Well, this thread has gone on long enough that I'll throw in my comments
too! LOL
I have a few clients that are small ISPs. They scan all email in and out
of their mail servers; just in case one of their clients ends up sending out
viruses or malware - likely as a result of the client system being infected.
Any email that doesn't scan clean is rejected before acceptance, so there's
no danger of backscatter - and that is a critical choice. Notices of virus
found are sent to a notification mailbox for reference in case a customer
calls up the help desk with problems sending email - we would have a log of
the failed send attempts - help desk doesn't have access to system logs, but
they do have access to the mailbox. One of the clients also has a graph
with counter showing number of detected viruses per hour over the last few
days. If that graph spikes they know to check the logs or notification
mailbox to see which host on the network might be attempting such activity.
For corporate customers, I have a client with an all Mac network. No virus
scanning of any type on the clients, and yet someone is always bringing in a
file on a flash drive to send that seems to have a virus in it. We catch
those at the mail server before it goes out, thus keeping them from
upsetting their clients. (They almost lost a multi million $ contract
before this system was in place, because one of their people kept trying to
send the same infected Word doc over and over.)
All of the mail servers I've installed are really overkill as far as
processing power goes, so running scans in and out doesn't hurt much, but it
does cause a several second delay for every email going through the system.
A user clicking send/receive on an Outlook client will see it sit there for
maybe an extra 5 seconds at peak loads per outbound email, but that's not
become an issue for anyone yet.
I agree, I would never trust another site's scanning to protect my systems,
so adding a header to outbound messages that they have been scanned is
probably not necessary, but it also doesn't hurt anything in my opinion.
If you are setting up a low powered mail server, and I'm talking 300MHz P3
low, you might want to limit the scans to one way, inbound, but if you have
the CPU power to handle the operation there's nothing really to lose.
So really, all of these issues could be alleviated if all of these entities
had tighter security, but they are all stretched pretty thin for the IT
staff. Sometimes a little hardware/software setup can really aid IT in
doing their job, and they should follow up from that point to make sure
things are resecured.
To each their own, but when you've got a server that will handle the scans
there's little reason not to do it, but several reasons that you might do
it.
Dan Metcalf
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
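
An added illustration of the hourly virus-count check described in the message above (not part of the original post, and not ClamAV or MTA code): it buckets rejected-message records per hour and names the host behind a spike. The log format, the addresses, the signature name and the threshold values are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data in a hypothetical one-line-per-reject format:
#   <ISO timestamp> REJECT client=<ip> virus=<signature>
_ROWS = [("08", "192.0.2.10", 1), ("09", "192.0.2.10", 1), ("09", "192.0.2.11", 1),
         ("10", "192.0.2.11", 1), ("11", "192.0.2.10", 1), ("11", "192.0.2.77", 7)]
SAMPLE_LOG = "\n".join(
    f"2024-03-04T{hour}:{i:02d}:00 REJECT client={ip} virus=Example.Test.Signature"
    for hour, ip, n in _ROWS for i in range(n)) + "\nunparseable line\n"

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} REJECT client=(\S+) virus=(\S+)$")

def hourly_counts(log_text):
    """Return {hour: Counter({client_ip: rejects})}; malformed lines are skipped."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hour, client, _signature = m.groups()
            buckets[hour][client] += 1
    return buckets

def find_spikes(buckets, factor=3, floor=5):
    """Flag hours whose total exceeds max(floor, factor * median hourly total).

    The median is taken over hours that had at least one reject; the floor
    keeps a quiet server from alerting on two or three detections.
    Returns (hour, total, top_client) tuples in chronological order.
    """
    totals = {hour: sum(c.values()) for hour, c in buckets.items()}
    if not totals:
        return []
    threshold = max(floor, factor * median(totals.values()))
    return [(hour, totals[hour], buckets[hour].most_common(1)[0][0])
            for hour in sorted(totals) if totals[hour] > threshold]

if __name__ == "__main__":
    for hour, total, client in find_spikes(hourly_counts(SAMPLE_LOG)):
        print(f"{hour}: {total} rejects, mostly from {client}")
```
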