[67140] in North American Network Operators' Group
Re: antivirus in smtp, good or bad?
daemon@ATHENA.MIT.EDU (Joe Maimon)
Tue Feb 3 11:54:27 2004
Date: Tue, 03 Feb 2004 11:49:40 -0500
From: Joe Maimon <jmaimon@ttec.com>
To: nanog@merit.edu
In-Reply-To: <6.0.1.1.2.20040203112344.0328f268@mail.amaranth.net>
Errors-To: owner-nanog-outgoing@merit.edu
Daniel Senie wrote:
>
> At 10:13 AM 2/3/2004, Joe Maimon wrote:
>
>
>
>> Daniel Senie wrote:
>>
>>>
>>> At 08:58 AM 2/3/2004, you wrote:
>>
>>
>> <snip>
>>
>>> Why must systems accept mail that's virus laden or otherwise not
>>> desired at a site?
>>>
>>> The "bounce" you refer to invariably ends up going to the wrong
>>> person(s), so that's an exceptionally BAD idea. Many viruses (most
>>> of the recent ones) forge the sender information. So either
>>> accepting and silently dropping, or rejecting the SMTP session with
>>> a 55x are the only viable choices.
>>
>>
>> What you are saying is that every mailhost on the Internet should run
>> up to date and efficient virus scanning? Pattern matching and header
>> filtering? Should the executable attachment become outlawed on the
>> Internet? Recognize when a "to be bounced email" is a spoof and
>> discard the DSN?
>
>
> I'm saying, if you are going to run a virus scanner on your mail
> server, then either have it reject at the SMTP level or drop the
> messages on the floor. Accepting the email and then bouncing it to
> someone who didn't send it further propagates the virus' annoyance
> level to otherwise unaffected people.
>
<snip>
I agree. Rejecting with a 550 after DATA completes is becoming more
common and acceptable.
I think we have all agreed in previous threads that if a mail anti virus
scanner does not know how to differentiate between a virus that spoofs
the sender and one that doesn't, it should silently discard all virus
infected email -- OR notify the local administrator/user at their
choosing, but NOT bounce it.
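
Added example, not part of the original post: a toy SMTP receiver in Python that compares the three dispositions discussed above (550 after DATA, silent discard, accept-then-bounce) for an infected message with a forged envelope sender. The hostnames, addresses, the `MARKER` signature and the `run_session` helper are constructed for illustration; the parser ignores dot-stuffing and the scanner is a stand-in.

```python
# Constructed demo: stand-in signature, not a real AV engine.
MARKER = b"X-CONSTRUCTED-TEST-VIRUS"
# Constructed session: an infected host forges victim@example.org as sender.
SESSION = [b"EHLO pc.example.com", b"MAIL FROM:<victim@example.org>",
           b"RCPT TO:<user@example.net>", b"DATA", b"Subject: hi", b"",
           MARKER, b".", b"QUIT"]

def run_session(lines, policy):
    """Feed client lines to a toy SMTP receiver.

    policy is "reject" (550 after DATA), "discard" (250, then drop) or
    "bounce" (250, then a DSN to the envelope sender).
    Returns (replies, outbound); outbound lists (recipient, subject) of
    mail this host would itself generate.
    """
    replies, outbound = ["220 mx.example.net ESMTP"], []
    sender, body, in_data = None, [], False
    for raw in lines:
        if in_data:
            if raw != b".":
                body.append(raw)
                continue
            in_data = False
            infected = MARKER in b"\r\n".join(body)
            if infected and policy == "reject":
                # The connecting client sees the failure; no new mail is created.
                replies.append("550 5.7.1 message contains a virus")
            else:
                replies.append("250 2.0.0 queued")
                if infected and policy == "bounce":
                    # DSN goes to whatever MAIL FROM claimed, forged or not.
                    outbound.append((sender, "Undeliverable: virus found"))
            sender, body = None, []
            continue
        verb = raw.upper()
        if verb.startswith((b"HELO", b"EHLO")):
            replies.append("250 mx.example.net")
        elif verb.startswith(b"MAIL FROM:"):
            sender = raw[10:].strip(b" <>").decode()
            replies.append("250 2.1.0 ok")
        elif verb.startswith(b"RCPT TO:"):
            replies.append("250 2.1.5 ok")
        elif verb == b"DATA":
            in_data = True
            replies.append("354 end with <CRLF>.<CRLF>")
        elif verb == b"QUIT":
            replies.append("221 2.0.0 bye")
        else:
            replies.append("500 5.5.2 unrecognized command")
    return replies, outbound
```

Only the "bounce" policy produces outbound mail, and it is addressed to the forged sender rather than to the host that opened the connection.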