Charles Gregory wrote:
> On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
>>> telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]>
>>> telnet victims-server 25 ... HELO isps-server ... MAIL FROM....
>>> If victim's SMTP server fails the DATA with a 5xx code, then
>>> backscatter goes [EMAIL PROTECTED]
>> .... it is not my problem what the ISP's mail server
>> does with it after I send a 5xx.
> 
> Well, first of all, yes it IS. It's *everyone's* problem. That forged
> address could be on *your* server, and *you* get the backscatter from some
> other victim system that also "doesn't care what the ISP does with it"...
> 
> That being said, I agree that the number of viruses that still try to find
> and use an infected PC's SMTP server is very small... In which case the
> odds of hitting a false positive via a mail relay are greater than hitting
> a virus via a mail relay. Now that you make me think about it, the only
> time I ever see backscatter from a virus is when someone uses a virus
> checker that generates its own DSN rather than issue SMTP 5xx rejections.
> I am so *very* glad that ClamAV is just a *reporting* tool! :)
> 
>> If anything it encourages the ISP to virus filter their users and take
>> care of abuse problems rather than silently sweeping them under the
>> rug.
> 
> Begging pardon, but just because someone uses a standard postfix config
> and follows the standard 'recommended' practice of listing dial-up IPs as
> 'trusted clients' does not mean they are 'sweeping' anything under their
> 'rug'. It is just a choice made to minimize the performance hit of
> scanning and filtering mail that is 99.99+% valid.
> 
> BUT this practice of not scanning mail from trusted clients is only
> 'safe' if virus checking is done post-SMTP, in procmail. Otherwise, there
> is the risk that mail from one user of a system to another will not be
> virus checked at *all*, permitting the spread of viruses within a given
> user base. 
> 
> So my closing thought is that I will want to do two things with my new
> "Mail Avenger" setup:
>   1) I will want to run clamav on *all* messages, regardless of source.
>      This will prevent intra-system viruses and also cut down on
>      backscatter by preventing my server from relaying an outgoing virus.
>   2) I will want to check in procmail to see whether an intra-system 
>      message passed through my SMTP or was directly delivered via LDA, and
>      in the latter case I will need to run clamav from procmail.
> 
> So thank you all, for stirring up some good serious thoughts!
> 
> - Charles, HWCN
> 
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
> 
> 
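As an added illustration of item 2 above (not Charles's own configuration, nor anything shipped by ClamAV or Mail Avenger), a procmail recipe that scans only the messages that bypassed the SMTP-time scanner. It assumes the SMTP-side scanner stamps an `X-Virus-Scanned:` header on everything it handled (the header name is an assumption; use whatever your scanner actually adds), that `clamscan` is on PATH, and that `$HOME/mail/quarantine` is an mbox file.

```procmail
# Added example, not from the thread. Assumed: the SMTP-time scanner adds
# "X-Virus-Scanned:" to every message it saw, clamscan is on PATH, and
# $MAILDIR/quarantine is an mbox the user can inspect later.
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
MAILDIR=$HOME/mail
LOGFILE=$HOME/.procmail.log

# Mail that came through the SMTP listener already carries the scanner's
# header and is left alone. Anything without it reached the mailbox
# another way (local sendmail(1) injection, direct LDA delivery from a
# user on the same box) and has never been scanned, so scan it here.
#
# clamscan reads the message from stdin ("-") and exits 0 when clean,
# 1 when a signature matched, 2 on error. A "?" condition is true on
# exit 0, so the negated form matches infected messages and, on purpose,
# scan failures as well: an unscanned message is treated as suspect
# rather than delivered unchecked.
:0
* ! ^X-Virus-Scanned:
* ! ? clamscan --quiet --no-summary - >/dev/null 2>&1
quarantine

# Everything else falls through to normal delivery.
```

Because procmail only evaluates the second condition when the first one matched, messages that were already scanned at SMTP time never invoke clamscan a second time.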
