On Tue, Sep 21, 2004 at 06:39:25PM -0500, Damian Menscher wrote:
> On Wed, 22 Sep 2004, Jan Pieter Cornet wrote:
> >On Mon, Sep 20, 2004 at 04:26:40PM -0700, [EMAIL PROTECTED]
> >wrote:
> >>It is perfectly acceptable to place an explanatory message in an SMTP
> >>REJECT message.
> >
> >Acceptable, maybe, but I believe it's better to simply discard all
> >viruses.
>
> And most sane people believe you are wrong.

I don't think the derogatory comment is necessary. As a riposte: I'm not
alone in this, far from it, actually. A similar request was recently
issued by virusalert.nl, a Dutch organisation on virus prevention. See
http://www.virusalert.nl/?show=nieuws&id=559

> No, you also guard against false positives.

True. However, I've never seen any in email. I might be persuaded to
only discard when two independent virus scanners detect the malware.

> >However, if the remote end is a real mailserver, either because the
[...]
> That is not your fault. It is the fault of the remote mailserver.
> Educate them.

"It's the fault of the remote server". Well, maybe. But I'm still
looking through RFCs that say that you SHOULD not send nasty Windows
executables with the SMTP protocol. Hopefully an RFC that says something
similar is in the works?

Seriously, you cannot possibly expect all mail servers out there to
suddenly install decent virus filters. Some mail servers will probably
never install virus filters, instead using other lines of defense
against viruses. You cannot dictate how someone else runs their server.

So, the effect of the 5xx reject is, in the worst case, resulting in the
virus being sent elsewhere (in the form of a bounce). So while you're
protecting your own users, you are directing the virus "attack" to some
unsuspecting bystander.

At least, if you look at the big numbers. Most emails containing viruses
are forging the From address, these days. (If I look at our own stats,
out of 140K viruses blocked yesterday, 2 are EICAR, 3 "Joke" type
viruses and one Word 97 macro virus. That's less than 0.004% of the
viruses. I could be missing one or two other non-faking viruses though,
I don't know every virus brand).

If the entire world adapted proper virus filters, then, yes, it would be
wise to respond with a 5xx reject to a virus (also, it would change
practically nothing, except for the case of false positives).

> A common problem I see in the AV community is that they forget that
> *email* is a service. It must work. Antivirus is a cute little feature
> we tack on top to make life more convenient, much like anti-spam tools
> are added. But virus/spam blocking is a feature -- not part of the
> basic service. Please do NOT break the service. Reliable email
> delivery depends on not having messages get lost.

True. However, sit at an ISP helpdesk for a day and you'll learn how
email does get lost. People are simply clumsy with it. That's reality :(
We're not living in the friendly academic internet of 1993 anymore.

And, the number of people complaining about bogus virus notifications is
far greater than the number of people complaining about not receiving a
warning after sending a virus. In fact, I believe that last number is
close to zero.

It probably comes down to the number of false positives that can be
expected. I've found a bit of ranting on the net, about virus scanners
seeing each other as false positives, and McAfee having lots of false
positives, but I haven't found any hard statistics, unfortunately. Is
anyone aware of something tangible?

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users