"Virus via email" is dwindling, but not dying. I regularly see scams reported where people are asked to open the attachment, which purports to be some purpose but is of course a virus. For example: http://www.f-secure.com/weblog/#00001149 >From my own content, I see that old viruses are not dying out; people who are infected tend to stay infected. I suspect this is for multiple reasons, e.g. malware reports to their ISP are ignored, and many families of malware deliberately break the installed antivirus application, so subsequent pattern updates will never catch the malware that is already installed. I also use AVAFTERMJM in my Declude.Virus config file, because I find that my content is generally spam or ham, and not viral. Most of my inbound viruses are caught as spam. To get more accurate stats, I nightly virus scan my spam HOLD folder for today's spam, then record the counts. I'm attaching a graph in PNG format of the last 6 months of traffic. No fancy tools here, just manually pasting the daily values into Excel and making a chart. You can see that almost all of virus catching is either custom Declude filters to catch outbreaks of certain viruses, e.g. a specific SUBJECT or BODY text, or general spamminess, such as lighting up DYNA blacklists and having BADHEADERS with enough weight to HOLD the message. I don't use a greylisting or tarpitting front-end MTA like Alligate but if I did, I suspect that my inbound virus counts would be much lower, as I expect that all of these old virus SMTP libraries will not survive the greylisting or tarpitting, so the actual virus payload will not make it inbound to my Declude software for spam and virus scanning. Andrew 8)

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, March 26, 2007 5:38 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] virus via e-mail getting rare

Hi,

Is "virus via e-mail" a dying breed? There are days where I barely get any viruses via e-mail. Most of what gets caught is malformed mail, 99% spam.

I just did a test to see if my virusscanners are still working correctly, eicar is still being caught by both F-prot and Sophos so all seems to be working. Both scanners are also correctly updating their database.

Kind regards,
Bonno Bloksma
Head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> / www.tio.nl <http://www.tio.nl>

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.

Attachment: VirusVolumes.png