June 02, 2003

Darned naive mail filters

There's yet another variant of the Sobig virus/worm/whatever thing running around. This one apparently replaces the Palyh thing (the one from "support@microsoft.com") that was running around. Palyh had a May 30 drop-dead date, so I can only assume the thing was a proof-of-concept, designed either to show off someone's Studly Programming Skillz or as a study in spread characteristics in preparation for a nastier attack.

The proliferation of this damn thing isn't the big problem. The big problem is all the gateway filters in place that block the worm and then incorrectly bounce an infection notice back to the forged sender. You'd think at this point that people would have figured out how to properly bounce, or at least not improperly bounce, these damn things, given how many worms and viruses have built-in SMTP capabilities with spoofed senders. (I can, after all, pretty much guarantee you that I'm not sending out infected mail.) I've gotten more bouncemail for this thing than I have actual copies of the virus.
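To make the bounce problem concrete, here is a small Python model (added for this page, not code from the post or from any mail software) of the two gateway behaviours. The naive gateway accepts the message and later mails a notice to the envelope sender, which a self-mailing worm has forged; the correct gateway scans during the SMTP transaction and rejects with a permanent 5xx, so the only host that ever sees the verdict is the one that connected. The addresses and the simulated worm traffic are constructed for the example, and the scanner verdict is just a flag standing in for whatever ClamAV or similar would report.

```python
"""Backscatter model: why bouncing virus notices to a forged sender is wrong.

Added illustration, not part of the original post. All addresses and the
simulated traffic below are constructed; the `infected` flag stands in for a
real content-scanner verdict.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Message:
    envelope_from: str  # MAIL FROM address; worms forge this freely
    rcpt_to: str
    infected: bool      # verdict from a content scanner (e.g. ClamAV)


@dataclass
class Outcome:
    smtp_reply: str                                         # reply given to the connecting host
    bounces_sent: list[str] = field(default_factory=list)   # DSNs this gateway generated


def naive_gateway(msg: Message) -> Outcome:
    """Accept first (250), scan later, then mail a notice to the envelope sender.

    With a forged sender, that notice lands on an innocent third party: this is
    the bouncemail the post complains about.
    """
    out = Outcome(smtp_reply="250 OK")
    if msg.infected:
        out.bounces_sent.append(msg.envelope_from)
    return out


def correct_gateway(msg: Message) -> Outcome:
    """Scan inside the SMTP transaction and reject with a permanent error.

    The rejection goes only to the host that connected, which for a worm with
    its own SMTP engine is the infected machine itself. No DSN is generated,
    so a forged sender receives nothing. (Silently discarding or quarantining
    after acceptance is the other acceptable choice; generating a bounce is not.)
    """
    if msg.infected:
        return Outcome(smtp_reply="554 5.7.1 Message rejected: malware detected")
    return Outcome(smtp_reply="250 OK")


def backscatter(gateway, traffic: list[Message]) -> dict[str, int]:
    """Count the unsolicited notices each (innocent) address would receive."""
    counts: dict[str, int] = {}
    for m in traffic:
        for victim in gateway(m).bounces_sent:
            counts[victim] = counts.get(victim, 0) + 1
    return counts


# Constructed traffic: a worm on one infected host sends itself to five
# recipients, forging an uninfected person's address as the sender, plus one
# ordinary clean message for contrast.
WORM_TRAFFIC = [
    Message("dan@example.org", f"user{i}@example.net", infected=True) for i in range(5)
] + [Message("alice@example.com", "user0@example.net", infected=False)]


if __name__ == "__main__":
    print("naive gateway backscatter:  ", backscatter(naive_gateway, WORM_TRAFFIC))
    print("correct gateway backscatter:", backscatter(correct_gateway, WORM_TRAFFIC))
```

Run as-is: the naive policy sends five notices to the forged address while the in-session rejection sends none, which is exactly the ratio of bouncemail to actual worm copies the post describes.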

This recent spate of virus crap has prompted me to try to get some virus checking built into the mail server here, since I'm tired of wasting disk space on this crap, and I'd rather the other folks using the mail services here don't have to deal with it. (I think only one or two people are actually at risk, as everyone else is a Mac or pine user, but...) I gave ClamAV a shot, to see if I could use it, as it seems like the only free game in town. And, while it seems to work pretty well as a virus checker, I haven't figured out how I can use it on my system.

It's not that there aren't instructions in there--there are. I can use it as a sendmail milter, or I can use it through amavis somehow. Unfortunately, the build of sendmail I'm running doesn't have milter support (and it's an 8.11 release of some vintage or other), and I can't for the life of me figure out how to make amavis-ng install and configure right. (The fact that the docs are all .texi files, and the version of makeinfo I have doesn't like them, doesn't help.) Google wasn't much help locating instructions to use ClamAV with just procmail. Bleah.

I'm sure some of the problem is the vintage of the software on the server, and I'm getting more and more tempted to just rebuild it from scratch, but that really requires a second machine to build into. OTOH, this beast is getting pretty limiting for what it does, so a new box may well be in order, and I can relegate this thing (an old 300MHz no-cache Celeron) to being a slow Parrot tinderbox machine. (Though, given a few hundred spare bucks to buy a new server, well, I'd rather buy an iPod... :)

Posted by Dan at June 2, 2003 03:57 PM