[87137] in North American Network Operators' Group


Re: Clueless anti-virus products/vendors (was Re: Sober)

daemon@ATHENA.MIT.EDU (Douglas Otis)
Mon Dec 5 20:38:34 2005

In-Reply-To: <20051205040452.6C5B03C0159@berkshire.machshav.com>
Cc: "Church, Chuck" <cchurch@netcogov.com>, nanog@merit.edu
From: Douglas Otis <dotis@mail-abuse.org>
Date: Mon, 5 Dec 2005 17:38:00 -0800
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Errors-To: owner-nanog@merit.edu



On Dec 4, 2005, at 8:04 PM, Steven M. Bellovin wrote:

>  "Church, Chuck" writes:
>>
>> The ideal solution would be for the scanning software to send a  
>> warning only if the virus detected is known to use real addresses,  
>> otherwise it won't warn.
>
> A-V companies are in the business of analyzing viruses.  They  
> should *know* how a particular virus behaves.

It is common to find detailed descriptions offered by the company
that indicate the behavior of the detected virus, which often
includes spoofing the bounce-address.  A less than elegant solution,
as an alternative to deleting the message, is to hold the data phase
pending the scan.  Another solution would be not returning message
content within a DSN.  This would mitigate the distribution of
viruses, as well as forged bounce-addresses sent to backup MTAs as
a method for bypassing black-hole lists.  Would changing what is
returned within a DSN in all cases be a solution?

-Doug
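The two mechanisms Doug describes, realized in code as an added example that is not part of this thread or of any MTA: a verdict returned while the SMTP DATA phase is still open (a 5xx reply means the worm message is never accepted, so there is no queued message and no DSN to misdirect at a forged bounce-address), and, for mail that was already accepted, a non-delivery report built per RFC 3462/3464 that carries only the original headers, never the body or the attachment. The sample message, the host and mailbox names and the toy attachment-name scanner are all constructed for the example; a real deployment would plug in an actual anti-virus engine.

```python
"""Two answers to a bounce-address-forging worm (added example).

1. scan_at_data_phase(): decide while the SMTP DATA phase is still open.
   A 5xx reply means the message was never accepted, so there is no
   queued copy and no DSN that could be sent to a forged address.
2. headers_only_dsn(): for mail already accepted, build a non-delivery
   report (RFC 3462 multipart/report, RFC 3464 status part) that carries
   the original headers only, never the body or attachments.

All names and the sample message below are constructed; the scanner is
a toy stand-in for a real anti-virus engine.
"""
from email import message_from_string
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate, make_msgid

# Constructed sample: worm-style message with a forged sender and an
# executable attachment (the base64 payload is a placeholder string).
WORM_BODY_B64 = "VGhpcyBpcyB0aGUgd29ybSBib2R5"
ORIGINAL = f"""\
From: victim@example.org
To: nobody@mx1.example.net
Subject: Your document
Message-ID: <abc123@forged.example>
MIME-Version: 1.0
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64

{WORM_BODY_B64}
"""

# Toy scanner: flags attachments carrying a Windows-executable file name.
EXECUTABLE_SUFFIXES = (".pif", ".scr", ".exe", ".bat", ".com")


def toy_scanner(message_text):
    """Return a detection name, or None if the message looks clean."""
    msg = message_from_string(message_text)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_SUFFIXES):
            return "Toy.Worm.ExecutableAttachment"
    return None


def scan_at_data_phase(message_text, scanner=toy_scanner):
    """SMTP reply to send at the end of DATA, before accepting the message.

    Rejecting here leaves the sending client responsible for any bounce,
    so nothing is ever sent by us to the (possibly forged) reverse path.
    """
    detection = scanner(message_text)
    if detection:
        return f"554 5.7.1 Message rejected: {detection}"
    return "250 2.0.0 Ok: queued"


def headers_only_dsn(message_text, envelope_sender, failed_recipient,
                     reporting_mta, status, diagnostic):
    """Build a DSN for an already-accepted message, returning headers only.

    envelope_sender is the SMTP MAIL FROM captured at delivery time (the
    bounce address), not the From: header.  Returns None when that path is
    null: a DSN must never be generated for a DSN (RFC 5321, 4.5.5).
    """
    if not envelope_sender:
        return None
    original = message_from_string(message_text)

    report = MIMEMultipart("report", report_type="delivery-status")
    report["From"] = f"MAILER-DAEMON@{reporting_mta}"
    report["To"] = envelope_sender
    report["Subject"] = "Undelivered Mail Returned to Sender"
    report["Date"] = formatdate(localtime=False)
    report["Message-ID"] = make_msgid(domain=reporting_mta)

    # Part 1: human-readable explanation.
    report.attach(MIMEText(
        f"Delivery to <{failed_recipient}> failed: {diagnostic}\n"
        "Only the headers of the original message are returned.\n", "plain"))

    # Part 2: machine-readable status (RFC 3464): one per-message block and
    # one per-recipient block, each a header-only Message object.
    per_message = Message()
    per_message["Reporting-MTA"] = f"dns; {reporting_mta}"
    per_recipient = Message()
    per_recipient["Final-Recipient"] = f"rfc822; {failed_recipient}"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = status
    per_recipient["Diagnostic-Code"] = f"smtp; {diagnostic}"
    status_part = MIMEBase("message", "delivery-status")
    status_part.set_payload([per_message, per_recipient])
    report.attach(status_part)

    # Part 3: original headers only (text/rfc822-headers, RFC 3462); the
    # body and any attachment are deliberately not copied into the DSN.
    headers_part = MIMEBase("text", "rfc822-headers")
    headers_part.set_payload("".join(f"{k}: {v}\n" for k, v in original.items()))
    report.attach(headers_part)
    return report


if __name__ == "__main__":
    print(scan_at_data_phase(ORIGINAL))
    dsn = headers_only_dsn(ORIGINAL, "victim@example.org", "nobody@mx1.example.net",
                           "mx1.example.net", "5.7.1", "virus detected, not delivered")
    print(dsn.as_string())
```

The DSN itself is handed to the queue with the null reverse path (MAIL FROM:<>), so it can never generate a further bounce; the function keeps that rule from the other side by refusing to build a DSN when the original arrived with a null sender.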
