But one of the emails I got was very interesting.
The subject of three of the emails was: "1/24/2016 10:42:18 AM" (or a similar date and time). The fourth one said "[WARNING: VIRUS REMOVED] 2/2/2016 7:59:52 AM". So I looked at the header.
Received: from ipb4.telenor.se (ipb4.telenor.se [220.127.116.11]) by
smtprelay-h12.telenor.se (Postfix) with ESMTP id 66690E996D; Wed,
3 Feb 2016 08:04:50 +0100 (CET)
X-Ironport-Av: E=Sophos;i="5.22,388,1449529200"; v="Mal/DrodZp-A'5'rd";
Subject: [WARNING: VIRUS REMOVED] =?ISO-8859-1?Q?2=2F2=2F2016_7=3A59=3A52_AM?=
Received: from ua-83-227-178-74.cust.bredbandsbolaget.se (HELO
server.herdevall.se) ([18.104.22.168]) by ipb4.telenor.se with ESMTP;
02 Feb 2016 07:59:59 +0100
Received: from localhost (localhost [127.0.0.1]) by server.herdevall.se
(Postfix) with ESMTP id 8BB8725A26CF; Tue, 2 Feb 2016 07:59:55 +0100
X-Virus-Scanned: amavisd-new at herdevall.se
Received: from server.herdevall.se ([127.0.0.1]) by localhost
(server.herdevall.se [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
0jsyqQDombg1; Tue, 2 Feb 2016 07:59:55 +0100 (CET)
Received: from xserver.herdevall.se (unknown [22.214.171.124]) by
server.herdevall.se (Postfix) with ESMTPA id 99ADD25A26B7; Tue,
2 Feb 2016 07:59:53 +0100 (CET)
From: "micheline101" <firstname.lastname@example.org>
Yes, I know it's gibberish, but let me explain it to you. Email gets to you via a server a long way away from you. In this case, it came from xserver.herdevall.se. But that server was running a malware scanner (Sophos, version 5.22,384,1449529200), and that scanner spotted the malware (on one of the other emails, where it wasn't removed, VirusTotal said that Sophos was one of the products that spotted it).
So the Sophos product remover the malware before forwarding the email, and put the [WARNING: VIRUS REMOVED] in the subject.
This is more like it! The virus was removed before it was even mailed across the internet. But it's just a start. Here's what I think should happen.
1) More ISPs should be doing something like this, both at source and destination.
3) And with a bit of thought, a whole bunch of other categories of malware can be stripped out.
4) For example, any PDF file with the malformation that caused the exploit to trigger should be stripped out.
5) Any Word file of Excel file should have macros stripped out.