From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: [Phishing]Re: Anti-virus for FreeBSD
Date: Wed, 23 Mar 2016 17:02:26 +0000
Message-ID: <56F2CC22.9090500@FreeBSD.org>
References: <1458712914.1578.37.camel@au.dyndns.ws> <62985.128.135.52.6.1458748953.squirrel@cosmo.uchicago.edu>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 2016/03/23 16:31, Daniel Feenberg wrote:
> Is there a package out there that would block all email messages with
> binary executable content? I understand that pdf and word files may
> contain executable code - the package would have to be able to
> distinguish such files with executable code and those without. (Is that
> possible)?

It is not possible a priori to strip out any file belonging to some
arbitrary application which implements some sort of embedded macro
language, let alone tell if any such file actually contains any
executable bits.

The best you can do is recognise commonly used file formats where
embedded code is possible, and strip those out. Any reasonable MTA
should be able to do that for you, although it may take some rather
more advanced configuration than is usually necessary.

This is essentially the approach taken on these (FreeBSD) mailing
lists, except here, it's reversed: all attachments are removed, except
for a certain number of known-harmless ones, like PGP-MIME signatures
or some simple text formats.

If you're specifically concerned about Phishing emails, rather than,
say, 'Spear Phishing' (i.e. individually tailored messages) then your
best bet is something like Vipul's Razor or DCC, which are services
that distribute checksums of known spam messages -- the concept being
that spammers send out a large number of pretty much identical messages
and it is highly likely that someone else has received the spam and
reported it before it hits your mail server.

Cheers,

Matthew
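The "reversed" policy Matthew describes (drop every attachment except a short allow-list of harmless types, while recognising the common formats that can carry code) as an added, runnable example. This is not the FreeBSD lists' actual filter nor anything Matthew posted; it is a stand-alone Python script using only the standard library. The allow-list contents, the magic-byte table, the `vbaProject.bin` heuristic for OOXML and the sample message are all assumptions made for this example. Note that it checks the decoded bytes, not just the declared Content-Type, because the sender controls the MIME headers and the filename.

```python
"""Allow-list attachment filter, constructed for this example (not list software)."""
from __future__ import annotations

import io
import zipfile
from email.message import EmailMessage

# Assumed allow-list: every leaf part not listed here is removed.
ALLOWED_TYPES = {"text/plain", "application/pgp-signature"}

# Magic bytes of formats that can hold executable content. Checked on the
# decoded payload regardless of Content-Type, since headers are attacker-chosen.
MAGIC = (
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document (legacy Office, may carry VBA)"),
    (b"%PDF", "PDF (may carry JavaScript or embedded files)"),
)


def sniff(data: bytes) -> str | None:
    """Describe the payload if it looks like a code-capable format, else None."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    if data.startswith(b"PK\x03\x04"):
        # OOXML (docx/xlsm/...) is a zip; a VBA project is the one case we can name.
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip container (unreadable)"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "OOXML document with VBA project"
        return "zip container"
    return None


def classify(part: EmailMessage) -> str | None:
    """Return the reason to drop a leaf part, or None to keep it."""
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""
    sniffed = sniff(data)
    if sniffed:
        return f"{sniffed}, declared as {ctype}"
    if ctype not in ALLOWED_TYPES:
        return f"not on allow-list ({ctype})"
    return None


def prune(part: EmailMessage, dropped: list[str]) -> bool:
    """Remove disallowed leaves in place, recursively; False if nothing survives.

    Caveat: removing a part from inside multipart/signed invalidates the
    PGP/MIME signature over it; a text/plain body plus its signature survives.
    """
    if part.is_multipart():
        kept = [sub for sub in part.get_payload() if prune(sub, dropped)]
        part.set_payload(kept)
        return bool(kept)
    reason = classify(part)
    if reason is None:
        return True
    dropped.append(f"{part.get_filename() or '(inline)'}: {reason}")
    return False


def filter_message(msg: EmailMessage) -> list[str]:
    """Apply the policy to msg in place; return what was removed and why."""
    dropped: list[str] = []
    prune(msg, dropped)
    return dropped


def remaining_types(msg: EmailMessage) -> list[str]:
    """Content types of the leaf parts left after filtering."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


def build_sample() -> EmailMessage:
    """Constructed input for this example: one text body plus four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "list@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    # Legacy Office file (OLE2 header), the classic macro carrier.
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    msg.add_attachment(ole2, maintype="application", subtype="msword", filename="invoice.doc")
    # Macro-enabled OOXML: a zip that contains a vbaProject.bin entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"\x00" * 8)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="report.xlsm")
    # Windows executable mislabelled as plain text: only content sniffing catches it.
    msg.add_attachment(b"MZ" + b"\x90" * 30, maintype="text", subtype="plain",
                       filename="notes.txt")
    # OpenPGP signature part, which the allow-list keeps.
    msg.add_attachment(b"-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n",
                       maintype="application", subtype="pgp-signature",
                       filename="signature.asc")
    return msg


if __name__ == "__main__":
    m = build_sample()
    for line in filter_message(m):
        print("dropped:", line)
    print("kept:", remaining_types(m))
```

Running the script drops `invoice.doc`, `report.xlsm` and the mislabelled `notes.txt` and leaves only the text body and the signature part. The same allow-list can be expressed in an MTA such as Postfix with `mime_header_checks`, but that mechanism only sees the declared Content-Type and filename of each part, not the decoded bytes, so a content-sniffing milter or filter is still needed to catch the mislabelled case.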