[33350] in bugtraq
Re: RFC: virus handling
daemon@ATHENA.MIT.EDU (Daniele Orlandi)
Tue Feb 3 01:43:08 2004
Message-ID: <401808A4.9010301@orlandi.com>
Date: Wed, 28 Jan 2004 20:08:20 +0100
From: Daniele Orlandi <daniele@orlandi.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <1075304734.29593.147.camel@hostmaster.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Thomas Zehetbauer wrote:
>
> 1.1.) Configuration
> Unless the virus scanner provides special handling for worms and virii
> which knowingly use a faked sender address
I think that virus scanners SHOULD provide some sort of information on
the reliability of headers and SMTP envelope of the virus e-mail and act
accordingly.
I use amavisd-new which has support for listing viruses/worms that fake
the sender's email address. Unfortunatelly the list is external to the
actual virus scanner and has to be updated manually.
This is a major problem, since the administrators are often (an with
good reason) not responsive enought with the rapid floods like the one
we saw recently.
> it should not send out notification messages unless the administrator has
> been warned that these notification messages may not reach the intended
> recipient and has still enabled this feature.
I would say that a virus scanner SHOULD NOT send notifications unless it
has informations on the reliability of the sender's e-mail address.
> 1.2.) Format
> These messages cannot be easily filtered because they come in many
> different formats and do often not contain any useful information at
> all.
They could be formatted with a message/delivery-status part but the
problem wouldn't exist at all if all the notifications are sent to the
real infected recipient.
Bye.
--
Daniele Orlandi
