(FWIW, the original inverse question/argument was about blindly
accepting third-party claims that something was clean; I responded
noting that I would [mostly] happily trust third-party claims that
something *wasn't* clean.)
Jerry wrote:
> Let's take this from the top.
> You, and other advocates of enforced screening of sent e-mail are
> assuming that all individuals who send e-mail would abide by that
> edict. Obviously you know that is a false assumption. Spammers
> obviously would not adhere to that edict; nor would the majority of
> casual e-mail users.
... er, whut? What edict?
Spammers do everything they can to wiggle past filter systems; that's a
given.
Users (from my perspective wearing my ISP mail admin hat, customers)
aren't generally computer professionals; sooner or later someone *will*
get infected with something (or more than one something), and they'll
start spewing out garbage.
I can take measures to slow down the flood of garbage, or I can put up
with not being able to communicate with a large chunk of the rest of the
Internet because nobody wants to accept the garbage they'd have to take
along with my legitimate traffic. (True, it takes a while to get this
far, but it's not exactly an unlikely scenario. I've seen a number of
corporate customers get widely blacklisted due to *one* virus-infested
PC spewing garbage through their Exchange server for a matter of hours.)
> There is just no incentive to do so. It therefore
> becomes the responsibility of the recipient to insure the integrity of
> the document(s) that they accept.
Of course. That doesn't mean it's a waste of time or resources to be
careful about what you emit from your mail system.
To mangle a phrase I first heard in relation to sendmail:
"Be careful/precise in what you emit/generate, be liberal in what you
accept"
> Second, you appear to be under some sort of misguided belief that all
> scanning engines are equal and that they are 100% accurate.
I'm not. But even if I was... How does that translate to "It's a waste
of resources to scan outbound mail"? Stopping some of the crap is
better than stopping none.
> Third, you seem to believe that the sending of a malicious e-mail would
> result in your network being blacklisted. That is also false.
No, not really, having seen it happen, and having done so more than
once. Admittedly, not due to one email (in either case)... but viruses
don't just send one copy, they spew out multiple copies to everyone in
your address book plus whatever they get from their botmaster. Repeatedly.
I bet other ISP mail admins can relate.
> Now, if
> you were sending a multitude of such documents, that could very well
> happen.
You just said this was a false claim.
> However, if you are in fact sending hundreds of malicious
> documents you have problems that far transcend simply screening of your
> transmissions.
No, you just have a nontrivial network.
Even as a small boutique ISP (~1200-1300 dialup customers) before being
swallowed by a larger company, when we introduced outbound virus
scanning in ~2001 we regularly found virus mail originating from
customer systems. Customers therefore knew about the virus(es) that
slipped past their desktop AV (if any) much, *much* earlier than they
might have otherwise. A few of the viruses were even Javascript viruses
that attached themselves to legitimate mail.
Catching a couple hundred viruses per *day* was normal traffic for those
~1200 users, for a while.
We also tried sending automated "you have a virus" and "$sender tried to
send you a virus" notices. With a staff of two-and-a-half at the time,
we quickly stopped doing that, because of all the calls asking what this
was all about.
> In reality, a user running his own mail server has a
> greater chance of getting blacklisted if they produce 'backscatter'.
Probably. But a small personal-domain system is "trivial" in scale.
> You have to, or at least should screen all received documents anyway.
Yep.
> Wasting time and resources to do it on transmitted as well as received
> ones is redundant.
How so? What if there's a virus undetected by your desktop AV that
attaches itself to a Word document you received and need to pass on to a
group of others (this is not exactly an uncommon scenario, sadly), but
detectable by Clam? (Or whatever AV you run on your mail server.)
> If your network is spewing large amounts of garbage
> you do have a serious problem. One that should be corrected at the
> source. If you don't know how, or lack the fortitude to do so, then
> perhaps you should consider hiring a professional to do it for you.
What, you expect an ISP to pay to clean up their customers' personal
systems because they visited a dubious website from a PC that hasn't had
Windows updates in months, and whose AV install is broken and/or
outdated, and just got pwned by the virus-of-the-day? Are you willing
to pay 3x+ your current Internet bill to pay for the staff needed to do
so? Does your ISP even have a local office (so you wouldn't have to
ship your PC off to Lower Elbonia for this <ahem> "free" virus cleanup)?
We *do* actually lock the accounts of residential customers who have
been found to be spewing junk; corporate customers get a somewhat more
flexible response but ultimately if they continue to spew junk they lose
the right to send through our mail relay, and their static IP will end
up on public blacklists.
On *corporate* networks, scanning outbound mail allows you to, y'know,
*detect* things like a virus-infested PC... If you want to find
viruses on your network, you have to scan the network traffic
*somewhere*, and among other reasons, outbound mail is convenient to
plug into.
-kgd
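
[Added example, not part of the original post or of ClamAV: one way a relay operator could turn outbound scan results into a list of client machines that are probably infected, as the closing paragraphs of the reply describe. The log format, addresses and signature names are constructed for illustration; hits are keyed on client IP because mail worms commonly forge the sender address.]

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for an outbound scanning relay (an assumption, not
# the format of ClamAV or of any real milter).
LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=<(?P<sender>[^>]*)> "
    r"verdict=(?P<verdict>CLEAN|FOUND)(?: sig=(?P<sig>\S+))?$"
)

# Constructed sample data: one client sending a worm repeatedly, one client
# forwarding a single infected document, and one line that does not parse.
SAMPLE_LOG = """\
2001-06-04T10:02:11 client=10.0.3.17 from=<alice@example.net> verdict=FOUND sig=Constructed.Worm.A
2001-06-04T10:02:40 client=10.0.3.17 from=<alice@example.net> verdict=FOUND sig=Constructed.Worm.A
2001-06-04T10:03:05 client=10.0.9.2 from=<bob@example.net> verdict=CLEAN
2001-06-04T10:05:19 client=10.0.3.17 from=<forged@example.org> verdict=FOUND sig=Constructed.Worm.A
2001-06-04T11:30:00 client=10.0.9.2 from=<bob@example.net> verdict=FOUND sig=Constructed.Macro.B
garbage line that does not parse
"""

def infected_clients(log_text, threshold=3, window=timedelta(hours=1)):
    """Return {client_ip: sorted signature names} for every client that sent
    at least `threshold` infected messages within any `window`-long span."""
    hits = defaultdict(list)              # ip -> [(timestamp, signature)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["verdict"] != "FOUND":
            continue                      # skip clean mail and unparseable lines
        ts = datetime.fromisoformat(m["ts"])
        hits[m["ip"]].append((ts, m["sig"] or "unknown"))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the left edge until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({sig for _, sig in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, sigs in infected_clients(SAMPLE_LOG).items():
        print(f"{ip}: repeated infected outbound mail ({', '.join(sigs)})")
```

The threshold separates a machine that is spewing copies from a user who forwarded one infected document; which response each gets (notice, account lock, relay block) is a policy decision outside this sketch.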