[EMAIL PROTECTED] wrote: > Charles Gregory wrote: >> On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote: >>>> telnet isps-server 25 ... HELO bogus ... MAIL FROM:<[EMAIL PROTECTED]> >>>> telnet victims-server 25 ... HELO isps-server ... MAIL FROM.... >>>> If victim's SMTP server fails the DATA with a 5xx code, then >>>> backscatter goes [EMAIL PROTECTED] >>> .... it is not my problem what the ISP's mail server >>> does with it after I send a 5xx. >> Well, first of all, yes it IS. It's *everyone's* problem. That forged >> address could be on *your* server, and *you* get the backscatter from some >> other victim system that also "doesn't care what the ISP does with it"... >> >> That being said, I agree that the number of viruses that still try to find >> and use an infected PC's SMTP server is very small... In which case the >> odds of hitting a false positive via a mail relay are greater than hitting >> a virus via a mail relay. Now that you make me think about it, the only >> time I ever see backscatter from a virus is when someone uses a virus >> checker that generates its own DSN rather than issue SMTP 5xx rejections. >> I am so *very* glad that ClamAV is just a *reporting* tool! :) >> >>> If anything it encourages the ISP to virus filter their users and take >>> care of abuse problems rather then silently sweeping them under the >>> rug. >> Begging pardon, but just because someone uses a standard postfix config >> and follows the standard 'recommended' practice of listing dial-up IP's as >> 'trusted clients' does not mean they are 'sweeping' anything under their >> 'rug'. It is just a choice made to minimize the performance hit of >> scanning and filtering mail that is 99.99+% valid. >> >> BUT this practice of not scanning mail from trusted clients is only >> 'safe' if virus checking is done post-SMTP, in procmail. Otherwise, there >> is the risk that mail from one user of a system to another will not be >> virus checked at *all*, permitting the spread of viruses within a given >> user base. >> >> So my closing thought is that I will want to do two things with my new >> "Mail Avenger" setup: >> 1) I will want to run clamav on *all* messages, regardless of source. >> This will prevent intra-system viruses and also cut down on >> backscatter by preventing my server from relaying an outgoing virus. >> 2) I will want to check in procmail to see whether an intra-system >> message passed through my SMTP or was directly delivered via LDA, and >> in the latter case I will need to run clamav from procmail. >> >> So thank you all, for stirring up some good serious thoughts! >> >> - Charles, HWCN
Doh, sorry about this. To many windows open at the same time... Steven _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml