[87149] in North American Network Operators' Group
Re: Clueless anti-virus products/vendors (was Re: Sober)
daemon@ATHENA.MIT.EDU (Douglas Otis)
Tue Dec 6 16:50:49 2005
In-Reply-To: <Pine.NEB.4.63.0512061112330.6808@server.duh.org>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
"Church, Chuck" <cchurch@netcogov.com>, nanog@merit.edu
From: Douglas Otis <dotis@mail-abuse.org>
Date: Tue, 6 Dec 2005 13:49:53 -0800
To: Todd Vierling <tv@duh.org>
Errors-To: owner-nanog@merit.edu
On Dec 6, 2005, at 8:19 AM, Todd Vierling wrote:
>
> On Mon, 5 Dec 2005, Douglas Otis wrote:
>
>> A less than elegant solution, as an alternative to deleting the
>> message, is to hold the data phase pending the scan.
>
> Contrary to your vision of this option, it is not only elegant; it
> happens to be the *correct* thing to do.
Holding at the data phase does usually avoid the need for a DSN, but
this technique may require some added (less than elegant) operations
depending upon where the scan engine exists within the email stream.
Waiting for the scan to complete adds stack overhead (assuming a good
black-hole list is being used). Albeit small, there is never 0%
false detections of malware. It would seem that when a DSN is
required, as a general practice, the DSN should not include message
content. This should at least thwart this vector being used to
spread malware and spam. Preventing the spread of a virus seems
key. There is always BATV to clean up spoofed bounce-addresses in
the meantime.
-Doug
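The three practices discussed in this exchange, as an added illustration that is not part of the thread and not code from any of the participants: refusing a message with a 5xx reply at end-of-DATA so the sending MTA keeps responsibility for any bounce and no DSN is generated; a DSN that quotes only the original headers (the `message/rfc822-headers` report part RFC 3464 allows) rather than the possibly infected body; and a BATV-style `prvs=` signed bounce address so bounces to never-signed addresses can be dropped. The key, addresses, the 7-day validity window and the exact bytes fed to the HMAC are this example's own choices, not a claim about the BATV draft's precise construction.

```python
"""Defensive SMTP handling pieces: end-of-DATA refusal, content-free DSN,
and a BATV-style signed return path.  All keys and addresses are constructed
for this example."""
import hashlib
import hmac
import time

# --- 1. Decide the reply after the message body has been received ------------
def data_phase_reply(verdict):
    """Return the SMTP reply for a scanner verdict ('clean', 'malware', 'scan-timeout').

    A 5xx here is given while the sending MTA still holds the message, so the
    sender, not this host, handles any notification and no DSN is created.
    A scan that did not finish in time gets a 4xx so the sender retries
    instead of the message being dropped on a possible false detection.
    """
    if verdict == "clean":
        return "250 2.0.0 OK: queued"
    if verdict == "malware":
        return "554 5.7.1 Message rejected: malware detected"
    return "451 4.7.1 Content scan not completed, try again later"


# --- 2. A DSN that carries no message content -------------------------------
def build_dsn(return_path, recipient, reporting_mta, original_headers):
    """Build a non-delivery report whose third part is message/rfc822-headers.

    Only the original header lines are quoted; the body never enters the bounce.
    Returns None for an empty return path: a bounce is never bounced.
    """
    if not return_path:
        return None
    lines = [
        f"From: MAILER-DAEMON@{reporting_mta}",
        f"To: {return_path}",
        "Subject: Undelivered Mail Returned to Sender",
        "Content-Type: multipart/report; report-type=delivery-status; boundary=DSN",
        "", "--DSN", "Content-Type: text/plain", "",
        f"Delivery to {recipient} failed: message rejected by content scan.",
        "The original message content is intentionally not included.",
        "", "--DSN", "Content-Type: message/delivery-status", "",
        f"Reporting-MTA: dns; {reporting_mta}", "",
        f"Final-Recipient: rfc822; {recipient}", "Action: failed", "Status: 5.7.1",
        "", "--DSN", "Content-Type: message/rfc822-headers", "",
    ]
    lines.extend(original_headers)
    lines.append("--DSN--")
    return "\r\n".join(lines)


# --- 3. BATV-style signed bounce address ------------------------------------
KEY = b"example-batv-key"      # constructed secret; rotate per key_id in practice
VALID_DAYS = 7                 # this example's validity window

def _tag(local_part, domain, day):
    # HMAC input is this example's choice: expiry day + original address.
    mac = hmac.new(KEY, f"{day:03d}{local_part}@{domain}".encode(), hashlib.sha1)
    return mac.hexdigest()[:6]

def batv_sign(address, day=None, key_id=0):
    """Rewrite user@domain to prvs=KDDDSSSSSS=user@domain for use as MAIL FROM.

    K is a one-digit key id, DDD the expiry day (days since epoch mod 1000),
    SSSSSS the truncated HMAC over day and address.
    """
    local, domain = address.split("@", 1)
    if day is None:
        day = (int(time.time()) // 86400 + VALID_DAYS) % 1000
    return f"prvs={key_id}{day:03d}{_tag(local, domain, day)}={local}@{domain}"

def batv_verify(address, today=None):
    """Check the RCPT TO of a null-return-path message (a bounce).

    Returns the original address when the tag is valid and unexpired, else
    None: a bounce to an unsigned or mis-signed address was never sent by us.
    """
    if not address.startswith("prvs="):
        return None
    try:
        _, tagval, rest = address.split("=", 2)
        local, domain = rest.split("@", 1)
    except ValueError:
        return None
    if len(tagval) != 10 or not tagval[:4].isdigit():
        return None
    day, sig = int(tagval[1:4]), tagval[4:]
    if today is None:
        today = (int(time.time()) // 86400) % 1000
    if (day - today) % 1000 > VALID_DAYS:      # already expired (wraps mod 1000)
        return None
    if not hmac.compare_digest(sig, _tag(local, domain, day)):
        return None
    return f"{local}@{domain}"
```

`data_phase_reply` is the cheap path Vierling argues for; `build_dsn` is the fallback when the message has already been accepted and a notification is unavoidable; `batv_verify` runs on inbound mail whose envelope sender is empty, so forged bounces are refused at RCPT TO without any content inspection.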