Wandering Thoughts archives

2015-01-27

Our current email anti-virus system is probably ineffective now

Last month I noticed that classical viruses by email were still around, despite a past history of low virus detection by our main mail system. Well, funny you should mention that. As it happens, late last week the whole university was battered by a large tide of infected phish/virus emails over several days (and we had several infections ourselves). If our anti-spam system is any good at detecting viruses, I'd expect a serious uptick in virus detection, because the actual rate of virus emails was clearly up significantly.

The good news is that there is a definite uptick over the two days with the bulk of the attack. The bad news is that the numbers are not very high: 81 Monday, 95 Tuesday, 112 Wednesday, 101 Thursday, and 47 Friday. A normal weekday appears to run around 50 viruses detected a day. And it's highly likely that at least some viruses made it through this screening to reach our users.

(Note that some of these 'viruses' are actually phish spam. It's possible that they're phish spam with executables attached; I don't know.)

It's possible that some of the viruses were detected as spam, but there are two strikes against this. The first is that detected spam volume does not seem to fluctuate much over those days. The second is that detecting viruses as spam instead is actually bad for us; if it's detected as an actual virus, the anti-spam system removes the viral content instead of merely marking the Subject: line.

Unfortunately I don't know what options we have, or how much work it's worth putting into this in general. After all, if our actual virus email rate is quite low outside of anomalies such as this, it probably doesn't matter that our current anti-spam system seems at best so-so at detecting viruses. We could plow a lot of time and effort into evaluating (free) options like ClamAV only to find that they block only a small extra amount of email, which hardly seems worth it.

(I have complicated attitudes on anti-virus stuff, but the short summary is that I think it's very dangerous to put much emphasis on email filtering keeping viruses out.)

LowVirusDetection-2015-01 written at 01:36:54

2015-01-12

I've now seen comment spam attempts from Tor exit nodes

As I mentioned on Twitter, I've recently started seeing some amount of comment spam attempts from IPs that are more or less explicitly labeled as Tor exit nodes. While I haven't paid exhaustive attention to comment spam sources over time, to the best of my awareness this is relatively new behavior on the part of my comment spammers. To date not very many comment spam attempts have been made from Tor IPs, and other sources still dominate.

Since none of the comment spam attempts have succeeded, I face no temptation to block the Tor exit nodes. There are plenty of legitimate uses for Tor and I'd much rather have my logs be a little bit noisier with more failed comment spam attempts than even block a legitimate anonymous comment.

(Really I only block comment spam sources because I'm irritated at them, not because I think they represent any particular danger of succeeding. So far I've seen no sign that the robotic form stuffers are changing their behavior in any way; they've been failing for more than half a decade and I expect them to keep failing for at least the next half a decade. It's very unlikely that my little corner of the web is important enough to attract actual human programming attention.)

Given that this is a recent change, my suspicion is that Tor has simply become increasingly visible and well known to spammers through its appearance in stories about Silk Road and other hidden services (and people using it). Apparently some malware is now starting to use Tor to contact its command and control infrastructure, too, and certainly we've seen attackers use Tor to hide their IP origin when they access cracked accounts.

(Ironically this makes access from Tor exit nodes a glaring sign of a cracked account for us, since basically none of our users do this normally. Conveniently there are several sources for lists of Tor exit nodes.)
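The cracked-account signal described above can be turned into a simple log check: load an exit-node list and flag successful logins whose source address is on it. The following is an added example, not code from Wandering Thoughts or from any exit-list provider. It assumes the list is in the one-address-per-line format that the Tor Project's bulk exit list uses (comment lines starting with `#` are skipped), and both the exit list and the sshd-style log lines below are constructed samples for the example.

```python
"""Flag successful logins from Tor exit nodes against an exit-node list.

Added example, not code from the blog post. The exit-list format assumed
here (one IP per line, '#' comments) is the Tor Project's bulk exit list
format; the list contents and the log lines are constructed samples.
"""
import ipaddress
import re
from typing import Iterable

# Constructed sample exit list. A real one would be fetched from a source
# such as https://check.torproject.org/torbulkexitlist (assumed format).
SAMPLE_EXIT_LIST = """\
# Tor exit addresses (constructed sample for this example)
198.51.100.7
203.0.113.42
203.0.113.43
"""

# Constructed sshd-style log lines. 192.0.2.0/24 stands in for normal
# campus sources; the 203.0.113.x and 198.51.100.7 sources are on the list.
SAMPLE_LOG = """\
Jan 12 00:58:01 mail sshd[2011]: Accepted password for alice from 192.0.2.15 port 51023 ssh2
Jan 12 00:59:44 mail sshd[2019]: Accepted password for bob from 203.0.113.42 port 40120 ssh2
Jan 12 01:02:10 mail sshd[2031]: Failed password for carol from 198.51.100.7 port 33110 ssh2
Jan 12 01:03:27 mail sshd[2040]: Accepted publickey for dave from 192.0.2.77 port 50011 ssh2
Jan 12 01:05:59 mail sshd[2052]: Accepted password for bob from 203.0.113.43 port 40233 ssh2
"""

LOGIN_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def load_exit_list(text: str) -> frozenset:
    """Parse a one-address-per-line exit list into a set of ip_address objects."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            # Skip a malformed entry rather than failing the whole load.
            continue
    return frozenset(addrs)


def tor_logins(log_lines: Iterable[str], exits: frozenset,
               successful_only: bool = True) -> list:
    """Return (user, ip) for each login line whose source is a listed exit.

    With successful_only=True only 'Accepted' lines are reported: a
    successful login from Tor is the compromised-account signal, while
    failed attempts from Tor are ordinary background noise.
    """
    hits = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if successful_only and m.group("result") != "Accepted":
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if ip in exits:
            hits.append((m.group("user"), str(ip)))
    return hits


def suspect_accounts(log_text: str, exit_list_text: str) -> list:
    """Distinct accounts with at least one successful login from a Tor exit."""
    exits = load_exit_list(exit_list_text)
    seen = []
    for user, _ip in tor_logins(log_text.splitlines(), exits):
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    exits = load_exit_list(SAMPLE_EXIT_LIST)
    for user, ip in tor_logins(SAMPLE_LOG.splitlines(), exits):
        print(f"successful login for {user} from Tor exit {ip}")
```

Two caveats for real use: exit lists churn, so compare a login against a list fetched close to the login time rather than a stale copy, and the check only has value where, as in the post, essentially no legitimate users come in through Tor; on a site with a real Tor-using population it would be a prompt for a closer look, not proof of a cracked account.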

CommentSpamViaTor written at 01:07:47
