Subject: Re: postfix md5 rule?
To: netbsd-help <netbsd-help@NetBSD.org>
From: Chuck Yerkes <chuck+nbsd@2004.snew.com>
List: netbsd-help
Date: 02/01/2004 00:21:53
vipul's razor?
"normalize" the message, run a checksum on it and compare.

And mime-defang gives you nice hooks to do this.

And no, it's not a NetBSD question.

Me?  I looked, with spamassassin, for a set of subjects AND
a set of file attachment names AND a blob of text in that first
attachment.

80-100 /minute blocked.  The ones that slid through (there was
some combo I didn't get) were snagged by the AV stuff on the inside
scanner - I just cut the volume hitting it by 90%.

Quoting James K. Lowden (jklowden@schemamania.org):
> This isn't really a NetBSD question, but perhaps someone can give me a
> yea/nae to it.  
> 
> My latest antivirus idea is to have postfix burst MIME messages, and run
> md5(1) on each attachment.  It will compare the digest to a set of known
> digests; if the attachment is known, it will be deleted.  If the message
> contains only known attachments, the message itself will be rejected.  
> 
> Is this possible?  
> 
> As I am sent each new virus, I'll add it to my list of known digests.  I
> recognized mydoom fairly early in the cycle; it would have been trivial to
> extract it once and add its digest to my list of known pests.  
> 
> I even think this idea would be useful to ISPs.  When mail volume rises by
> an order of magnitude, and 90% of the traffic includes the same
> attachment, the ISP could mark the mail as virus-laden, park the
> attachment somewhere, and provide a URL to it.  In my imagination, this
> would happen automatically, thus preventing virii from getting much
> traction.  In the event the messages were bona fide (say, Kennedy is shot
> or something), the human recipients would still have the means to retrieve
> the attachment.  
> 
> But, whether or not anyone else would adopt my strategy, I'd still like to
> know: is it feasible?  
> 
> TIA.  
> 
> --jkl
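The attachment-digest filter James describes, sketched as an added example that is not part of this thread and not postfix, mime-defang or razor code. It assumes a constructed sample attachment body and seeds the known-digest set from it; a real deployment would maintain that set by hand as new samples arrive. The digest is taken over the transfer-decoded bytes rather than the base64 text in the message, so a change in line wrapping or encoding does not cause a miss, which is the simplest form of the "normalize, then checksum" step Chuck mentions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the body of a known, unwanted attachment.
KNOWN_BAD_BYTES = b"MZ constructed stand-in for a known attachment body\r\n"

# Known md5 hex digests; seeded here from the constructed sample above.
KNOWN_DIGESTS = {hashlib.md5(KNOWN_BAD_BYTES).hexdigest()}


def build_message(attachments):
    """Build a constructed multipart message from (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("body text")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def attachment_digests(raw):
    """Return [(filename, md5 hex digest)] for each attachment, hashed after
    transfer decoding so base64 wrapping differences do not change the digest."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        out.append((part.get_filename(), hashlib.md5(payload).hexdigest()))
    return out


def filter_message(raw, known=KNOWN_DIGESTS):
    """Apply the rule from the thread: drop every attachment whose digest is
    known; if all attachments were known, reject the whole message.
    Returns (decision, message_bytes_or_None, removed_filenames)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = list(msg.iter_attachments())
    if not attachments:
        return "accept", raw, []

    known_parts = [p for p in attachments
                   if hashlib.md5(p.get_payload(decode=True)).hexdigest() in known]
    removed = [p.get_filename() for p in known_parts]

    if len(known_parts) == len(attachments):
        return "reject", None, removed

    # Strip the known parts in place; get_payload() on a multipart message
    # returns the live list of sub-parts.
    parts = msg.get_payload()
    parts[:] = [p for p in parts if p not in known_parts]
    return "accept", msg.as_bytes(), removed
```

One limitation worth keeping in mind when running something like this in front of a scanner: an exact digest only matches byte-identical attachments, so the list has to be refreshed for every variant, whereas the normalization razor performs is what lets near-duplicates collapse to one checksum.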