On 2003-04-24, 15:03:29 (+0200), Szűcs János wrote:
> It seems nowadays it is trendy for email worms to travel in zip files, thus
> avoiding being revealed by simple mail scanners like anomy. I myself use
> anomy and may have missed a lot of these worms until I realised this fact
> not so long ago.
This is news to me. :-) Could you give me an example of a worm which
sends itself in this fashion? Or possibly send me a sample?
> Is it planned to build the following features into anomy?
> - either scan inside zip attachments, or
> - check the filenames inside the zip attachment, (and e.g. quarantine
> any zipped attachments containing an executable).
These features will not be added to Anomy itself, mostly because the
functionality is already there:
- If you are using Anomy with an antivirus scanner (which is
recommended) then most such scanners will scan the contents of
zip files.
- You could quite easily create your own shell-script "scanner" and
plug into the Anomy rulesets. Such a shell script would simply
do "unzip -l" and grep the output for file names such as
"blah.com" or "blah.exe". If such a filename is detected the
scanner would return an exit code which Anomy had been configured
to interpret as "infected" and treat accordingly (e.g. by
defanging the attachment or quarantining it).
-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 74726@xyz.molar.is                -><-          http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
Spammers, please send lots of mail to: 74847@xyz.molar.is
Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler
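The shell-script "scanner" sketched in the reply above, written out as an added example. This is not code from the original post and not part of Anomy itself; the exit-code convention (0 = nothing found, 1 = executable member found, 2 = archive could not be listed), the extension list, the function names and the constructed sample listings are all assumptions of this example, and the Anomy ruleset would have to be configured to treat codes 1 and 2 as "infected".

```shell
#!/bin/sh
# Added example, not part of the original list post and not Anomy's own code.
# A minimal zip "scanner" of the kind the reply describes: list the archive
# with "unzip -l" and flag any member whose name ends in an executable
# extension. The exit-code convention is this script's own assumption:
#   0 = no executable member found
#   1 = an executable member was found
#   2 = the archive could not be listed (treated as not clean, never as clean)
# The Anomy ruleset must be configured to map 1 and 2 to "infected".

# Extensions treated as executable (constructed list; extend as needed).
DANGEROUS_EXT='exe|com|scr|pif|bat|cmd|vbs'

# check_listing: read "unzip -l" output on stdin; return 1 if any member
# name ends in one of DANGEROUS_EXT (case-insensitive), 0 otherwise.
check_listing() {
    # Member rows look like "  Length  Date  Time  Name": the first field
    # is a number and the name is everything from the fourth field on
    # (names may contain spaces). The trailing totals row has only three
    # fields and is skipped. Lower-casing catches "invoice.EXE" too.
    awk -v re="[.](${DANGEROUS_EXT})\$" '
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            name = $4
            for (i = 5; i <= NF; i++) name = name " " $i
            if (tolower(name) ~ re) found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# scan_zip_file FILE: list FILE with unzip and hand the listing to
# check_listing. Return 2 if unzip is missing or FILE is not a readable
# archive, so a broken or unreadable archive is never reported as clean.
scan_zip_file() {
    listing=$(unzip -l "$1" 2>/dev/null) || return 2
    printf '%s\n' "$listing" | check_listing
}

# sample_listing: a constructed "unzip -l" listing (not real data) so the
# check can be exercised without an archive or an unzip binary at hand.
sample_listing() {
    cat <<'EOF'
Archive:  sample.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      123  2003-04-24 15:03   README.txt
      456  2003-04-24 15:03   Photos/holiday.jpg
    78901  2003-04-24 15:03   My Documents/invoice.EXE
---------                     -------
    79480                     3 files
EOF
}

# clean_listing: a constructed listing with no executable member.
clean_listing() {
    cat <<'EOF'
Archive:  clean.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      123  2003-04-24 15:03   README.txt
---------                     -------
      123                     1 file
EOF
}

# Invoked by Anomy with a file argument: scan it and exit with the code
# above. With no argument, run the two constructed samples instead.
if [ "$#" -ge 1 ]; then
    scan_zip_file "$1"
    exit $?
else
    if sample_listing | check_listing; then
        echo "sample listing: clean"
    else
        echo "sample listing: flagged (exit $?)"
    fi
    if clean_listing | check_listing; then
        echo "clean listing: clean"
    else
        echo "clean listing: flagged (exit $?)"
    fi
fi
```

Two points worth keeping in mind when plugging something like this into a ruleset: it inspects names only, so a zip nested inside another zip is not recursed into and an executable with a harmless-looking extension is not caught, which is why the reply still recommends a real antivirus scanner alongside; and any failure to list the archive is deliberately reported as not clean, because a scanner that answers "clean" when it could not look is worse than no scanner.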