On 02/22/2015 10:43 PM, Simon Hobson wrote:
> OK, this is getting well off-topic for this list, this will be my final say on
> the matter

Agreed.

> Which is one reason it's very important to make sure you are not part of the problem. Allowing a
> customer to send "nasties" through your mail server is a good way of getting it
> blacklisted - and then it certainly doesn't "just work". I can assure you that when your
> server gets on a blacklist, your customers do complain - and they complain a lot louder than if you
> block one or two spammy messages.
> The best way to stay off blacklists is to block spam and nasties at source -
> not just rely on the recipient to catch it later ...

It may be *one* way but it's certainly not the *best* way. In order to get blacklisted, your server would have to send at least a decent amount of "nasties". To prevent that, you could either take the easy road and just reject your customers' mail, or you could sanction those specific customers who are the actual cause. In the former case I'd accuse you of being lazy, just as you accuse me of being part of some problem.

Don't get me wrong: I don't say it's impossible to get blacklisted -- I say there are more sophisticated approaches to prevent being blacklisted.

>> By the way: I don't even reject virus/spam mail, I just tag them. If a client
>> is dumb enough to open the attachment of a tagged e-mail, so be it.
>
> So you are part of the problem. It's already been said that tagging is
> meaningless - yet you assume it's reasonable to expect others to act on your
> tags.

It seems you got something wrong: Tagging of outgoing e-mails is meaningless because the recipient will not pay any attention to the tags. Tagging of incoming e-mail, however, is a way of telling your client "There is something wrong with that e-mail. Therefore, I put it into your Junk folder; better not open it. If you still do, it's all your fault."

I don't get how you find it more appropriate to silently reject someone's e-mail, be it infected or not. I also don't get how you can be so disrespectful and declare me part of some problem for the second time. It appears to me as if this is more of a personal problem for you.

> Most of the customers are also not on managed networks. But on my own systems I block
> outbound connections to port 25 other than what's needed (actually, I mostly have a
> "block everything and allow what's needed" policy). It's all part of a layered
> approach - you protect your systems, but you also add a layer that limits the damage if
> they do get compromised.

Again: this scenario does not apply to me. But, for what it's worth, let's assume one of your clients gets infected by a false negative (all because you failed to raise your clients' awareness and gave them a false sense of security by silently rejecting mail). This infected client does two things: It tries to send spam through port 25 and gathers information (keylogger/passwords, emails, internal information, etc.) to upload it via https. The only way you would notice the latter is by analyzing logs and thereby discovering the former. But you just silently dropped all those packets...

Or is your answer to simply block port 443 as well?

>> However, rejecting outgoing e-mail right away is not an option, which
>> ultimately makes the scanning of these messages redundant.
>
> Which makes you part of the problem.

Maybe you should rather start educating people than infantilize them. Ask them to take over responsibility for their computers, to think twice before opening attachments, especially if the mail is *not* stored in the Junk folder. Let them send whatever they want, and check your logs to find those clients who don't play along.

Most of all though: Stop insulting strangers on the internet by calling them part of a problem that you and a few others made up. Or, at least define what that supposed problem is.


_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
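
The disagreement above comes down to whether an outbound port-25 block on a gateway silently drops packets or logs them so that an infected client can be found afterwards. The following Python script is an added example, not part of the original thread and not ClamAV code: it parses netfilter LOG lines for blocked outbound SMTP connections and reports internal hosts that behave like spam bots (many attempts to many different destinations) while ignoring a single mis-configured client that keeps retrying one relay. The iptables rule mentioned in the comments, the log prefix SMTP-OUT-DROP, the relay address 192.168.10.5 and every log line are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic) in the format the netfilter
# LOG target writes to syslog. Assumption: the gateway runs a rule such as
#   iptables -A FORWARD -p tcp --dport 25 ! -s 192.168.10.5 -j LOG --log-prefix "SMTP-OUT-DROP: "
# immediately before the matching DROP rule, so blocked outbound SMTP is
# recorded instead of silently discarded. 192.168.10.5 is the hypothetical
# permitted mail relay; everything else on the LAN is denied port 25.
SAMPLE_LOG = """\
Feb 22 22:41:03 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=49152 DPT=25 SYN
Feb 22 22:41:04 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49153 DPT=25 SYN
Feb 22 22:41:04 gw kernel: SSH-IN-DROP: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=55000 DPT=22 SYN
Feb 22 22:41:05 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=203.0.113.88 LEN=60 PROTO=TCP SPT=49154 DPT=25 SYN
Feb 22 22:41:06 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN
Feb 22 22:41:06 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=192.0.2.200 LEN=60 PROTO=TCP SPT=49155 DPT=25 SYN
Feb 22 22:41:09 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.99 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN
Feb 22 22:41:19 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.99 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN
Feb 22 22:41:39 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.10.99 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=40002 DPT=25 SYN
Feb 22 22:42:00 gw sshd[1234]: Accepted publickey for admin from 192.168.10.2 port 50222 ssh2
"""

# syslog timestamp, host, "kernel:", the --log-prefix text, then KEY=VALUE pairs
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+"
    r"(?P<prefix>[\w-]+):\s+(?P<fields>.*)$"
)


def parse_netfilter_line(line):
    """Return (timestamp, log prefix, {field: value}) for a netfilter LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            fields[token] = True  # bare TCP flag tokens such as SYN or ACK
    return m.group("ts"), m.group("prefix"), fields


def find_rogue_smtp_clients(log_text, prefix="SMTP-OUT-DROP",
                            min_attempts=3, min_distinct_dst=2):
    """
    Group blocked outbound port-25 attempts by internal source address and
    report hosts with at least `min_attempts` attempts to at least
    `min_distinct_dst` distinct destinations. A spam bot walks many MX hosts;
    a mis-configured mail client normally retries the same relay, so it is
    left out by the distinct-destination threshold.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "dsts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_netfilter_line(line)
        if parsed is None:
            continue
        ts, pfx, f = parsed
        if pfx != prefix or f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        rec = per_src[f["SRC"]]
        rec["attempts"] += 1
        rec["dsts"].add(f["DST"])
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    return {
        src: {"attempts": r["attempts"], "distinct_dst": len(r["dsts"]),
              "first": r["first"], "last": r["last"]}
        for src, r in per_src.items()
        if r["attempts"] >= min_attempts and len(r["dsts"]) >= min_distinct_dst
    }


if __name__ == "__main__":
    for src, info in sorted(find_rogue_smtp_clients(SAMPLE_LOG).items()):
        print(f"{src}: {info['attempts']} blocked SMTP attempts to "
              f"{info['distinct_dst']} hosts between {info['first']} and {info['last']}")
```

On the sample data only 192.168.10.57 is reported: it hit four different destinations in a few seconds, which is the pattern of a compromised host, whereas 192.168.10.12 made one attempt and 192.168.10.99 retried a single relay three times. Lowering min_distinct_dst to 1 surfaces the retrying client as well, which is useful when chasing mis-configured mail software rather than malware. The point that matters for the thread is that none of this is possible if the DROP rule has no LOG rule in front of it.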