Charles Gregory wrote: > On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote: >>> telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]> >>> telnet victims-server 25 ... HELO isps-server ... MAIL FROM.... >>> If victim's SMTP server fails the DATA with a 5xx code, then >>> backscatter goes [EMAIL PROTECTED] >> .... it is not my problem what the ISP's mail server >> does with it after I send a 5xx. > > Well, first of all, yes it IS. It's *everyone's* problem. That forged > address could be on *your* server, and *you* get the backscatter from some > other victim system that also "doesn't care what the ISP does with it"... > > That being said, I agree that the number of viruses that still try to find > and use an infected PC's SMTP server is very small... In which case the > odds of hitting a false positive via a mail relay are greater than hitting > a virus via a mail relay. Now that you make me think about it, the only > time I ever see backscatter from a virus is when someone uses a virus > checker that generates its own DSN rather than issue SMTP 5xx rejections. > I am so *very* glad that ClamAV is just a *reporting* tool! :) > >> If anything it encourages the ISP to virus filter their users and take >> care of abuse problems rather then silently sweeping them under the >> rug. > > Begging pardon, but just because someone uses a standard postfix config > and follows the standard 'recommended' practice of listing dial-up IP's as > 'trusted clients' does not mean they are 'sweeping' anything under their > 'rug'. It is just a choice made to minimize the performance hit of > scanning and filtering mail that is 99.99+% valid. > > BUT this practice of not scanning mail from trusted clients is only > 'safe' if virus checking is done post-SMTP, in procmail. Otherwise, there > is the risk that mail from one user of a system to another will not be > virus checked at *all*, permitting the spread of viruses within a given > user base. > > So my closing thought is that I will want to do two things with my new > "Mail Avenger" setup: > 1) I will want to run clamav on *all* messages, regardless of source. > This will prevent intra-system viruses and also cut down on > backscatter by preventing my server from relaying an outgoing virus. > 2) I will want to check in procmail to see whether an intra-system > message passed through my SMTP or was directly delivered via LDA, and > in the latter case I will need to run clamav from procmail. > > So thank you all, for stirring up some good serious thoughts! > > - Charles, HWCN > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://www.clamav.net/support/ml > >
_______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml