Wandering Thoughts archives


Our current email anti-virus system is probably ineffective now

Last month I noticed that classical viruses by email were still around, despite a past history of low virus detection by our main mail system. Well, funny you should mention that. As it happens, late last week the whole university was battered by a large tide of infected phish/virus emails over several days (and we had several infections ourselves). If our anti-spam system is any good at detecting viruses, I'd expect a serious uptick in virus detection, because the actual rate of virus emails was clearly up significantly.

The good news is that there is a definite uptick over the two days with the bulk of the attack. The bad news is that it is not to very high numbers: 81 Monday, 95 Tuesday, 112 Wednesday, 101 Thursday, and 47 Friday. A normal weekday appears to run around 50 viruses detected a day. And it's highly likely that at least some viruses made it through this screening to reach our users.

(Note that some of these 'viruses' are actually phish spam. It's possible that they're phish spam with executables attached; I don't know.)

It's possible that some of the viruses were detected as spam, but there are two strikes against this. The first is that detected spam volume does not seem to fluctuate much over those days. The second is that detecting viruses as spam instead is actually bad for us; if it's detected as an actual virus, the anti-spam system removes the viral content instead of merely marking the Subject: line.
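The two checks above (a virus-count surge against the normal-day baseline, and spam counts staying flat) can be made mechanical. The following is an added example, not code from this blog or its mail system; the log line format, queue ids and disposition labels are constructed assumptions, since the post shows no real log lines.

```python
import re
from collections import defaultdict

# Constructed sample of a mail-filter log (hypothetical format, not the blog's real
# system): "<date> <queue-id> <disposition>". VIRUS-REMOVED means the filter stripped
# the content; SPAM-TAGGED means it only marked the Subject: line.
SAMPLE_LOG = """\
2015-01-19 q0001 VIRUS-REMOVED
2015-01-19 q0002 SPAM-TAGGED
2015-01-19 q0003 CLEAN
2015-01-20 q0004 VIRUS-REMOVED
2015-01-20 q0005 VIRUS-REMOVED
2015-01-20 q0006 SPAM-TAGGED
2015-01-20 garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (VIRUS-REMOVED|SPAM-TAGGED|CLEAN)$")
KEY = {"VIRUS-REMOVED": "virus", "SPAM-TAGGED": "spam", "CLEAN": "clean"}


def tally(log_text):
    """Count dispositions per day; lines that do not match the format are skipped."""
    counts = defaultdict(lambda: {"virus": 0, "spam": 0, "clean": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, _qid, disp = m.groups()
            counts[day][KEY[disp]] += 1
    return dict(counts)


def surge_days(daily_virus, baseline, factor=1.5):
    """Days whose virus count exceeds the normal-weekday baseline by more than `factor`."""
    return [day for day, n in daily_virus.items() if n > baseline * factor]


def spam_is_flat(daily_spam, tolerance=0.2):
    """True if every day's spam count stays within `tolerance` of the period mean,
    i.e. no sign that virus mail was being absorbed into the spam counts instead."""
    vals = list(daily_spam.values())
    if not vals:
        return True
    mean = sum(vals) / len(vals)
    return all(abs(v - mean) <= tolerance * mean for v in vals)


if __name__ == "__main__":
    # The post's own daily virus counts against its roughly 50/day normal weekday.
    week = {"Mon": 81, "Tue": 95, "Wed": 112, "Thu": 101, "Fri": 47}
    print(surge_days(week, baseline=50))  # → ['Mon', 'Tue', 'Wed', 'Thu']
```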

Unfortunately I don't know what options we have, or how much work it's worth putting into this in general. After all, if our actual virus email rate is quite low outside of anomalies such as this, it probably doesn't matter that our current anti-spam system seems at best so-so at detecting viruses. We could plow a lot of time and effort into evaluating (free) options like ClamAV only to find that they block only a small extra amount of email, which hardly seems worth it.

(I have complicated attitudes on anti-virus stuff, but the short summary is that I think it's very dangerous to put much emphasis on email filtering keeping them out.)

spam/LowVirusDetection-2015-01 written at 01:36:54
