[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Matthew.van.Eerde at hbinc.com
Thu Jun 30 15:26:12 EDT 2005


Chris Gauch wrote:
> Matthew.van.Eerde wrote:
> 
>> 
>> That's the price you pay for accepting the virus in the first place,
>> Chris. :) Next time make sure to keep your gateway AV as up-to-date
>> as the next-hop machine's.
> 
> Not really what I meant I guess.  What I meant was that your virus
> rejection would go to an innocent bystander, regardless of what phase
> you were rejecting, and that "innocent bystander" could be one of my
> clients, who had nothing to do with the virus.  I was just simply
> stating that it was frustrating to field the calls by the bystanders
> who have no clue what the rejection means or why they got it.  Not
> that I let a virus through -- I was referring to the rejection
> notice.  Sure, viruses get through every now and again, but we keep
> our definitions up-to-date, no problems there. 

I'm going to try to be very clear here... don't take offense, I'm not talking down to you, just trying to avoid ambiguity.

host infected.cableuser.example has a virus.

A fake email is generated:
To: joe at forwarder.example
From: angel at innocent-bystander.example

infected.cableuser.example connects to mta.forwarder.example
mta.forwarder.example ACCEPTS THE MESSAGE for joe at forwarder.example
joe at forwarder.example .forward's to joeandmary at end.example
mta.forwarder.example connects to mta.end.example
mta.end.example realizes - at the end of the DATA phase - that this is a virus.

NOW DIFFERENT THINGS COULD HAPPEN

1) mta.end.example ACCEPTS THE MESSAGE and action_discard()s it (or quarantine)
In this possibility, mta.forwarder.example has an easy life - it fulfilled its responsibility to deliver the message as far as it is considered, it doesn't have to construct any bounce messages, etc.  It doesn't know or care that it delivered a virus.

mta.end.example could send informative messages, in case of false positives:
1a) Send no informative messages, just log
1b) Send an informative message to joeandmary at end.example that a virus was dropped
1c) Send an informative message to angel at innocent-bystander.example that a virus was dropped
1d) Send informative messages to both angel at innocent-bystander.example and joeandmary at end.example

OR

2) mta.end.example could REJECT THE MESSAGE
Now mta.forwarder.example has to make a decision.

2a) mta.forwarder.example could DROP THE MESSAGE based on Reject =~ /virus/
2b) mta.forwarder.example could CREATE A BOUNCE MESSAGE
In this case there is a further option.
2b1) mta.forwarder.example could INCLUDE THE VIRAL MESSAGE IN THE BOUNCE MESSAGE
This is the default action for many MTAs.
2b2) mta.forwarder.example could SEND A BOUNCE MESSAGE CONTAINING ONLY SOME INFORMATION ABOUT THE VIRAL MESSAGE
This requires some judgement to be exercised as to exactly what information to include.

My call...

IF I'M THE OWNER OF THE infected.cableuser.example COMPUTER:
I will install SMTP-aware virus-scanning desktop software such as AVG.  I will configure my MUA to use the cableuser.example mail server for SMTP.  (POP3 is another matter.)

IF I'M THE HEAD OF THE cableuser.example NETWORK:
I will block direct outgoing SMTP unless the user specifically asks for it.
I will log, and scan, all SMTP that passes through the official mail servers (inbound and outbound).

IF I'M THE ADMIN OF THE mta.forwarder.example SERVER:
I will scan all incoming email for viruses.
If mta.end.example rejects, I will attempt to send a bounce message containing only some information... basically, the relevant headers.

IF I'M THE ADMIN OF THE mta.end.example SERVER:
I will reject detected viruses, and I won't lose any sleep over angel at innocent-bystander.example's infection.  If innocent-bystander.example yells at me, I'll tell them to check their headers and go yell at mta.forwarder.example.

IF I'M THE ADMIN OF THE innocent-bystander.example NETWORK:
I'll either install adequate virus protection or outsource the email server.  Worst-case, users can sign up with freemail accounts and use those.

-- 
Matthew.van.Eerde (at) hbinc.com                 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
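The decision mta.forwarder.example faces in case 2 above (drop on a reject matching /virus/, or send a bounce that carries only the relevant headers and not the viral payload) can be made concrete in code. The block below is an added illustration, not code from the original post or from MIMEDefang. It uses the hostnames from the scenario above; the sample message, the 554 reply text and the function names are constructed for the example, and the "attachment" is a harmless base64 placeholder, not a real virus. The bounce is addressed to the envelope sender (MAIL FROM), which is what a real MTA would use, so it is passed in explicitly rather than read from the forged From: header.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Constructed sample: what mta.forwarder.example accepted for joe and then tried
# to relay to mta.end.example. Forged From:, plus a placeholder "attachment"
# (base64 of "not really a virus"), NOT real malware.
ORIGINAL = b"""Received: from infected.cableuser.example (infected.cableuser.example [192.0.2.10])
    by mta.forwarder.example (Postfix) with SMTP id 1234ABCD
    for <joe@forwarder.example>; Thu, 30 Jun 2005 12:00:00 -0700
From: angel@innocent-bystander.example
To: joe@forwarder.example
Subject: Your document
Date: Thu, 30 Jun 2005 11:59:00 -0700
Message-ID: <fake-0001@infected.cableuser.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document.
--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhIHZpcnVz
--b1--
"""

# Constructed reply from mta.end.example at the end of DATA (case 2 above).
REJECT = "554 5.7.1 Virus found in message, rejected"

# The "Reject =~ /virus/" test from case 2a, slightly widened.
VIRUS_REJECT = re.compile(r"\b(virus|worm|trojan|malware)\b", re.I)

# Top-level headers worth passing back to the sender so they can trace the
# real origin ("check their headers"); nothing from the body or its parts.
SAFE_HEADERS = ("Received", "From", "To", "Subject", "Date", "Message-ID")


def looks_like_virus_reject(smtp_reply: str) -> bool:
    """True if a permanent (5xx) reject from the next hop names a virus."""
    return smtp_reply.startswith("5") and VIRUS_REJECT.search(smtp_reply) is not None


def choose_action(smtp_reply: str, drop_virus_rejects: bool) -> str:
    """Map the next hop's SMTP reply to what the relaying MTA should do."""
    if smtp_reply.startswith("2"):
        return "delivered"            # next hop took responsibility for it
    if not smtp_reply.startswith("5"):
        return "defer"                # 4xx: keep it queued, nothing to bounce yet
    if looks_like_virus_reject(smtp_reply):
        # 2a: silently drop (sender is almost certainly forged), or
        # 2b2: bounce with headers only, never the payload.
        return "drop" if drop_virus_rejects else "bounce-headers-only"
    return "bounce"                   # ordinary 5xx: a conventional bounce is fine


def headers_only_bounce(original: bytes, envelope_sender: str, smtp_reply: str,
                        next_hop: str, postmaster: str) -> EmailMessage:
    """Build the 2b2-style bounce: reject text plus selected top-level headers.

    The original body and attachments are deliberately not included, so the
    (probably forged) sender gets information but not the virus.
    """
    msg = message_from_bytes(original, policy=policy.default)
    summary = "\n".join(f"{name}: {value}"
                        for name in SAFE_HEADERS
                        for value in msg.get_all(name, []))
    bounce = EmailMessage()
    bounce["From"] = postmaster
    bounce["To"] = envelope_sender
    bounce["Subject"] = "Undeliverable: message rejected by " + next_hop
    bounce["Date"] = formatdate(localtime=True)
    bounce["Message-ID"] = make_msgid(domain="forwarder.example")
    bounce.set_content(
        "Your message could not be delivered.\n"
        f"{next_hop} rejected it with:\n    {smtp_reply}\n\n"
        "Only the headers of the original message are included below; the body\n"
        "and attachments were omitted because the next hop classified them as a\n"
        "virus. The Received: line shows which host actually submitted it.\n\n"
        f"{summary}\n"
    )
    return bounce


def relay_outcome(original: bytes, envelope_sender: str, smtp_reply: str,
                  drop_virus_rejects: bool = False):
    """Return (action, bounce-or-None) for one delivery attempt to mta.end.example."""
    action = choose_action(smtp_reply, drop_virus_rejects)
    if action != "bounce-headers-only":
        return action, None
    return action, headers_only_bounce(original, envelope_sender, smtp_reply,
                                       "mta.end.example", "postmaster@forwarder.example")


if __name__ == "__main__":
    action, bounce = relay_outcome(ORIGINAL, "angel@innocent-bystander.example", REJECT)
    print(action)
    print(bounce.as_string() if bounce else "(nothing sent)")
```

Running it prints the headers-only bounce that angel at innocent-bystander.example would receive: the reject text, the forged From:/To:/Subject:, and the Received: line pointing at infected.cableuser.example, with no trace of the body or the attachment. Flipping `drop_virus_rejects=True` gives the 2a behaviour and sends nothing.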
