On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
> > telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]>
> > telnet victims-server 25 ... HELO isps-server ... MAIL FROM....
> > If victim's SMTP server fails the DATA with a 5xx code, then
> > backscatter goes [EMAIL PROTECTED]
> .... it is not my problem what the ISP's mail server
> does with it after I send a 5xx.
Well, first of all, yes it IS. It's *everyone's* problem. That forged
address could be on *your* server, and *you* get the backscatter from some
other victim system that also "doesn't care what the ISP does with it"...
That being said, I agree that the number of viruses that still try to find
and use an infected PC's SMTP server is very small... In which case the
odds of hitting a false positive via a mail relay are greater than hitting
a virus via a mail relay. Now that you make me think about it, the only
time I ever see backscatter from a virus is when someone uses a virus
checker that generates its own DSN rather than issue SMTP 5xx rejections.
I am so *very* glad that ClamAV is just a *reporting* tool! :)
> If anything it encourages the ISP to virus filter their users and take
> care of abuse problems rather then silently sweeping them under the
> rug.
Begging pardon, but just because someone uses a standard postfix config
and follows the standard 'recommended' practice of listing dial-up IP's as
'trusted clients' does not mean they are 'sweeping' anything under their
'rug'. It is just a choice made to minimize the performance hit of
scanning and filtering mail that is 99.99+% valid.
BUT this practice of not scanning mail from trusted clients is only
'safe' if virus checking is done post-SMTP, in procmail. Otherwise, there
is the risk that mail from one user of a system to another will not be
virus checked at *all*, permitting the spread of viruses within a given
user base.
So my closing thought is that I will want to do two things with my new
"Mail Avenger" setup:
1) I will want to run clamav on *all* messages, regardless of source.
This will prevent intra-system viruses and also cut down on
backscatter by preventing my server from relaying an outgoing virus.
2) I will want to check in procmail to see whether an intra-system
message passed through my SMTP or was directly delivered via LDA, and
in the latter case I will need to run clamav from procmail.
So thank you all, for stirring up some good serious thoughts!
- Charles, HWCN
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
