Home / Blogs

ClamAV and the Case of the Missing Mail

Neil Schwartzman

Some email discussion lists were all atwitter yesterday, as Sourcefire's open-source anti-virus engine ClamAV version 0.94.x reached its end-of-life.

Rather than simply phase this geriatric version out (it was at least one year old, revised to versions .95 and .96 since release, and announcements about the need to upgrade had been made for six months) the development team put to halt instances of V0.94 in production yesterday, April 15, 2010. This was to protect users from an issue that existed with the older version in terms of its inability to be updated with fresh virus signatures.

In other words, the ClamAV developers caused version .94 to stop working entirely, and, depending upon the implementation, that meant email to systems using ClamAV also stopped flowing.

Yikes. Several high-profile anti-spam services were hit with an unanticipated shutdown, for example, Roaring Penguin's CANIT, with large incursion into the educational market reported incidents of downed systems. Michelle Sullivan of GFI Mail Essentials' SORBS also noted the inbound servers for the blacklist took a hit.

The Twitterverse wasn't pleased either — numerous systems administrators have been tweeting their chagrin at the move.

Some sender-side mailing lists noted a 3-5% drop in email deliverability yesterday; that sounds very much on the high side, given such figures invariably change from list to list. No major ISPs and receiving sites are using ClamAV on their production mail servers, but nonetheless, the concern isn't so much about dropped mails. By now, email systems have been re-arranged or upgraded.

Rather it is the reliance upon out-dated systems and anti-virus software. With zero-day exploits and a constant flow of malware, the latest and greatest commercial anti-virus software packages are only able to flag, at best, half of the viruses live on the net; at least 50% go undetected. Out-of-date anti-virus software is generally less effective at catching malware, and out-of-date system software tends to be much more vulnerable to exploit.

There were no winners here, recipients didn't get mail, receiver systems dropped mail, senders failed to get through, two high-profile spam-filtering services were adversely affected, and Sourcefire took it on the chin.

By Neil Schwartzman, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE. More blog posts from Neil Schwartzman can also be read here.

Related topics: Cyberattack, Email, Malware, Spam

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

CANIT Update Neil Schwartzman  –  Apr 16, 2010 11:33 AM PST

David Skoll of Roaring Penguin corrected me:

Hi Neil,

You wrote:

"Roaring Penguin's CANIT, with large incursion into the educational
market reported incidents of downed systems."

Actually, we reported no such thing.  We anticipated problems and
complained on the Clam mailing list; we never reported downed
systems.

Regards,

David.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Port25 Announces Release of PowerMTA V4.5r5

New Case Study: Jobtome.com Replaces 30 Postfix Servers with a Single PowerMTA

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

An Update on Port25 and the Future of PowerMTA - One Year Later​

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

V12 Group Sustains Customer Satisfaction by Deploying PowerMTA for Launchpad Platform

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Afilias

DNS Security

Sponsored by
Afilias
Port25

Email

Sponsored by
Port25