Filed in by Kirk Averett | February 28, 2005 12:02 pm
We are constantly updating our virus and spam filtering features. The sad reality is that virus and spam attacks change frequently so email providers have to keep up the pace or end up disappointing their customers.
Our Newest Filters
If one of our users sends an email with a virus in it, the email will not be delivered, and the user will receive an automated response from our server that lets the user know that their machine appears to be infected with a virus and needs to be disinfected. This is still “reactive” support, I know. But I just can’t think of a good way to download the right fix for each type of computer and each type of infection and then send that to the infected user. Let me know if anyone has any ideas.
We have also improved our scanning inside of attached graphics files (.png, .jpg, .gif) for certain types of viruses that use buffer overflows inside those graphics files to infect a new system.
Most commonly an email virus makes a fake “From” address for new emails it generates. A lot of people like to reply to an emailed virus and say something useful like, “Hey, Bob, you have a virus.” But because the “From” address was forged, Bob’s computer wasn’t really infected. Bob was simply another name in the address book of the infected computer. I did this once a long time ago. Sorry, Ted.
In an interesting but only partially related note, lots of anti-virus programs would auto-reply to these virus emails and accuse good people like Bob and Ted of being infected when they really weren’t. Our system at Webmail.us has always been smart and kind enough to not bother the addressees in the “From” field.
Anyway, a few viruses now use the real sender’s email address in the “From” field and use proper SMTP settings from the computer’s email program. In our case we can see these attempts and will be letting the user know that they need to look at running some anti-virus updates.
And we needed to increase our scanner’s abilities with graphics files. Some graphic files have a little information field that indicates the total size of the graphic file. But certain viruses now put in a bad piece of data in that size field and then tack on malicious computer instructions at the end of the graphic file that act as the virus. We’re now better at catching those viruses.
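A scanner can flag the two symptoms described above, a size field that disagrees with the file and extra bytes after the image ends, with a structural check like the following. This is an added example, not the Webmail.us scanner; the post does not name specific formats, so the choice of PNG (chunk lengths and the IEND end marker) and BMP (header file-size field), and all function names, are assumptions made for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def check_png(data):
    """Walk PNG chunks; flag bad length fields, bad CRCs and bytes after IEND."""
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            findings.append(f"chunk {ctype!r} declares {length} bytes, past end of file")
            return findings
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            findings.append(f"chunk {ctype!r} has a bad CRC")
        pos = end
        if ctype == b"IEND":
            if pos < len(data):
                findings.append(f"{len(data) - pos} bytes appended after IEND")
            return findings
    findings.append("no IEND chunk found")
    return findings

def check_bmp(data):
    """Compare the BMP header's declared file size with the real length."""
    if len(data) < 14:
        return ["truncated BMP header"]
    (declared,) = struct.unpack("<I", data[2:6])
    if declared != len(data):
        return [f"header declares {declared} bytes, file is {len(data)}"]
    return []

def check_image(data):
    if data.startswith(PNG_SIG):
        return check_png(data)
    if data.startswith(b"BM"):
        return check_bmp(data)
    return ["unrecognised format"]

def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

# Constructed samples: a minimal PNG, and the same file with bytes tacked on the end.
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) \
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
PADDED_PNG = CLEAN_PNG + b"A" * 32
```

A finding here is a reason to quarantine or inspect the attachment further, not proof of infection, since some benign image writers also produce inaccurate size fields or trailing metadata.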
The Order Of Things
We scan for viruses first. That way, if a message is infected with a virus, we can skip the spam filtering and save a little processing power for moving more legitimate email.
More To Come
I’ll give an overview of our entire virus and spam prevention approach sometime in the next few weeks for those of you who are curious.
Source URL: http://www.rackspace.com/blog/a-few-things-about-our-virus-and-spam-filtering/