Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Thu, 21 Feb 2008 11:31:02 +0100
Dear Valdis, Interesting, have you compared your results with another scanner ? If you just scan with ClamAV you can't obviously really tell what you missed that other scanners found. On Wed, Feb 20, 2008 at 11:59 PM, <Valdis.Kletnieks () vt edu> wrote:
On Wed, 20 Feb 2008 17:48:10 +0300, Eygene Ryabinkin said: > Tue, Feb 19, 2008 at 07:46:35PM +0100, Faas M. Mathiasen wrote: > > ClamAV ? Lowest detection rate in the industry, > > Possibly... Where is the statistics? Let's inject a little bit of actual reality here, shall we? When you look at the crap that *actually arrives*, the vast majority of it is so old that almost *everything* should be catching it. Our main mailscanner hub statistics for last week: Date: Mon, 18 Feb 2008 01:12:02 -0500 Weekly Virus Summary 3581 Total Virus Detections Breakdown by Virus Family: 692 MYDOOM (19.32%) 615 PUSHDO (17.17%) 605 NETSKY (16.89%) 302 MYTOB ( 8.43%) 286 IFRAME ( 7.99%) 149 VIRUT ( 4.16%) 143 BUGBEAR ( 3.99%) 135 ( 3.77%) 123 NYXEM ( 3.43%) 112 SALITY ( 3.13%) 97 ZAFI ( 2.71%) 77 BAGLE ( 2.15%) 65 LOVGATE ( 1.82%) 42 DLOADR ( 1.17%) 25 ENCPK ( 0.7%) 17 PUSHU ( 0.47%) 15 DUMARU ( 0.42%) There we go. The top 17 accounted for 3,500 out of 3,581 of the detects, or 97.7% of them. And before you ask, yes, I'm pretty sure there weren't any floods of fail-to-detects caused by some new unknown in the last week, or it would have been all over the various security lists. OK, so maybe 2 dozen or so missed detects got through. However... Once you get to 95% or 97% on the e-mail scanning, your user community is much more in danger of getting nailed by something they got off a P2P net or a drive-by fruiting from some website they visited.
Current thread:
- Re: Possible Mail server compromise ?, (continued)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 13)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 19)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Eygene Ryabinkin (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- Re: Possible Mail server compromise ? Paul Schmehl (Feb 21)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Peter Kosinar (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- RE: Possible Mail server compromise ? Richard C Lewis (Feb 22)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 26)
- Re: Possible Mail server compromise ? Eduardo Tongson (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)