Subject: Re: postfix md5 rule?
To: None <netbsd-help@NetBSD.org>
From: James K. Lowden <jklowden@schemamania.org>
List: netbsd-help
Date: 02/01/2004 03:42:30
On Sat, 31 Jan 2004 23:05:46 -0800, "David S." <davids@idiom.com> wrote:
> >
> > My latest antivirus idea is to have postfix burst MIME messages, and
> > run md5(1) on each attachment. It will compare the digest to a set of
> > known digests; if the attachment it known, it will be deleted. If the
> > message contains only known attachments, the message itself will be
> > rejected.
> >
> > Is this possible?
>
> The spammers are already ahead of you here. Look at the end of just
> about any spam e-mail these, and see something like
>
> txuyuryykexjerudeezzqkgu glg zw haexz mcgu atzadyvf dsz
Spam I actually have under control, pretty much, famous last words.
Viruses are a nuisance, though, because they originate from anywhere, and
sometimes superficially seem to be from someone I know (by design). The
payload of a virus-sent message, I believe, is fixed, which is why I want
to analyze the attachment in the MTA. If I get clever enough, I won't
even maintain my "known attachments" list manually. I'll keep a digest of
every attachment ever received, and the location of the file, if any.
The probability of any two people sending me the same attachment for
ligitimate reasons is really, really small, and from three people, smaller
still. If the same thing arrives three times, I'd be happy to have my
system assume it's a virus and react accordingly. Beats waking up to 100
useless messages the next morning.
Per Perry's suggestion, I already reject most attachment types, but .zip I
allow, for obvious reasons. Automatic examination of the attachment seems
like the next logical step.
--jkl