Jason Haar wrote:

> Jesse Guardiani wrote:
>
>> I'm eager to hear what Jason Haar has to say about this. I don't know
>> how error codes are generated in q-s so I can't really comment on the
>> usability of the above code, but in concept it looks like what I'm
>> suggesting.
>
> I'm afraid I really don't like this. This issue is as old as the trees.

No it isn't. It's brand new, because before the psender functionality was
added (which is great functionality, BTW) most people were sending
notifications for EVERYTHING. Now, most people don't send notifications, so
false positives become more of a problem.

> As anyone who has been on any Qmail lists for any length of time knows,
> issues to do with patch-clashes/etc are routine. Personally I think DJB
> made a bad mistake in not allowing output from the qmail-queue process
> to flow back to qmail-smtpd. If he had, then we could EASILY do what
> you ask - in fact - that was originally what I wanted to do with
> Qmail-Scanner!
>
> But instead, as qmail-smtpd error msgs are static, Q-S has to generate
> its own error e-mails. There's no way I'd want Q-S to generate a perm
> error - because otherwise all the sending SMTP server sees is "5xxx perm
> fail" - not exactly useful. Obviously patching Qmail to have more error
> msgs would fix this particular issue, but read on...
>
> Let's think this through.
>
> 1. I am an infected Windows PC. I use SMTP to send the virus to my
> default SMTP gateway, it rejects the message (due to virus) at the SMTP
> layer. The virus doesn't report that SMTP error to the end user - so
> they are unaware they are infected.

Right. This is absolutely fine. No harm done.

> 2. I am an infected Windows PC. I use SMTP to send the virus to my
> default SMTP gateway, it doesn't do virus scanning so it just passes it
> on to the next SMTP gateway. Eventually it meets a gateway that rejects
> the message at the SMTP layer. The SMTP failure generates a bounce that
> goes to the "MAIL FROM" address - which isn't the infected user - so
> they are unaware they are infected.
>
> 3. I am an infected Windows PC. I use SMTP to send the virus to my
> default SMTP gateway, it doesn't do virus scanning so it just passes it
> on to the next SMTP gateway. Eventually it meets Qmail-Scanner (set to
> send alerts always) that accepts the message, scans it and then sends an
> alert that goes to the "MAIL FROM" address - which isn't the infected
> user - so they are unaware they are infected (i.e. identical to "2."
> except it has a much better error message).

No, the q-s error message is still confusing and unwanted. Before q-s
introduced the psender functionality I was sending two or three
explanations to various individuals across the internet each day. People
hated the q-s message because it claimed that they had a virus when they
didn't. #3 is much worse than #2 because a notification is ALWAYS sent. I
think the vast majority of viruses are sent directly to the recipient's
mail server, so #2 would be much less of an issue. Most mail servers are
configured to NOT be open relays these days.

> 4. I am an infected Windows PC. I use SMTP to send the virus to my
> default SMTP gateway, it doesn't do virus scanning so it just passes it
> on to the next SMTP gateway. Eventually it meets Qmail-Scanner (set to
> default of not notifying sender) that accepts the message, scans it and
> then exits. Real sender still unaware they are infected.
>
> Which one is best?
>
> Now let's look at your actual issue. False Positives. Apparently you
> have some broken AV that is claiming clean files are infected.
> Apparently you still want to use that AV! You think Q-S should be
> rewritten to compensate for your broken AV system...

Yes, let's look at my actual issue:

4. I am a business customer, and I rely on email to do business. I send a
word doc or a zipped binary attachment that just happens to contain a
signature that looks an awful lot like a virus to a business associate's
ISP. The remote mail server silently drops the email because my email
looks like it contains a virus. I am NOT a customer of this remote ISP, so
they do NOT send me any kind of notification whatsoever. The email is lost
and I don't realize that it didn't reach its destination until it is too
late. Is this the sort of thing that lawsuits are made of? I don't know.

And here is the proposed solution:

5. I am a business customer, and I rely on email to do business. I send a
word doc or a zipped binary attachment that just happens to contain a
signature that looks an awful lot like a virus to a business associate's
ISP. The remote mail server kills my SMTP connection with a 5xx error code
and my mail client displays an error notifying me of the problem. Even if
the returned error message is cryptic, like "qq error", I at least know
that my message did not make it to the intended recipient. I can now
contact the intended recipient via other means, or contact the ISP
directly.

CONS? Yes, there are some that you've described already. If the computer
on the other end of qmail-scanner's SMTP session is NOT equipped with a
virus scanner AND is relaying the virus for someone else then someone will
receive a very cryptic bounce message. Maybe this will happen more often
than I anticipate. So what? That remote mail server should be running AV
software anyway. At least we don't have to worry about false positives
anymore. Also, I think the sting of this can be lessened if we include a
qmail patch in the contrib directory that will allow us to return more
informative bounce messages.

> Seriously, Q-S defaults to not sending alerts for messages that an AV
> says are infected. If you use quarantine-attachments.txt to do "Policy
> blocks", those WILL GENERATE ALERTS. So if you block "*.doc"
> attachments, the sender of a clean *.doc file will get an e-mail telling
> them their message was blocked. As they are not a virus, the email will
> reach the actual sender. Everyone is happy.

I don't see how the above paragraph is pertinent to the discussion at hand.

> If your AV is blocking clean files as being viral, complain or change AV.

I use ClamAV, and as far as I can tell it hasn't blocked any false
positives. But I watch the virus database changelogs, and false positives
are submitted all the time. The possibility is real, and if you think your
particular AV software is immune then you're not being honest with
yourself.

I'm not suggesting that we make this change the default behavior. I'm
simply suggesting that we make it an option.

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net

_______________________________________________
Qmail-scanner-general mailing list
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
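The three outcomes the thread argues over (reject with a 5xx after DATA, accept and then mail a notice to MAIL FROM, accept and drop silently) acted out over a real SMTP exchange on the loopback interface. This is an added example for this page, not code from qmail, qmail-scanner, ClamAV or either poster; the tiny server, the reply texts, the `FLAGGED_MARKER` string standing in for an AV signature hit and the example.org/example.net addresses are all constructed here. The point it makes concrete is that only the `reject` policy puts the failure in front of the connecting client (the sender's own MUA, or the relay that will bounce to its own envelope sender), while `notify` sends the notice to whatever MAIL FROM claims, which a worm forges at will, and `silent` tells nobody. A false positive on a clean attachment is indistinguishable from a real hit at this point, so the same table of outcomes applies to it.

```python
import smtplib
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for an AV signature hit. A false positive on a clean
# attachment looks exactly like this to the server; the policy below is what
# decides who ever finds out.
FLAGGED_MARKER = b"X-CONSTRUCTED-VIRUS-MARKER"


def av_verdict(body: bytes) -> bool:
    """Hypothetical AV engine: True means 'treat as infected'."""
    return FLAGGED_MARKER in body


@dataclass
class Decision:
    smtp_reply: str                 # reply the connecting peer receives after end-of-data
    delivered: bool                 # message queued for RCPT TO?
    notified: Optional[str] = None  # address sent a later notice, if any


def decide(policy: str, infected: bool, mail_from: str) -> Decision:
    """End-of-data policy.  'reject': 5xx to the peer, nothing else generated.
    'notify': 250 to the peer, then a notice to MAIL FROM (forgeable).
    'silent': 250 to the peer, message discarded, nobody told."""
    if not infected:
        return Decision("250 2.0.0 queued", True)
    if policy == "reject":
        return Decision("554 5.7.1 message rejected: content flagged by virus scanner", False)
    if policy == "notify":
        return Decision("250 2.0.0 queued", False, notified=mail_from)
    if policy == "silent":
        return Decision("250 2.0.0 queued", False)
    raise ValueError(f"unknown policy {policy!r}")


def serve_one_session(listener: socket.socket, policy: str, log: List[Decision]) -> None:
    """Minimal one-session SMTP server: just the verbs smtplib.sendmail uses."""
    conn, _ = listener.accept()
    reader = conn.makefile("rb")
    mail_from = ""

    def send(line: str) -> None:
        conn.sendall(line.encode("ascii") + b"\r\n")

    with conn:
        send("220 scanner.example.test ESMTP (constructed)")
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.rstrip(b"\r\n").decode("ascii", "replace")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                send("250 scanner.example.test")
            elif verb == "MAIL":
                mail_from = line.split(":", 1)[1].strip().strip("<>")
                send("250 2.1.0 ok")
            elif verb == "RCPT":
                send("250 2.1.5 ok")
            elif verb == "DATA":
                send("354 go ahead")
                chunks = []
                while (raw := reader.readline()) not in (b".\r\n", b""):  # up to the lone dot
                    chunks.append(raw)
                verdict = decide(policy, av_verdict(b"".join(chunks)), mail_from)
                log.append(verdict)
                send(verdict.smtp_reply)  # the moment the three policies diverge
            elif verb == "RSET":
                send("250 2.0.0 ok")  # smtplib issues RSET after a DATA failure
            elif verb == "QUIT":
                send("221 bye")
                break
            else:
                send("500 5.5.1 unrecognised")


def send_through_scanner(policy: str, mail_from: str, rcpt_to: str, body: bytes):
    """One loopback transaction.  Returns (what the sending client saw, server Decision)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    log: List[Decision] = []
    worker = threading.Thread(target=serve_one_session, args=(listener, policy, log), daemon=True)
    worker.start()
    try:
        with smtplib.SMTP("127.0.0.1", listener.getsockname()[1],
                          local_hostname="client.example.test", timeout=5) as client:
            client.sendmail(mail_from, [rcpt_to], body)
        seen = "250 accepted"
    except smtplib.SMTPDataError as exc:
        seen = f"{exc.smtp_code} {exc.smtp_error.decode()}"
    finally:
        worker.join(timeout=5)
        listener.close()
    return seen, log[0]


if __name__ == "__main__":
    # Constructed scenario: a worm sends to victim@example.net with a forged
    # MAIL FROM naming an uninvolved third party.  Compare who learns what.
    body = b"Subject: hi\r\n\r\nsee attachment\r\n" + FLAGGED_MARKER + b"\r\n"
    for policy in ("reject", "notify", "silent"):
        seen, verdict = send_through_scanner(policy, "innocent@example.org", "victim@example.net", body)
        print(f"{policy:<7} peer saw: {seen:<62} notice to: {verdict.notified}")
```

Under `reject`, `smtplib` raises `SMTPDataError(554, ...)` at the client, which is exactly the "my mail client displays an error" outcome of scenario 5; under `notify` and `silent` the client gets 250 and believes the message was delivered. The `RSET` handler is there because `smtplib.sendmail` resets the session after a DATA-stage rejection before raising, which a minimal server written for this test would otherwise answer with 500.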