[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Les Mikesell les at futuresource.com
Fri Jul 1 11:06:06 EDT 2005


On Fri, 2005-07-01 at 08:24, Jim McCullars wrote:

> > No, this is the other side of the same SMTP conversation.  I'm asking
> > you to consider what a rejection sets in motion.
> 
>    Because I am scanning at the MX for my domain, and because the vast
> majority of these viruses come from a hijacked PC with its own SMTP engine
> that don't do returns, I think that most of them end there.

Once again, consider what happens in this scenario: a new virus is
introduced that your scanner doesn't catch yet.  A machine in your
domain is sending messages with every permutation of addresses it
can find in its contact list and received emails as the To: and From:
addresses through your outbound relay.  A receiving relay has a
better scanner or just pulled the update that catches this one.  Would
you prefer it to drop the message quietly or issue a reject, knowing
that the bounce to the forged From: is very likely to infect another
one of your users' machines?

If there are 8,000 new viruses introduced in a year and it takes
several days to identify them in the scanners, this is not at all
unlikely. Our company submitted one to McAfee, Symantec, and Clam
on a weekend and the update didn't include it until Tuesday for
McAfee and Symantec, and Clam didn't add it until we resubmitted
with one of the commercial scanner's identifiers.  That one was
generating so much network traffic that it literally took down the
network - our redundant Ciscos both decided to take over because
they couldn't see each other's HSRP heartbeats.  After that experience
I'm convinced that anything that identifies a virus should do
everything possible to make sure it does not reach another Windows
machine.

> > There really is no question about what you have to do with a negative
> > DSN from the next MTA.  Likewise they have no choice about what to
> > do when you issue one.
> 
>    Again, you are assuming that these virus programs perform to standards.
> I think this is an erroneous assumption.

No, I am talking about programs that forward through the relay they
find configured in outlook.  Some do, some don't.  I'd expect more and
more to do that, or try both ways as more ISPs block port 25 to home
connections except to their own relays.  The reason viruses keep getting
worse is that each new one can combine all of the old ways of spreading
to have a better chance to spread before the scanner definitions start
to block them.

-- 
  Les Mikesell
   les at futuresource.com
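
The choice the two posters are arguing about (silently discard an infected message, or reject it at SMTP time and let the previous hop generate the bounce) comes down to one branch in a MIMEDefang filter. The fragment below is an added illustration written for this archive page; it is not code from the thread or from the MIMEDefang project's own default filter. It assumes the standard MIMEDefang filter API (`message_contains_virus()`, `$VirusName`, `$Sender`, `$RelayAddr`, `action_discard()`, `action_bounce()`, `md_syslog()`); the `$RejectVirusesAtSmtpTime` toggle is a hypothetical name chosen for the example.

```perl
# Example mimedefang-filter fragment (added illustration, not from this thread).
# Assumes the standard MIMEDefang filter API: message_contains_virus(),
# $VirusName, $Sender, $RelayAddr, action_discard(), action_bounce(), md_syslog().

# Hypothetical toggle: 0 = accept and drop silently, 1 = reject with a 5xx.
# A 5xx reject queues nothing here, but if the previous hop is a relay it
# will build a DSN to the envelope sender, and for a mass-mailing worm that
# address is almost always forged from someone's address book.
my $RejectVirusesAtSmtpTime = 0;

sub filter_end {
    my ($entity) = @_;

    # Nothing to do unless the configured scanner flagged the message.
    return unless message_contains_virus();

    # Record the event so it can be traced later, without delivering
    # or bouncing the payload anywhere.
    md_syslog('warning',
        "Virus $VirusName from <$Sender> via $RelayAddr: "
        . ($RejectVirusesAtSmtpTime ? "rejecting" : "discarding"));

    if ($RejectVirusesAtSmtpTime) {
        # SMTP-time reject: the responsibility for the DSN moves to the
        # sending MTA, which is the scenario described in the post above.
        action_bounce("Message contains virus $VirusName", 554, "5.7.1");
    } else {
        # Silent discard: no DSN is generated by anyone in the chain.
        action_discard();
    }
    return;
}

# MIMEDefang requires the filter file to evaluate to true.
1;
```

With the toggle left at 0 this matches the position argued in the post: once a message is identified as carrying a worm, nothing should cause a copy of it (bounce included) to be sent on to another address harvested from the infected machine.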