[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Thu Jun 30 13:45:33 EDT 2005


Matthew.van.Erde wrote:
 
> I see your point...

Finally (kidding)...

> I do have two more things to say though.
> 
> 1. I do plenty of rejections before DATA time.  For example, I reject
> invalid addresses at RCPT time, before I have a chance to scan for
> viruses.  Isn't it this also bad under your standards?  It also results in
> viruses-wrapped-in-NDRs being delivered to innocent bystanders.  Are you
> suggesting I should defer all rejections until after I've scanned the
> data?

Not at all. I absolutely do the same thing you do.  We definitely reject
tons of email before the SMTP data phase thanks to RBLs (spamhaus, for
example); plus we use greylisting/tempfails, which occurs before the data
phase in our configuration. However, because we reject mail from known bad
networks BEFORE the data phase, we never know if the email contained a virus
or not. There is risk in this -- yes, we could, indeed, reject a virus and
send it spiraling down to someone else, but stuff listed on RBLs tends to be
rejected more widely, so I'm comfortable with it. We always educate our
clients that by putting our trust in Spamhaus, we have to consider that no
one is perfect and that Spamhaus could blacklist a legit business or person;
but Spamhaus clearly has a good system in place for blacklisting, and we
have yet to have a false positive from Spamhaus.  Also, rejections before
the data phase clearly reduce overhead, so that alone is worth it.  

My belief is that once we KNOW (from the AV scanner) that a message is
infected, we throw it out.  Otherwise, for more questionable stuff (like
domain mismatches, spam, etc.), we certainly always reject.  The question I
would throw back at you is: why reject something that the AV scanner already
KNOWS is a virus?  Why perpetuate the problem potentially further than it
has already gone?    

Don't be surprised if viruses become even smarter in the future (if this is
not the case already); the virus could easily perform its own RBL lookups on
the IPs it is forging to ensure that the IP is not rejected based on
an RBL, such as Spamhaus.

> 2. Imagine a USPS mail counter.  Someone walks up to the counter with a
> 5lb package that has wires sticking out of it, smells of gasoline, and is
> ticking.  The package has plenty of postage and the return address is the
> White House.  (This USPS mail counter is not in the same ZIP code as the
> White House.)
> 
> What is the mail clerk to do?
> 

I think in this post 9/11 era this incident would wind up on the NBC
national news.  No way that package is getting to its recipient.  I see your
argument though, and it's certainly intriguing, but I don't think it adds
too much support for your position.

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
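The policy argued above (reject known-bad relays and unknown recipients before DATA, but silently discard rather than bounce once the scanner has confirmed a virus) can be expressed directly in a MIMEDefang filter. The fragment below is an added example written for this page, not code from the original post or from the MIMEDefang project's sample filter. It assumes the functions and globals that mimedefang.pl provides to the filter (relay_is_blacklisted, message_contains_virus, action_discard, md_syslog, md_graphdefang_log, %Features, $VirusName, $Sender, $RelayAddr). The RBL zone name, the example.com addresses and the %LocalUsers table are assumptions standing in for a site's real configuration and directory lookup.

```perl
# Excerpt of a mimedefang-filter (Perl), loaded by mimedefang.pl.
# Assumed runtime: MIMEDefang's filter API (relay_is_blacklisted,
# message_contains_virus, action_discard, md_syslog, md_graphdefang_log,
# %Features, $VirusName, $Sender, $RelayAddr).  Zone names and the user
# table below are constructed for illustration.

# Before DATA, per connecting relay: consult an RBL and reject listed
# hosts outright.  Nothing has been scanned yet, so if the message was a
# virus it goes back toward the (often forged) envelope sender's MX, the
# trade-off Chris describes in the message above.
sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;

    # relay_is_blacklisted() looks up the reversed IP under the zone and
    # returns the A record if listed, 0 otherwise.  Zone is an assumption.
    if (relay_is_blacklisted($hostip, "zen.spamhaus.org")) {
        md_syslog('info', "Rejecting relay $hostip: listed in zen.spamhaus.org");
        return ('REJECT', "Relay $hostip is listed in zen.spamhaus.org");
    }
    return ('CONTINUE', "ok");
}

# Before DATA, per recipient: reject invalid local addresses at RCPT
# time.  %LocalUsers is a constructed table standing in for whatever
# directory or LDAP check a real site would do here.
my %LocalUsers = map { $_ => 1 } qw(postmaster@example.com alice@example.com);

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    my $addr = lc $recipient;
    $addr =~ s/^<(.*)>$/$1/;      # strip angle brackets if present

    unless ($LocalUsers{$addr}) {
        md_syslog('info', "Rejecting unknown recipient $addr from $ip");
        return ('REJECT', "User unknown");
    }
    return ('CONTINUE', "ok");
}

# After DATA: the scanner has run and we KNOW.  A confirmed virus is
# discarded silently; action_bounce() here would manufacture exactly the
# virus-in-an-NDR to a forged sender that the thread is about.
sub filter_begin {
    my ($entity) = @_;

    # Only meaningful if a scanner was detected at startup.
    return unless $Features{"Virus:CLAMD"} || $Features{"Virus:CLAMAV"};

    my ($code, $category, $action) = message_contains_virus();
    if ($category eq "virus") {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding $VirusName from $Sender via $RelayAddr");
        return action_discard();
    }
    # Anything the scanner did not flag continues to the rest of the
    # filter, where questionable mail (spam, domain mismatch) is rejected.
    return;
}
```

filter_relay and filter_recipient are only invoked when mimedefang is started with the -r and -t options respectively; without them the pre-DATA checks above never run and every message is accepted through to the scan.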