[Esa-l]Re: Sircam virus filter

Floyd Pierce floydp at boxusa.com
Thu Aug 2 05:28:33 PDT 2001


Why is a user's mailbox filled up if the messages are poisoned? The
only mailbox at risk on my system would be mine from the SECURITY
WARNING messages :-(

Of course we only are getting 10 SirCams a day. Not bad for a
thousand users.

--
Floyd Pierce              | Director of Information Technology
Phone  847-790-2830 (IL)  | Box USA
Phone  817-783-2355 (TX)  | floydp at boxusa.com
Fax    847-790-2880       | floyd at floydbob.com




> -----Original Message-----
> From: esa-l-admin at spconnect.com [mailto:esa-l-admin at spconnect.com]On
> Behalf Of Juan Manuel Calvo
> Sent: Thursday, August 02, 2001 7:19 AM
> To: jhardin at impsec.org
> Cc: esa-l at spconnect.com
> Subject: Re: [Esa-l]Re: Sircam virus filter
> 
> 
> > On Wed, 1 Aug 2001, Juan Manuel Calvo wrote:
> > 
> > > I have found a very simple solution to the Sircam problem. Your
> > > procmail sanitizer allows defanging the attachment but the users
> > > receive the email.
> > 
> > Not if you poison *.bat *.pif *.lnk and *.com - is there really any
> > reason to be accepting these sort of attachments from random people
> > out on the Internet?
> 
> I'm poisoning all executable extensions but Sircam fills the user
> mailboxes, some of my users get over a hundred infected messages
> overnight, mailbox strikes the quota and lose or delay more important
> messages.
> 
> > 
> > > I have added the following lines in my /etc/procmailrc BEFORE
> > > the sanitizer:
> > >
> > 
> > That's a signature-based defense. What if SirCam mutates a little?
> 
> Your sanitizer will poison the attachment, my users will have to clean
> your mailboxes and lose some messages, and I'll have to change the
> signature, not a real danger.
> 
> -- 
> Ing. Juan Manuel Calvo                       |TE: +54-11-4314-2269
> Director del Centro de Computos              |FAX:+54-11-4314-1654
> Universidad Del CEMA                         | 
> Cordoba 374 (1054) Capital Federal, Argentina| http://www.cema.edu.ar
> _______________________________________________
> E-mail Security Announce list mailing list
> E-mail Security Announce list at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esa-l


