Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • by Matts (1087) on 2002.05.09 17:19 (#8219) Journal
    This is probably our number one question about spamassassin. My response is that catching viruses is a hell of a different task to catching spam. While the engine is similar, the structure around it is different (it's kinda like the difference between a car and a boat).

    Heuristically detecting viruses is a bitch of a problem. Well not exactly a bitch, it's actually far easier than detecting spam because you can determine that something is trying to do something malicious (even in PE code) (I had a talk about this for OSCon, but it was rejected - we do all of this in perl). Whereas with spam we have to detect the malicious language, if you like. The problem with viruses is you have to decode stuff - PE files, Word documents, Javascript, etc. That's the hard part.

    So the plan for SpamAssassin is to not do virus detection, ever. At least for now.
    • I'm fine with SpamAssassin not doing virus detection. (Not that it matters, as there aren't any functional WinBoxes around the house) I was just kinda hopeful that the klez worm mail would have a distinctive enough signature that it'd be able to detect it without me actually having to do any work. :)

      Still, can't complain--it works as advertised, and rather well at that. And thanks to Nat, I managed to abuse it into doing things it didn't advertise, so I'm happy. It's on my permanent list 'o cool system uti
      • Now if we could just get these twits to stop doing this sort of nonsense in the first place....

        Hey don't say that! If it wasn't for microsoft and their great security I wouldn't have a job ;-)

        I'd give you the key to detecting all Klez variants if I knew exactly what it was myself, but I can't grok our AV guy's code. It's something to do with disassembling the PE code (Win32 binary) and detecting it based on the lack of the CompanyName header in there. Or something like that.

        Also of interest may be OpenA []
        • I'm sure you could find something useful to do with your time if you weren't writing virus filtering code. :)

          I threw a rule with a weight of 5.6 in my SpamAssassin config files for messages with a Content-ID: header in the body. Rumor has it that it's not a 100% guarantee, but it's working as a filter trigger for me.