Posted to users@spamassassin.apache.org by Thomas Cameron <th...@camerontech.com> on 2005/10/24 16:05:06 UTC

Using spam tools for viruses

Howdy -

I recently responded to a thread on a local LUG mailing list where a guy
wanted to report a virus as spam.  I have always thought that using a
spam tool to fight viruses was wrong, and I said so.  He asked why, and
basically my response was "use the right tool for the job," as in use a
virus tool for viruses, and use a spam tool for spam.

What is the "conventional wisdom" on this list?  Should viruses be
reported as spam?  If so, why?  If not, why not?

Thanks!
Thomas


Re: Using spam tools for viruses

Posted by JamesDR <ro...@bellsouth.net>.
Thomas Cameron wrote:
> Howdy -
> 
> I recently responded to a thread on a local LUG mailing list where a guy
> wanted to report a virus as spam.  I have always thought that using a
> spam tool to fight viruses was wrong, and I said so.  He asked why, and
> basically my response was "use the right tool for the job," as in use a
> virus tool for viruses, and use a spam tool for spam.
> 
> What is the "conventional wisdom" on this list?  Should viruses be
> reported as spam?  If so, why?  If not, why not?
> 
> Thanks!
> Thomas
> 
> 
Yes and no. Normally what I do if a host is streaming out many viruses
to my server, and its IP address is in a US based range owned by an ISP
I recognize, I'll usually call their ISP and tell them that one of their
customers is infected, and it would be nice to let them know before they
are RBL'd (not talking about res dynamic accounts, RBLs handle that.) 9
times out of 10, the stream of viruses stops. I won't report them for
spam, because often enough, it's a SOHO that has one computer infected.
Things happen (they shouldn't if everyone was a perfect admin, but we're
human) and often times, there is no administrator on site to handle the
normal biz of systems admin. I don't use SA for virus scanning -- it is
not for that. I use clamav mostly for that purpose, and it has worked well
for me for quite some time.  SA isn't as efficient as clamav is at
detecting viruses (amount of memory/cpu.) Like you said, right tool,
right job.
There is the matter of virus notifications -- these are spam. I don't
want to hear if someone spoofed my address, and sent you a bazillion
emails with a virus attached -- not my problem. Check my SPF records;
that sender is not in the allowed list to send mails from. These I do
report.

-- 
Thanks,
JamesDR

Re: Using spam tools for viruses

Posted by Alan Premselaar <al...@12inch.com>.
Thomas Cameron wrote:
> Howdy -
> 
> I recently responded to a thread on a local LUG mailing list where a guy
> wanted to report a virus as spam.  I have always thought that using a
> spam tool to fight viruses was wrong, and I said so.  He asked why, and
> basically my response was "use the right tool for the job," as in use a
> virus tool for viruses, and use a spam tool for spam.
> 
> What is the "conventional wisdom" on this list?  Should viruses be
> reported as spam?  If so, why?  If not, why not?
> 
> Thanks!
> Thomas
> 

Thomas,

  here's my 2 cents worth.  It seems like you have two separate
scenarios you're talking about here: actual virus protection and,
separately, reporting.

I personally think it's important (also) to use the right tools for the
right job, therefore I use both anti-virus software *AND* anti-spam
software.  It's also important to understand what these products do and
what their individual limitations are and how to get them to complement
each other in your installation.

With regards to reporting a virus as spam, if the virus is sending an
email that is spammy, I think it doesn't hurt to record and report
those emails as spam.  It will help to train your bayesian database and
also help community services (e.g. DCC, Spamcop, Razor, etc.) to provide
information about the characteristics of that mail.  HOWEVER, reporting
the virus signature is a different story.  I don't think the actual
virus signature should be reported as spam.

lastly, there's the general logic of "do you want one product that does
a whole bunch of things but in a mediocre way? or do you want a bunch of
products that do one thing really really well?"

alan

Re: Using spam tools for viruses

Posted by Nix <ni...@esperi.org.uk>.
On Mon, 24 Oct 2005, wayne@schlitt.net whispered secretively:
> I'm not sure what the SA folks think about this nowadays.  A while
> back, they removed the checks for MS executables as being spam
> indicators even though the test actually is a very good indicator of
> spam.

That's because it didn't work very well. The new AntiVirus plugin
does a much better job, but note that it is *not* an antivirus plugin
despite the name: it's a suspect-extension-and-content-type detector,
so if your users are in the habit of mailing executables or PowerPoint
documents or things of that nature around, the plugin will cause FPs.

>         Instead, SA is detecting email worms via the Bayesian analysis,
> detecting keywords that match MS executables, even though it doesn't
> do anywhere near as good a job.

That's because there aren't many such keywords.

> Email worms are one of the most dangerous and destructive forms of
> UBE.  They directly lead to open proxies that are used for "regular"
> spam.  IMHO, they should be paid *more* attention to than "regular"
> spam, not less.

The problem is that the properties of worms are totally different to the
properties of spam. Spam is wildly variable but intended to contain
components that are read by human beings, and the vast majority of
SpamAssassin's rules look for things on that basis. Worms are vast lumps
of mostly-invariant binary data: the regex rules, the URIBL system, and
the Bayesian analyzer are mostly useless on them, and that doesn't
really leave very much bar header analysis (and half of those rules are
useless on worms too). SA has *no* facilities for spotting patterns in
big lumps of binary data, let alone automated partial disassembly and
static behavioural analysis routines, unpackers for UPX and OLE
unpackers and so on, like many virus scanners have. There is almost no
overlap between the jobs they have to do, or between the nature of the
emails they trap.

Plus, even with the sa-update system, worms change so fast that, with
SA's regex matching and URIBL rendered useless by the binary-lump nature
of worms, SA would never spot most new worms. (The only reason it spots
most spam is because rules that caught old spam often catch new spam
too.  Rules meant to catch old worms pretty much *never* catch new ones
unless, like the MICROSOFT_EXECUTABLE rule, they're so general that they
could easily catch lots of stuff that isn't wormy as well.)

Plus, worms are often so large that scanning them with SA is
astonishingly inefficient. SA is many, many times slower than a
dedicated tool like clamav and can never do as good a job as one of
them. SA would need *tens of thousands* of individually crafted
anti-worm rules to do as good a job as clamav --- and that's *orders of
magnitude* more rules than SA has right now. It'd become unimaginably
slow and immensely bloated, and would *still* do a bad job.


So even though they're UBE, executable lumps aren't something that SA
can efficiently spot. (Equally, though, sometimes antivirus tools like
clamav start attacking things that perhaps they shouldn't: clamav
catches some phishing scams, so those of us with corpuses have had to
stop it rejecting such mails lest it bias the corpuses, as SA *is*
intended to catch phish.)

-- 
`"Gun-wielding recluse gunned down by local police" isn't the epitaph
 I want. I am hoping for "Witnesses reported the sound up to two hundred
 kilometers away" or "Last body part finally located".' --- James Nicoll
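
Nix's point that the AntiVirus plugin is really a suspect-extension-and-content-type detector, and therefore flags legitimate executables or PowerPoint decks just as readily as a worm, is illustrated with the added Python example below (my own code, not SpamAssassin's plugin); the extension and MIME-type lists are assumed for illustration, and the sample messages are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this illustration only; SpamAssassin's real plugin
# ships its own, longer lists. Note that PowerPoint sits next to .exe here,
# which is exactly why such a detector produces false positives.
SUSPECT_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".ppt", ".pps"}
SUSPECT_TYPES = {
    "application/x-msdownload",
    "application/vnd.ms-powerpoint",
    "application/octet-stream",
}


def suspect_parts(raw: bytes):
    """Return (filename, content_type) for every non-multipart MIME part whose
    attachment extension or declared content type is on a suspect list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SUSPECT_EXTENSIONS or ctype in SUSPECT_TYPES:
            hits.append((name, ctype))
    return hits


def build_message(filename, content_type, payload=b"\x00" * 16):
    """Construct a sample message with one attachment (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "file attached"
    msg.set_content("see attached")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# A worm-like mail and a legitimate deck look identical to this kind of check.
WORM_LIKE = build_message("invoice.exe", "application/octet-stream")
LEGIT_DECK = build_message("quarterly.ppt", "application/vnd.ms-powerpoint")
CLEAN_PDF = build_message("report.pdf", "application/pdf")
```

Both WORM_LIKE and LEGIT_DECK are flagged by `suspect_parts`, while CLEAN_PDF is not; the detector never looks inside the payload, so it cannot tell a worm from a user's slide deck.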

Re: Using spam tools for viruses

Posted by wayne <wa...@schlitt.net>.
In <11...@ml110.camerontech.com> Thomas Cameron <th...@camerontech.com> writes:

> I recently responded to a thread on a local LUG mailing list where a guy
> wanted to report a virus as spam.  [...]
>
> What is the "conventional wisdom" on this list?  Should viruses be
> reported as spam?  If so, why?  If not, why not?

I think it is very important to distinguish between different types of
viruses and worms.

An anti-spam tool is not going to be very effective or useful in
locating and removing viruses and worms that infect things like MS
Word documents, spreadsheets, and legitimate executables that have
been corrupted with a virus.  These are worms and viruses that
propagate via other means that just happen to be in email.


Viruses and worms that propagate via email, such as Klez, Mydoom,
etc. are Unsolicited Bulk Email (aka UBE), and thus are hard for
anti-spam tools to *NOT* detect.


For reasons I have never agreed with, many people view email worms to
not be "spam".  Some of these people think that only UCE is spam.
Others seem to think that it is "unfair" to report infected machines
as sending spam.  This is slowly changing.  Spamcop, for example, has
changed their policy and now lets you report email worms as spam.
Abuse desks (that would act on "regular" spam) are no longer
dismissing complaints about infected machines and are taking actions
to get these machines fixed.


I'm not sure what the SA folks think about this nowadays.  A while
back, they removed the checks for MS executables as being spam
indicators even though the test actually is a very good indicator of
spam.  Instead, SA is detecting email worms via the Bayesian analysis,
detecting keywords that match MS executables, even though it doesn't
do anywhere near as good a job.


Email worms are one of the most dangerous and destructive forms of
UBE.  They directly lead to open proxies that are used for "regular"
spam.  IMHO, they should be paid *more* attention to than "regular"
spam, not less.


-wayne