On Tuesday 03 February 2004 13:45, Fred wrote:

> This concept was done before (welchia?) but they made a bad choice.  My
> intent is not to infect them with a copy of said evil program but only to
> close the infection and inform the user, no harm done.
>
> I'm thinking this would be just as bad as creating a virus, but at least
> someone was fighting for the people!

The problem is, what if your 'benign' fix doesn't account for something it has 
never seen before, and (at a long stretch) formats the drive of the machine 
it is trying to fix?  Which is worse, the fix or the problem?

It's a nice idea, but really and truly, the fix should be made in other ways, 
including but not limited to:
* ISPs disabling port 25 outbound from client IP pools unless the client can 
prove a reason to have that access.  Everyone else either gets blocked or is 
transparently proxied on port 25 to the ISP mail server.
* ISPs running AV engines on inbound and outbound queues.  This has the effect 
of slowing mail down a bit, but it's worth it.
* Companies setting their firewalls to not allow 25 outbound from anything but 
a registered mail server.
* Companies running combination gateway + server + desktop AV engines

None of those options are cheap, but they are doable.  If you can, run the 
outbound SMTP checker before the 200 status code returned on the DATA 
segment.  Deliveries will take a bit longer from the client point of view, 
but viruses can be rejected before they have a chance to be passed into the 
net.

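The last point in the message above, running the content check before the success reply that ends DATA (250 in SMTP, RFC 5321), is easy to picture as a receiver state machine. The following is an added example, not code from the original thread: a minimal SMTP receiver that buffers the message body and scans it before acknowledging end-of-data, so an infected message gets a 550 and is never queued. The signature list, hostname and the scripted client exchanges are constructed for the example; the EICAR test string stands in for a real AV engine.

```python
"""Minimal SMTP receiver state machine that scans message content before
acknowledging DATA, so an infected message is rejected with a 5xx instead of
being accepted with 250 and queued.  Added example, not from the original
thread; signature list and sample exchanges are constructed."""

from typing import List, Optional

# EICAR anti-virus test string (public, harmless) stands in for an AV engine.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical signature list for this example; a deployment would call an AV scanner.
SIGNATURES = {"EICAR-Test-File": EICAR}


def scan_message(raw: str) -> Optional[str]:
    """Return the name of the first matching signature, or None if clean."""
    for name, sig in SIGNATURES.items():
        if sig in raw:
            return name
    return None


class SmtpSession:
    """Server side of one SMTP connection (HELO/MAIL/RCPT/DATA/QUIT only)."""

    def __init__(self) -> None:
        self.state = "init"
        self.envelope_from: Optional[str] = None
        self.rcpts: List[str] = []
        self.data_lines: List[str] = []

    def handle(self, line: str) -> Optional[str]:
        """Process one client line; return the server reply, or None while in DATA."""
        if self.state == "data":
            if line == ".":
                return self._end_of_data()
            # Dot-unstuffing per RFC 5321 section 4.5.2.
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            self.state = "greeted"
            return "250 scanner.example.invalid"  # hypothetical hostname
        if cmd == "MAIL" and self.state == "greeted":
            self.envelope_from = arg
            self.state = "mail"
            return "250 OK"
        if cmd == "RCPT" and self.state in ("mail", "rcpt"):
            self.rcpts.append(arg)
            self.state = "rcpt"
            return "250 OK"
        if cmd == "DATA" and self.state == "rcpt":
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if cmd == "QUIT":
            return "221 Bye"
        return "503 Bad sequence of commands"

    def _end_of_data(self) -> str:
        raw = "\n".join(self.data_lines)
        hit = scan_message(raw)
        # Reset the transaction either way; the session stays open.
        self.state = "greeted"
        self.data_lines = []
        self.envelope_from = None
        self.rcpts = []
        if hit:
            # Reject before any success reply: the client never sees a 250,
            # so nothing is queued and the sender learns the message was dropped.
            return f"550 5.7.1 Message rejected: {hit} detected"
        return "250 OK: queued"


def run_session(client_lines: List[str]) -> List[str]:
    """Feed a scripted client exchange through the state machine; return the replies."""
    session = SmtpSession()
    replies = []
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


# Constructed sample exchanges: one clean message, one carrying the test string.
CLEAN = ["EHLO client.example", "MAIL FROM:<a@example>", "RCPT TO:<b@example>",
         "DATA", "Subject: hi", "", "hello", "."]
INFECTED = CLEAN[:-2] + [EICAR, "."]

if __name__ == "__main__":
    for name, script in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, "->", run_session(script)[-1])
```

The scan runs on the buffered body only after the terminating `.` arrives, which is exactly the delay the message describes: the client waits a little longer for its reply, but the decision is made while the client is still on the line and can be told 550 rather than having the message bounced (or silently dropped) later from a queue.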