[Mimedefang] Best method of dealing with automatic-propagation virus mails

Edward Wildgoose Edward.Wildgoose at FRMHedge.com
Tue Oct 29 13:27:01 EST 2002


Les,

We are talking somewhat cross purposes I think, however, regardless of that I suspect that bashing my point harder and harder isn't going to convince you and I don't have a new incisive argument so I won't waste your time by flogging this argument to bits.

However, if you will bear with me a little longer I would like to pick up two points from your email.

1) The first point.  I think there is a difference because the chain of SMTP servers is usually quite short, something like desktop goes to smart MX which goes to main destination MX which probably either delivers or hands over to an internal MX and delivers.

The point being that the "smart MX" is the hub and the first point of contact for most infected desktop machines.  If you could put even minimal virus blocking on a majority of Smart SMTP relays (and I kind of used the phrase "Large ISP", but really I meant the big hubs that most desktop users drop their mail into), then I suspect that you would eliminate a lot of problems at source.  It is *likely* to be very easy for the owner of the Smart Relay machine to know who is virus infected because they are probably the ISP for the person in question and can tie accounting records together, yada yada

2) I honestly hope that it doesn't make things worse for everyone else (but I can see that it isn't clear cut), I certainly wouldn't advocate it if I thought it did.  My gut feeling is that it is simply the lesser of a number of evils.

The real crunch is that many admins are actually on shaky legal ground to simply drop email.  Clearly you can't reliably inform the sender, and the recipient is more and more likely to be uninterested in knowing about a virus.  However, let's suppose the world evolves again (and it will) and viruses start to transit in document files again (deliberately sent by user).  Now we are back to my "big CEO" example who will be annoyed that your mail server is quietly dropping his email without telling ANYONE!

People waste a lot of time with email black holes.  I have wasted a ton of time with people who claim that anything sent by X to me always gets lost (they had a "rule" set in Outlook to file in a sub-folder), and email which never arrived from a client (14 hours later the mail arrived and the timestamps in the header clearly showed their mail server sat on it for 13:59.59 - However, they still ring us up and blame us every time it happens again and we still have to waste the time investigating in case it is our fault...)

So emotionally I would prefer a solution which doesn't create an email black hole.  To me at least the "reject" is the better of two evils (and personally I think the only other option is to accept the mail, "bin it" and warn the recipient).

OK, I have laboured this too far.  Thanks for listening.

Ed W

-----Original Message-----
From: Les Mikesell [mailto:les at futuresource.com]

> I really don't see that it is any more complicated than
> this.  I personally would love to just accept the virus
> and drop it quietly, but this is unethical (see other email).
> You should NEVER quietly discard email and not tell someone.

Yes, this is why there is no practical difference in accepting,
then bouncing or rejecting at the SMTP level.  You are forcing
the prior hop to perform exactly the same bounce and it is
wrong for the same reason it would be wrong to do it yourself.


> So the next best thing would be for us all to just reject
> connections that we don't like and if enough people do it
> then eventually we are rejecting the connection at source
> (this has got to be a clue to the poor infected soul if
> they can't click send/recv without getting an error message
> from their ISP which says "Sorry you are infected with a
> virus you may not send email...", and the stuff never gets
> out in the first place.

Sorry, but I can't agree that the right way to fix a problem
is to make it worse for everyone else.  The source of the
problem isn't from ISPs anyway, it is the vulnerable software
that a certain monopoly put on everyone's desktop a few years
ago.  If you can figure out how to get rid of that, I'm with
you...
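The two outcomes Ed is willing to accept (reject at SMTP time so the previous hop gets an error, or accept, quarantine and warn the recipient, but never a silent drop) map onto MIMEDefang filter actions. The fragment below is an added example, not code from this thread or from the MIMEDefang project; it is a piece of a `mimedefang-filter` and only runs inside MIMEDefang. The function and variable names (`filter_end`, `message_rejected`, `message_contains_virus`, `action_tempfail`, `action_bounce`, `action_quarantine_entire_message`, `action_discard`, `send_mail`, `$VirusName`, `$Sender`, `$Subject`, `@Recipients`) are taken from the mimedefang-filter(5) manual as I recall it; the `$VirusPolicy` knob is my own invention. Check the names and the `message_contains_virus` return values against the manual shipped with your version before using it.

```perl
# Added example: fragment of /etc/mail/mimedefang-filter showing the two
# non-black-hole outcomes from the thread. Function names follow the
# mimedefang-filter(5) manual as remembered; verify against your version.
use strict;
use warnings;

# Policy knob (assumed; not a MIMEDefang setting):
#   'reject'              -> fail the SMTP transaction with a 5xx
#   'quarantine-and-warn' -> accept, keep a copy, drop, tell each recipient
my $VirusPolicy = 'reject';

sub filter_end {
    my ($entity) = @_;

    # An earlier filter_* callback may already have rejected the message.
    return if message_rejected();

    # Ask the configured scanner about the whole message.
    # Assumed to return ($code, $category, $action): $code is non-zero when a
    # virus was found, $category is 'cannot-execute' on scanner failure, and
    # MIMEDefang sets $VirusName to the scanner's name for the virus.
    my ($code, $category, $action) = message_contains_virus();

    if (defined $category && $category eq 'cannot-execute') {
        # Scanner outage: tempfail so the previous hop retries later,
        # instead of silently passing or dropping the message.
        action_tempfail("Virus scanner unavailable, please try again later");
        return;
    }
    return unless $code;

    my $what = $VirusName || 'an unnamed virus';

    if ($VirusPolicy eq 'reject') {
        # Despite its name, action_bounce does not send a bounce message:
        # it fails the SMTP transaction with a 5xx reply, so the previous
        # hop (e.g. the infected desktop's smart relay) sees the error at
        # once and nothing is silently lost.
        action_bounce("Rejected: message contains $what", 554, "5.7.1");
        return;
    }

    # 'quarantine-and-warn': accept the message, keep a copy for the admin,
    # discard the original, and tell every envelope recipient what happened
    # so there is no email black hole.
    action_quarantine_entire_message("Virus detected: $what");
    action_discard();

    foreach my $rcpt (@Recipients) {
        my $body = "From: postmaster\n"
                 . "To: $rcpt\n"
                 . "Subject: Virus removed from a message addressed to you\n"
                 . "\n"
                 . "A message from $Sender with subject \"$Subject\"\n"
                 . "contained $what and was not delivered to you.\n"
                 . "A copy has been quarantined; contact postmaster if\n"
                 . "you believe this was a legitimate message.\n";
        # Assumed signature: send_mail($fromAddr, $fromFull, $recipient, $body)
        send_mail("postmaster", "Postmaster", $rcpt, $body);
    }
}

# Required by MIMEDefang at the end of the filter file.
1;
```

The tempfail branch matters as much as the reject branch: when the scanner is down, a 4xx keeps the previous hop retrying, whereas either passing unscanned mail or discarding it recreates exactly the uncertainty Ed complains about.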




