And it will fail to stop trojan attacks like Christmas cards that people forward to each other, and that they will willfully guide around your scanner.

    Don't tell me that doesn't happen. I have been running a scanner that detects those attempts for the past 5 years, and I have seen several cases of such detections.

  13. Re:Ditto. on 'Bagle' Worm Heading For A Windows PC Near You · · Score: 1

    The .bin file makes it through the scanner

    Your scanner is a useless piece of crap.

  14. Re:Mail server blocks executable attachments on 'Bagle' Worm Heading For A Windows PC Near You · · Score: 1

    You should *never* send a bounce message for an incoming virus.

  15. Re:Mail server blocks executable attachments on 'Bagle' Worm Heading For A Windows PC Near You · · Score: 4, Insightful

    I do this as well.
    Of course you must make sure you use a valid detection mechanism.
    Many commercial scanners use the extremely naive approach of checking the file extension!
    This means that .exe files can be sent through these by renaming the file (e.g. to .jpg), then adding a comment "please rename the file to .exe".

    You would not believe it, but even the most renowned scanners use this stupid method. I have seen countless examples of "funny programs" being blocked on the mailscanner, and then the same file arriving half an hour later, renamed to .jpg or .gif, and with the added guidance for the receiver. Of course it was again blocked by my scanner, but apparently this method works on the commercial scanners and the users know the workaround.

    There even has been one trojan that uses this method by packing the program in a .zip and telling the user to unzip and then run the program.

  16. Re:Evo;ve or die on Verisign Plans DNS Changes · · Score: 2, Informative

    It does not matter how many bits your computer has, it matters if the DNS protocol is still in use by then.

    If it is, it will break because of this change. The older timestamp format had a much longer lifetime.

    Of course there will be major problems in 2038, probably much worse than in 2000. This small issue will not contribute too much.

  17. Re:PCEmu on DOS Emulation Under Linux - a Simple Guide · · Score: 2, Interesting

    It is a nice idea.
    In fact, dosemu already had some interesting possibilities for saving memory. I wrote the network driver for dosemu, it emulates a "PC/TCP packet driver". In a normal DOS system, that driver would be loaded in high memory, but in dosemu there was only a small block of code residing in the BIOS area (required because of the interface definition for packet drivers), and the actual driver code is 32-bit.
    So, dosemu can be considered to have "PC/TCP packet driver support in the BIOS", and no memory has to be wasted on loading a driver :-)

  18. Re:DOSemu on DOS Emulation Under Linux - a Simple Guide · · Score: 1

    DOSemu runs the dosbox as a VM86 task, it should run at the full speed of the host processor. There will be some slowdown when you try to run graphic applications in an X window, but other than that there is no "emulation" going on.

    DOSemu is not like VMware or even Virtual PC.

  19. Re:This is a good idea on AOL Now Publishing SPF Records · · Score: 1

    I've always thought that ISPs should add a default "smtp" zone for their customers that resolves to their mail server. That way, you can set your program up to use "smtp" and no matter where you are, it will resolve properly.

    Actually, when you set the default search domain to the ISP you are dialling in to and fix the SMTP server to "smtp", this usually works.
    Setting the search domain is easy when you get your address using DHCP, and could be done in an ip-up script in other situations.

  20. Re:Some of us have reasons for spoofing our addres on AOL Now Publishing SPF Records · · Score: 4, Informative

    I would advise you to read before you write.
    SPF was invented especially to cater for your situation. The quick way out would have been to use MX records as the only validation, but this was not done.

  21. Re:Another good tool destroyed... on WhenU.com Enjoined From Competing Pop-Ups · · Score: 4, Insightful

    Give an advertiser a useful tool, and he will abuse it until nobody wants the tool anymore!
    Apparently advertisers never consider this effect, they make the same mistake over and over again.

    - They changed television from an information/entertainment medium with the occasional advertisement into a continuous show of advertisements with the occasional show element in between. Result: people buy VCRs and TIVO, to skip the ads.

    - When they discovered the banner ad they did not stay with displaying a logo and static advertisement text, no it all had to be animated and blinking. Result: people install banner blockers.

    - Then they discover the pop-up, and abuse it to such a level that some sites cause an endless loop of popups and the amount of popups is annoying in general. Result: people demand popup blockers.

    When will they learn to be moderate? Probably never.

  22. Re:There still are popups ? on WhenU.com Enjoined From Competing Pop-Ups · · Score: 1

    >All that happens is that a discreet icon shows up in the statusbar. If you really like, you can click on this icon and say "allow popups from this host".

    It is a start, but I think it s*cks that you cannot simply view the popup by clicking on that icon, but have to add the site to a whitelist and then do a reload, hoping that the same popup will appear. They should fix that.

  23. Re:Blocking pop-ups not coming from a website on WhenU.com Enjoined From Competing Pop-Ups · · Score: 1

    For one, make sure that the user-id that you use to do daily work on your computer is not allowed to install software. Only the administrative user can do that, and you switch to that user when you have bought a shiny new CD, not when some sleazy popup appears.

  24. Re:Equivalent? on ISS May Have A Leak · · Score: 1

    That is what you get for expressing pressure in millimeters mercury... of course that should have been sixteenths of an inch of mercury, to be NASA unit-compatible.

  25. Re:bayesian filters aren't fooled so easily on Security Predictions of 2004 · · Score: 1

    Here it usually works OK because most mails coming in from genuine sources are not written in English.
    So a lot of English words usually means it is spam.

    But in an environment where all mail is in English and contains the kind of words they add to the message, it would be more difficult.
    (I saw things like: meeting financial government department etc)