RE: To send or not to send 'virus in email' notifications?
The right answer for the original question is probably "Buy an email server package with virus scanning hooks" or "Get a virus scanner with sendmail milter hooks" rather than specific details of how to set it...

The suggestion to do virus filtering during the message transfer stage rather than the delivery stage is good. It looks like sendmail milters can be tweaked to do this, though unless they can recognize the virus from the mail headers, they have to wait until the end-of-message hook to do it, i.e. after the whole virus has been transferred but before the message acceptance codes get transferred. It's too bad that it's difficult to send a reject code and continue a teergrube at the same time.

For virus scanners that run at other stages in the delivery process, the right decision about whether to do a notification or not is virus-dependent, if your anti-virus package supports it. Sobig almost always forges sender addresses, so it shouldn't get a reply, but some other viruses don't forge the sender, and should get the reply. Limiting the responses to once a week per sender or whatever may help, but only if the same sender gets forged a lot.

Yet another reason to cryptographically sign your outgoing mail, not that I usually do so or that most people or mail clients check.

Thanks; Bill Stewart
One of my pet peeves is anti-virus programs that detect a virus by name, so they should know that it always spoofs the sender address, still sending messages referring to the "message you sent". I wonder if people receive those, scan for viruses, and then when they don't find one, do one of the following:

1) Take their computer to a computer store and pay for needless 'repairs', or
2) Reinstall/reformat rather than take chances.

At a very minimum, guys, adjust your messages to say "an email that appears to have been sent by you" or similar language to indicate that you don't know for sure who sent the message.

DS
On Thursday 21 August 2003 12:08 am, David Schwartz wrote:

> One of my pet peeves is anti-virus programs that detect a virus by name, so they should know that it always spoofs the sender address, still sending messages referring to the "message you sent". I wonder if people receive those, scan for viruses, and then when they don't find one, do one of the following:
>
> 1) Take their computer to a computer store and pay for needless 'repairs', or
> 2) Reinstall/reformat rather than take chances.

3) Call up their Geeky son and panic...

<rant>
On this subject, my major pet peeve would be that at least 85% of the bounce messages that I have seen coming back here don't contain enough information to figure out where the Original Message came from. How very nice of you to tell me that my FreeBSD laptop is sending on A Windows Virus. Maybe if you gave back the headers of the message, I could have a chance of guessing which of the unlucky people that has my e-mail in their address book might be infected. Or when previously mentioned panicking Dad calls up, we can figure out which one of his friends has it. But my vote is still a flag in the avscanner that says virus forges from/ don't e-mail ...
</rant>

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key fingerprint = 8F70 6306 F0A7 B8DA BA95 76C4 606A 7DC1 370D 752C
Me no internet, only janitor, me just wax floors.
Patrick Muldoon wrote:

> On Thursday 21 August 2003 12:08 am, David Schwartz wrote:
>
>> One of my pet peeves is anti-virus programs that detect a virus by name, so they should know that it always spoofs the sender address, still sending messages referring to the "message you sent". I wonder if people receive those, scan for viruses, and then when they don't find one, do one of the following:
>>
>> 1) Take their computer to a computer store and pay for needless 'repairs', or
>> 2) Reinstall/reformat rather than take chances.
>
> 3) Call up their Geeky son and panic... <rant> On this subject, my major pet peeve would be that at least 85% of the bounce messages that I have seen coming back here don't contain enough information to figure out where the Original Message

<snip>

Amavis sends back in the notification message the original message's headers (plus more if you wish). amavisd-new has templates and such. You would think other people who pay their developers nice sums of money could do the same.
I attest to Amavis on this one. Message headers, virus found, and also if you quarantine the message it sends the quarantined file name.

Gerardo

Joe Maimon writes:

> Patrick Muldoon wrote:
>
>> On Thursday 21 August 2003 12:08 am, David Schwartz wrote:
>>
>>> One of my pet peeves is anti-virus programs that detect a virus by name, so they should know that it always spoofs the sender address, still sending messages referring to the "message you sent". I wonder if people receive those, scan for viruses, and then when they don't find one, do one of the following:
>>>
>>> 1) Take their computer to a computer store and pay for needless 'repairs', or
>>> 2) Reinstall/reformat rather than take chances.
>>
>> 3) Call up their Geeky son and panic... <rant> On this subject, my major pet peeve would be that at least 85% of the bounce messages that I have seen coming back here don't contain enough information to figure out where the Original Message
>
> <snip>
>
> Amavis sends back in the notification message the original message's headers (plus more if you wish). amavisd-new has templates and such.
>
> You would think other people who pay their developers nice sums of money could do the same.
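The thread makes three practical points about scanner notifications: Bill's (do not reply at all for viruses known to forge the sender, and throttle the rest to about one reply per sender per week), David's (word the notice as "appears to have been sent by you"), and Patrick's and Joe's (echo the original headers, as Amavis does, so the infected machine can actually be traced). The Python below is an added example that combines them into one notification policy; it is not code from any of the posters, from Amavis or from sendmail. The signature name, the addresses, the host name and the sample message are constructed for the example.

```python
"""Notification policy for an inbound virus scanner: decide whether the
apparent sender should be told at all, and if so say only what is known
and quote the original headers so the real source can be traced.

Added example for this thread; not code from any poster, from Amavis or
from sendmail. Signature names, addresses and the sample message are
constructed."""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Signatures the scanner knows always forge the sender. Sobig is the
# family named in the thread; the string itself is a constructed name.
SENDER_FORGING = {"Sobig"}

# "Once a week per sender": seconds between notifications to one address.
NOTIFY_WINDOW = 7 * 24 * 3600

# Headers echoed back so the recipient can trace where the mail really
# came from; every Received line is kept, not just the last hop.
TRACE_HEADERS = ("received", "from", "date", "message-id", "subject")


class NotificationPolicy:
    def __init__(self, forging=SENDER_FORGING, window=NOTIFY_WINDOW):
        self.forging = forging
        self.window = window
        self.last_sent = {}  # sender address -> unix time of last notification

    def should_notify(self, virus, sender, now):
        """Return (decision, reason). Sender-forging viruses never get a
        reply; everything else is throttled to one reply per window."""
        if virus in self.forging:
            return False, "virus forges sender"
        if not sender:
            return False, "no sender address"
        last = self.last_sent.get(sender)
        if last is not None and now - last < self.window:
            return False, "rate limited"
        self.last_sent[sender] = now
        return True, "notify"


def build_notification(msg, virus, scanner_host):
    """Compose a notice that hedges on origin and quotes the trace headers."""
    sender = str(msg.get("From", ""))
    reply = EmailMessage()
    reply["From"] = f"virus-scanner@{scanner_host}"
    reply["To"] = sender
    reply["Subject"] = f"{virus} found in a message that appears to be from you"
    trace = "\n".join(f"{name}: {value}" for name, value in msg.items()
                      if name.lower() in TRACE_HEADERS)
    reply.set_content(
        f"A message that appears to have been sent by {sender} was found to\n"
        f"contain {virus} and was not delivered. The sender address may have\n"
        "been forged; the original headers are quoted below so that the\n"
        "infected machine can be located:\n\n" + trace + "\n")
    return reply


def handle_infected(raw_message, virus, policy, now, scanner_host="mx.example.net"):
    """Scanner hook for an infected message: returns (notified, reason, reply or None)."""
    msg = message_from_string(raw_message, policy=default)
    _, sender = parseaddr(str(msg.get("From", "")))
    ok, reason = policy.should_notify(virus, sender, now)
    if not ok:
        return False, reason, None
    return True, reason, build_notification(msg, virus, scanner_host)


# Constructed sample: two Received hops, From claims alice@example.com.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbound.example.org with ESMTP id abc123
Received: from pc-12.example.net (192.0.2.44)
    by mx.example.net with SMTP id def456
From: Alice <alice@example.com>
To: bob@example.org
Date: Thu, 21 Aug 2003 00:08:00 -0400
Message-ID: <constructed-0001@example.net>
Subject: Re: Thank you!

See the attached file.
"""

if __name__ == "__main__":
    policy = NotificationPolicy()
    t0 = 1061438880  # constructed timestamp, 21 Aug 2003
    print(handle_infected(SAMPLE_MESSAGE, "Sobig", policy, t0)[:2])
    sent, why, reply = handle_infected(SAMPLE_MESSAGE, "OtherWorm", policy, t0)
    print(sent, why)
    print(reply)
    print(handle_infected(SAMPLE_MESSAGE, "OtherWorm", policy, t0 + 3600)[:2])
```

The throttle is keyed on the address the message claims, so it only helps when the same forged address keeps turning up, exactly the caveat in Bill's post; the per-signature "forges sender" flag is what actually stops the misleading replies. The Received lines are quoted in full because the last hop alone usually points at the scanner's own upstream relay rather than the infected host.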
participants (5)

- David Schwartz
- Gerardo A. Gregory
- Joe Maimon
- Patrick Muldoon
- Stewart, William C (Bill), RTSLS