Jonathan Morton explained:
I did the same with SpamAssassin when Sobig.F started hitting me with
hundreds per day (bounces and infections alike). I manually set the
MICROSOFT_EXECUTABLE score to 10.0 (the default score is only 0.3) and
set up Procmail to dump messages above 8.0. I'm pretty sure that dealt
with over 99% of the problem.
I personally think that nearly all ISPs, especially those with a large
proportion of newbies, should delete directly-executable attachments
without question.

While there is an autocratic part of me that agrees most heavily with what you
say, I also fear the hubris inherent in the situation. This is why I think an
isolation place or spamtrap equivalent is what is called for. That way the user
can determine whether or not they really want that piece of e-mail. On the
gripping hand, however, I have rarely received an executable by e-mail from anyone
except someone I have had long conversations with (i.e. OEM technical support).

The nice thing about a spamtrap (at least the way I have designed/implemented it)
is that I can get an audit trail of messages and who approved them. So in the
case of a virus, you can know which employee is a FWM and started the infection
process.
---eric
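
The isolation-with-audit-trail idea from the reply above, as an added example (not code from the thread or from eric's spamtrap): mail carrying a directly-executable attachment is held instead of deleted, and every release records who approved it. The extension list, class and function names, and the sample message are assumptions constructed for illustration.

```python
import email, time
from email import policy
from email.message import EmailMessage

# Assumed list of directly-executable extensions (illustrative, not from the thread).
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat")

def executable_attachments(msg):
    """Return filenames of MIME parts with a directly-executable extension."""
    return [p.get_filename() for p in msg.walk()
            if (p.get_filename() or "").lower().endswith(EXECUTABLE_EXT)]

class Quarantine:
    def __init__(self):
        self.held = {}    # Message-ID -> raw message bytes
        self.audit = []   # append-only list of audit events

    def _log(self, event, msg_id, **extra):
        self.audit.append({"ts": time.time(), "event": event, "id": msg_id, **extra})

    def receive(self, raw):
        """Return True if the mail is delivered normally, False if it is held."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        names = executable_attachments(msg)
        if not names:
            return True
        msg_id = str(msg["Message-ID"]).strip()
        self.held[msg_id] = raw
        self._log("quarantined", msg_id, sender=str(msg["From"]), files=names)
        return False

    def release(self, msg_id, approver):
        """Hand the held mail back and record who approved the release."""
        raw = self.held.pop(msg_id)
        self._log("released", msg_id, approver=approver)
        return raw

    def approvers_of(self, msg_id):
        return [e["approver"] for e in self.audit
                if e["event"] == "released" and e["id"] == msg_id]

def sample_message(filename="details.pif"):
    """Constructed test message with one attachment (not real traffic)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Message-ID"] = "<constructed-1@example.com>"
    m.set_content("see attached")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
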