From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Matthew Seaman"
Cc: freebsd-questions@freebsd.org
Date: Wed, 23 Mar 2016 12:11:42 -0500 (CDT)
Subject: Re: [Phishing]Re: Anti-virus for FreeBSD
Message-ID: <50432.128.135.52.6.1458753102.squirrel@cosmo.uchicago.edu>
In-Reply-To: <56F2CC22.9090500@FreeBSD.org>

On Wed, March 23, 2016 12:02 pm, Matthew Seaman wrote:
> On 2016/03/23 16:31, Daniel Feenberg wrote:
>> Is there a package out there that would block all email messages with
>> binary executable content? I understand that pdf and word files may
>> contain executable code - the package would have to be able to
>> distinguish such files with executable code and those without. (Is that
>> possible)?
>
> It is not possible a priori to strip out any file belonging to some
> arbitrary application which implements some sort of embedded macro
> language, let alone tell if any such file actually contains any
> executable bits. The best you can do is recognise commonly used file
> formats where embedded code is possible, and strip those out.
>
> Any reasonable MTA should be able to do that for you, although it may
> take some rather more advanced configuration than is usually necessary.
>
> This is essentially the approach taken on these (FreeBSD) mailing lists,
> except here, it's reversed: all attachments are removed, except for a
> certain number of known-harmless ones, like PGP-Mime signatures or some
> simple text formats.

Brilliant! As opposed to flawed anti-virus logic!

> If you're specifically concerned about Phishing emails, rather than, say
> 'Spear Phishing' (i.e. individually tailored messages) then your best bet
> is something like Vipul's Razor or DCC which are services that
> distribute checksums of known spam messages -- the concept being that
> spammers send out a large number of pretty much identical messages and
> it is highly likely that someone else has received the spam and reported
> it before it hits your mail server.
>
> Cheers,
>
> Matthew
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
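The "reversed" policy Matthew describes (drop every attachment except a short list of known-harmless types) is easy to express as an allowlist over a parsed MIME message. The following is an added example written for this thread; it is not code from the FreeBSD mailing-list setup or from any MTA, and it uses only Python's standard `email` package. The allowlist, the sample message and its addresses are constructed for illustration. A part survives only if both its declared MIME type and its filename extension are on the list, because the sender controls both values and either one alone is trivially mislabelled.

```python
"""Allowlist-based attachment stripping (added example, not from the list)."""
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed allowlist: plain text bodies and PGP/MIME signatures, as in the
# approach described in the post. Everything not listed here is removed.
ALLOWED_TYPES = {"text/plain", "application/pgp-signature"}
ALLOWED_EXTENSIONS = {".txt", ".asc", ".sig"}

# Constructed sample message: a text body, a (placeholder) PGP signature,
# a binary attachment, and a "text/plain" part whose filename says otherwise.
SAMPLE = """\
From: sender@example.invalid
To: list@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Hello, the report is attached.
--XYZ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgYnl0ZXM=
--XYZ
Content-Type: text/plain; name="macros.docm"
Content-Disposition: attachment; filename="macros.docm"

not really text
--XYZ--
"""


def part_is_allowed(part):
    """A leaf MIME part stays only if its declared type AND its filename
    extension (when a filename is present) are both on the allowlist."""
    if part.get_content_type() not in ALLOWED_TYPES:
        return False
    filename = part.get_filename()
    if filename is None:
        return True  # inline text body, no attachment name to check
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot >= 0 else ""
    return ext in ALLOWED_EXTENSIONS


def strip_attachments(raw):
    """Rebuild the message from its allowlisted leaf parts.

    Returns (cleaned_message, removed) where `removed` lists the type and
    filename of every dropped part, suitable for the MTA's log line.
    """
    msg = message_from_string(raw, policy=policy.default)
    kept, removed = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers are recreated below
        if part_is_allowed(part):
            kept.append(part)
        else:
            name = part.get_filename() or "inline"
            removed.append(f"{part.get_content_type()} ({name})")

    cleaned = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            cleaned[header] = str(msg[header])
    cleaned.make_mixed()  # turn the empty message into multipart/mixed
    for part in kept:
        cleaned.attach(part)
    return cleaned, removed


if __name__ == "__main__":
    cleaned_msg, dropped = strip_attachments(SAMPLE)
    print("removed:", dropped)
    print(cleaned_msg.as_string())
```

Running it drops `invoice.exe` (type not allowed) and `macros.docm` (type allowed, extension not), and keeps the text body and the signature. Note what the example deliberately does not attempt, in line with the post: it never inspects a PDF or Word file for embedded code, it only refuses formats where such code is possible. A production filter would additionally check content (magic bytes) rather than trusting the sender-supplied type and name at all.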