ClamAV

My users are generally good at not clicking on the infected attachment when there’s a mass-mailing worm going around, but we still have to pick through dozens of these emails. To keep them from hitting the mail server to start with, we just installed Clam AntiVirus. Yes, reading Slashdot comments for articles is sometimes useful. When we looked at the MTA antivirus problem early last year, the open source solutions didn’t seem to fit well, or didn’t seem ready, but ClamAV works very well. Currently, not quite a week after the main Worm.SCO.A outbreak, we’re getting about 1 such email every minute or two.

Note that I had issues with the clamav-milter that ships with ClamAV. Things broke when the number of pre-spawned child processes was exhausted by a burst of email, or by processes that got stuck for some reason; there were progressively more clamfi_abort messages in the log. We switched over to smtp-vilter, which seems more stable, though a bit of a pain to install (the gotchas have to do with its chroot, and the creation of the necessary files/folders therein).

Products like ClamAV make me wonder how commercial anti-virus software can stay in business, at least for MTA scanning. ClamAV is free (in terms of both beer and speech) and is updated as fast as the big companies. The main problem for ClamAV is that there’s no program to intercept Windows calls; but this is an issue for desktop use, not for the mass-mailing worms. Anyway, there’s a perceptive piece at attrition.org that talks about how those annoying and useless emails that anti-virus software sends out are fundamentally spam, especially since the vendors know that the mass-mailing worms forge their From: lines.

Last observation: most of the Worm.SCO.A mail seems to be targeted at non-existent email accounts. Not just defunct accounts (that’s obvious), but also accounts that never existed. These non-existent accounts are of the form common-name@example.com, e.g., betty@example.com, john@example.com, and so on. Joel speculates that these non-existent accounts are the result of spam sitting in people’s mailboxes. When Worm.SCO.A scans the mailspool of an infected computer, it’s using the fake From: addresses generated by spammers as To: addresses for virus mailings. If this scenario is true, then spammers have made the mass-mailing worms less efficient.

Update: 864 instances where the MTA blocked a virus on 1/30/04, of which 826 were Worm.SCO.A, 35 were Worm.Gibe.F, and one each of Worm.Sober.C1, Worm.Dumaru.A and (nostalgia!) Klez.H.

Update 2: Version 0.65 had stability issues, which caused the MTA not to work very well. I can try the CVS version, or wait for 0.66. I think I’ll do the latter.