I've noticed some effects of the virus attacks of the past months on the way I usually deal with email:
- My procmail recipes have become much more aggressive. Since I receive more than 150 virus mails a day I don't want to wade through them looking for false positives. All mails containing .exe/.scr/.bat/.pif attachments are going to /dev/null automatically. If you send me an executable attachment, I'll never read your mail, so don't wait for a response.
- White-lists have become even more useless than they've been before.
- The Bayesian spam filter I use sees so many virus mails in .zip attachments or bounces that it is starting to classify spam mails as non-spam if they don't contain a virus. By now I'm receiving more virus mails and bounces than spam. I haven't found a way around that, yet.
- I don't read any mailer-daemon responses anymore. This is really bad. Most if not all mailer-daemon mails are because of servers that have received a virus that forges the From header to look like one of my addresses, that's why I've stopped to pay attention to them. But this also means I may fail notice that a legitimate email I really wanted to send has not been delivered.
path: /en/malware/viruses | #
I wouldn't be surprised if it is going to spread extremely fast in Germany
From: Info@rtl.de Subject: RTL: DSDS Deutschland Sucht Den Superstar (DSDS) auf RTL. Hallo, Du wurdest zufällig von ca. 85.000 E-Mail Adressen ausgewählt, um bei RTL DSDS in der Zuschauer Jury mit zu Voten. ...
RTL is one of Germany's largest television companies (leading in market share during the last months). DSDS is "Deutschland sucht den Superstar", the German version of "Star Search", which has been the most successful TV show in the last year (don't ask why). And the email tells me I could become part of an online jury. Oh, and it contains a Windows executable with the extension .bat.
path: /en/malware/viruses | #
Similar to Brian I'm writing this so I have a place I can link to when people assume I'd be sending virus mails to them. Go and read Brian's article for the longer version of
Almost all recent worms and viruses fake the from address. If you receive a worm sent from any of my addresses, you can be absolutely sure that I haven't sent it.
Due to server-side filtering (big kudos to the people responsible for the apache.org mail infrastructure) I'm getting far less Mydoom worms now. I still keep getting bounces, which certainly is annoying. Being the moderator for a couple of mailing lists doesn't help either.
I've noticed that those viruses are causing problems to statistical spam detectors, mails without a virus get a higher probability of being ham now. So far I've been filtering out all mails with "bad" attachments (I don't have any use for .exe or .scr files) before ifile sees them, but I cannot remove all "zip" attachments.
path: /en/malware/viruses | #
I received about 50 copies of that new virus during the past twelve hours. What's worse than that are more than 200 bounce messages, as usual about half of them containing the virus itself.
For the record, I'm not the sender of those virus mails, I don't even run an operating system it could affect.
Dear virus detection software writers, please get a clue. The forged sender of such a virus message is most probably not yet affected by the virus. In sending "back" that thing, you help spreading it.
Now back to refining those procmail recipes so that I don't have to see the garbage at all.
path: /en/malware/viruses | #