[nSLUG] Re: Strategies for fighting spam and Win32 email viruses via dialup
aa056 at chebucto.ns.ca
Tue Jul 1 14:13:56 ADT 2003
On Tue, 1 Jul 2003, Mike Spencer wrote:
> "George N. White III" <aa056 at chebucto.ns.ca> wrote,
> > Most anti-spam and anti-virus strategies involve filtering the
> > message contents, which clearly isn't feasible on a ppp link when
> > the message volume exceeds the link capacity. Are there filters
> > that work with a pop server using only the headers?
> I agree that the filtering should be done on the server during the SMTP
> transaction. But the typical dial-up user has no control over that.
> Can you read your CCN mail via POP3? I've been testing a perl script
> that reads a local config file, then opens a socket to port 110,
> retrieves the headers of messages using "TOP n 0".
Yes -- I've considered this route, probably with a rule that rejects
messages with large attachments unless they come from my whitelist.
> The config file contains whitelists of IP addresses and From:
> addresses; blacklists of CIDR blocks and From: addresses. (And every
> spam that gets through gets its originating IP CIDR block manually
> added to the blacklist.)
> The script checks against the white- and black-lists, then does a
> DNSBL lookup at Osirusoft.com, deletes messages that match blacklist
> entries or that resolve in the DNSBL. After the script runs, I then
> tell my mail reader to fetch the mail. It finds the mailbox purged of
> most spam.
> This could be tweaked to add matching worm/virus indicators known to
> appear in the headers. Also could check for size since POP3 will
> report number of octets in each waiting message. Could also be
> tweaked to retrieve just a few lines of the body and look for /^TVq/
> (base64 encoding of magic number "MZ" for MS .EXE executables) that's
> in the first data line of most executable worm/virus attachments.
> This script is way too slow for dealing with hundreds of messages per
> hour or more but works nicely for dozens per day or the occasional
> list spew or mail bomb.
There might be a way to run the script on a machine with a high
speed connection, but POP3 is not good about sharing access, so
I might as well forward everything to a fast machine and redirect
the accepted messages to a "secret" account with dialup access.
George White <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
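The header-only POP3 filter discussed in the exchange above, written out as an added Python example (it is not Mike's perl script nor George's). It assumes the caller has already issued `LIST` and `TOP n k` for each message and stripped the POP3 framing (status line, dot-stuffing, terminating `.`); the white/black-list values are constructed, and the DNSBL lookup is left out so the code runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy in the spirit of the config file described in the thread (names assumed).
WHITELIST_FROM = {"friend@example.org"}
BLACKLIST_FROM = {"offers@example.net"}
WHITELIST_CIDR = [ipaddress.ip_network("192.0.2.0/24")]
BLACKLIST_CIDR = [ipaddress.ip_network("198.51.100.0/24")]
MAX_OCTETS = 100_000                    # larger messages are deleted unless whitelisted
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MZ_BASE64 = re.compile(r"^TVq")         # base64 of the "MZ" .EXE magic number

def originating_ip(msg):
    """IP in the earliest Received: header (the last one in the message).
    Only the Received: line added by your own server can be trusted."""
    for hop in reversed(msg.get_all("Received") or []):
        m = BRACKET_IP.search(hop)
        if m:
            try:
                return ipaddress.ip_address(m.group(1))
            except ValueError:
                continue
    return None

def classify(top_reply, octets):
    """Return ('keep'|'delete', reason) from a `TOP n k` reply and the LIST octet count."""
    msg = message_from_string(top_reply)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    ip = originating_ip(msg)
    if sender in WHITELIST_FROM or (ip and any(ip in n for n in WHITELIST_CIDR)):
        return "keep", "whitelisted"
    if sender in BLACKLIST_FROM:
        return "delete", "blacklisted From"
    if ip and any(ip in n for n in BLACKLIST_CIDR):
        return "delete", "blacklisted CIDR %s" % ip
    parts = re.split(r"\r?\n\r?\n", top_reply, maxsplit=1)  # headers / the k body lines
    body_lines = parts[1].splitlines() if len(parts) == 2 else []
    if any(MZ_BASE64.match(line) for line in body_lines):
        return "delete", "base64 MZ in first body lines"
    if octets > MAX_OCTETS:
        return "delete", "%d octets exceeds limit" % octets
    return "keep", "no rule matched"

# Constructed sample `TOP n 3` replies (dot-unstuffed, CRLF normalised to LF).
WORMY = "Received: from pc ([203.0.113.9])\nFrom: nobody@example.com\n\nContent-Type: application/octet-stream\n\nTVqQAAMAAAAEAAAA\n"
FRIEND = "Received: from pc ([203.0.113.5])\nFrom: friend@example.org\n\nHello\n"
```

Because a worm's attachment is usually a separate MIME part, request enough body lines with `TOP` to reach past the part headers, or the `TVq` check never sees the first data line.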