Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 23 Mar 2016 12:11:42 -0500 (CDT)
From:      "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To:        "Matthew Seaman" <matthew@FreeBSD.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: [Phishing]Re: Anti-virus for FreeBSD
Message-ID:  <50432.128.135.52.6.1458753102.squirrel@cosmo.uchicago.edu>
In-Reply-To: <56F2CC22.9090500@FreeBSD.org>
References:  <wu7vb4fm8ji.fsf@banyan.cs.ait.ac.th> <CALfReyeHNrqZsCd_-3gMb+5RDEnW8aK2QfYCDRSBG+3bN5tpsQ@mail.gmail.com> <1458712914.1578.37.camel@au.dyndns.ws> <62985.128.135.52.6.1458748953.squirrel@cosmo.uchicago.edu> <alpine.LRH.2.20.1603231224140.8892@sas1.nber.org> <56F2CC22.9090500@FreeBSD.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On Wed, March 23, 2016 12:02 pm, Matthew Seaman wrote:
> On 2016/03/23 16:31, Daniel Feenberg wrote:
>> Is there a package out there that would block all email messages with
>> binary executable content? I understand that pdf and word files may
>> contain executable code - the package would have to be able to
>> distinguish such files with executable code and those without. (Is that
>> possible)?
>
> It is not possible a priori to strip out any file belonging to some
> arbitrary application which implements some sort of embedded macro
> language, let alone tell if any such file actually contains any
> executable bits.   The best you can do is recognise commonly used file
> formats where embedded code is possible, and strip those out.
>
> Any reasonable MTA should be able to do that for you, although it may
> take some rather more advanced configuration than is usually necessary.
>
> This is essentially the approach taken on these (FreeBSD) mailing lists,
> except here, it's reversed: all attachements are removed, except for a
> certain number of known-harmless ones, like PGP-Mime signatures or some
> simple text formats.

Brilliant! As opposed to flawed anti-virus logic!

>
> If you're specifically concerned about Phishing emails, rather than, say
> 'Spear Phishing' (ie. individually tailored messages) then your best bet
> is something like Vipul's Razor or DCC which are services that
> distribute checksums of known spam messages -- the concept being that
> spammers send out a large number of pretty much identical messages and
> it is highly likely that someone else has received the spam and reported
> it before it hits your mail server.
>
> 	Cheers,
>
> 	Matthew
>
>
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?50432.128.135.52.6.1458753102.squirrel>