On Wed, 2004-05-12 at 07:07, Jesse Guardiani wrote: > Yes, let's look at my actual issue: > > 4. I am a business customer, and I rely on email to do business. I send > a word doc or a zipped binary attachment that just happens to contain > a signature that looks an awful lot like a virus to a business associate's > ISP. The remote mail server silently drops the email and because my email > looks like it contains a virus. I am NOT a customer of this remote ISP, so > they do NOT send me any kind of notification whatsoever. The email is lost > and I don't realize that it didn't reach it's destination until it is too > late. Is this the sort of thing that law suites are made of? I don't know. > > And here is the proposed solution: > > 5.) I am a business customer, and I rely on email to do business. I send > a word doc or a zipped binary attachment that just happens to contain > a signature that looks an awful lot like a virus to a business associate's > ISP. The remote mail server kills my SMTP connection with a 5xx error code > and my mail client displays an error notifying me of the problem. Even if > the returned error message is cryptic, like "qq error", I at least know > that my message did not make it to the intended recipient. I can now contact > the intended recipient via other means, or contact the ISP directly.
Yes. If people receive an e-mail error they don't understand, they usually call someone. Usually, it's the recipient. "Hey, I tried to send you this, but your e-mail is messed up, etc." The recipient, if he (or she) isn't a mail administrator, will usually get in touch with someone who is, and ask why someone tried to send them something but got an error. The situation will eventually get resolved. But if we're silently dropping/quarantining e-mails that contain viruses... no one ever knows that the message wasn't delivered. The sender thinks the recipient is just slow at replying, and the recipient thinks the sender never sent the message. We have to wait for a "timeout", where one of the two people calls the other and says "where is it?" or "why didn't you reply?" Which is followed by the scenario I outlined above, and then the parties involved finally realizes that either the sender has a virus, or the mail server's AV is generating false positives. -- snip -- > > Seriously, Q-S defaults to not sending alerts for messages that an AV > > says are infected. If you use quantine-attachments.txt to do "Policy > > blocks", those WILL GENERATE ALERTS. So if you block "*.doc" > > attachments, the sender of a clean *.doc file will get an e-mail telling > > them their message was blocked. As they are not a virus, the email will > > reach the actual sender. Everyone is happy. > > I don't see how the above paragraph is pertinent to the discussion at hand. > It's pertinent, sort of, because it covers the case of policy violations. Policy violations are handled by psender, which is the correct way of doing things. But psender doesn't work for viruses because the sender is spoofed. Since we can't determine who to send a notification for when we receive a virus, we shouldn't accept the message *at all*. It's a violation of the SMTP protocol to return OK and then silently drop the message. > > If your AV is blocking clean files as being viral, complain or change AV. That's just it - if we accept the message and silently quarantine it without notifying anyone... no one ever knows if their AV is blocking clean files or not. If we notify the recipient, our users will have 100's of q-s notification e-mails saying "You got an e-mail but it was infected so we didn't deliver it"... not very desirable. And as I mentioned above, we can't determine the sender so we can't notify him (or her), either. So the best course of action is not to accept the message at all. What we *should* do is include a qmail patch to allow q-s to return "550 message rejected because it contains a virus" when it detects a virus. Then if the virus is using its own SMTP engine (most do) it will be unable to send mails to our servers. No bounces are generated; virus can't propagate. We can still keep a copy of the incoming virus in the quarantine (I don't believe SMTP protocol forbids keeping a copy of messages after sending a 550... does anyone else know?) for analysis. -- snip -- > 1. I am an infected Windows PC. I use SMTP to send the virus to my > > default SMTP gateway, it rejects the message (due to virus) at the SMTP -- snip -- If viruses start using ISP mail servers (detect settings in Outlook, etc.) as Jason suggests, the issue gets slightly more complicated. If the ISP mail server detects viruses and rejects messages (the behavior that is being proposed for q-s right now), then the virus never makes it out. If the ISP mail server doesn't detect viruses and accepts the message, when it does run into q-s (assuming that q-s rejects viruses), it will generate a bounce, which is undesirable because some people will receive messages claiming they have a virus when they don't, blah blah blah. We've been through that before... that's why psender was introduced. But at least the bounce will originate from an ISP mail server that doesn't detect viruses - if that ISP gets enough calls, they'll eventually install an AV. *Please* consider adding the option of rejecting viruses to q-s. - Jon -- [EMAIL PROTECTED] Administrator, tgpsolutions http://www.tgpsolutions.com
signature.asc
Description: This is a digitally signed message part
