Chris Gauch wrote:
Alan wrote:


One of the reasons I use 550 rejects for viruses is that I also scan
outgoing mail... so if by some chance one of my users gets infected with
a virus (regardless of the fact that we have desktop antivirus software
installed on all our machines as well as ClamAV on the MX server) and it
tries to send out using our mail gateway, the mail gateway will reject
that mail with a 550 and throw an error back to the client machine.

If the virus is in an attachment that they're legitimately trying to
send, they'll get an error message and then they'll undoubtedly come
crying to the helpdesk, which will then kick them and tell them to run
the latest antivirus software/signatures.



While it certainly makes sense to reject viruses when scanning outgoing mail
from your own network, it's best to make sure that the virus attachment is
removed prior to rejecting and generating the bounce.  We also used to do
the same thing (rejecting viruses) when it came to outbound mail from our
own mail server (which is completely separate from our MD/ClamAV (CanIt-PRO)
gateway cluster), where we run a commercial AV scanner.  In at least a dozen
or so situations early last year, we were basically rejecting viruses from
client PCs, but the ignorant users (who WERE NOT infected prior to receiving
the bounce) would open the attachments in the bounce and infect their PCs,
spreading the virus like wildfire. Let me explain...

I'm not generating bounces... I'm merely 550 rejecting... which is fine in my situation because it's the SMTP outgoing gateway machine that is rejecting the content coming directly from the client machine (which is on our local network)... so, what happens is, the user (on said client machine) writes email, attaches a file, hits send, gets a popup window that says "ERROR 550 YOUR MESSAGE CONTAINS A VIRUS" and doesn't go beyond that point until they either a) figure it out themselves and run their anti-virus scanner or (more likely) b) contact our helpdesk and admit that they don't know enough to really be allowed to touch a computer even indirectly connected to the internet. Then our help desk eradicates the virus or tells the user they're SOL.

No bounces (aka DSN or NDN) involved.

We have instituted a no-MS-internet-software policy, but it doesn't necessarily mean that someone's not going to open OE or IE out of habit or just cuz they think they know what they're doing.

Also, one point that has been glazed over in this entire thread is that email is not the only way for these machines to be infected with viruses, and the user doesn't even have to be a complete moron to become infected any longer. Especially with exploits in which all you have to do is open the wrong URL, without knowing it or any indication on the site itself, just that one little act can infect your machine. Nothing to do with mail.

Right or wrong, I don't think either solution really adds any more to the problem, nor does it really remove anything from the problem. I think what these solutions do is change the way the problem is perceived by the people that are directly affected by the implementation of these solutions.


If AV scanners were absolutely, without a doubt, 100% reliable, that would be a different story. If there were NO OTHER WAYS to contract these viruses, it would be a different story. If there weren't other legitimate causes for DSNs, NDNs, or what have you, then the argument would hold more weight.

As it stands, obviously, my solution isn't appropriate for everyone, but it is most appropriate for me. My solution is rejection (not bouncing). My solution can have some adverse effects on other people as a result of someone else's malicious software, true. So does yours, just in a different way.

I take the stand (as others on the list also have) that I am not, and cannot be, responsible for everyone I come into contact with either directly or indirectly. As much as I would like to help everyone, I'm neither qualified, nor is it entirely appropriate. At a certain point, people need to take responsibility for themselves. That includes being responsible for what they do and/or do not tolerate, how they deal with those things that they find they are unable to tolerate, and how to alter their environment so that they can protect themselves from those things they are unable to tolerate.

The argument that I've seen here has been two-in-one. The first is that discarding is better than rejecting. For some, that is true and appropriate. The second, parallel argument is that the reason to discard is because people other than [insert admin/implementing authority/etc. here] are unable to accept or even understand responsibility for themselves, and that we (the mail admin community) must accept responsibility for them and every other netizen instead of educating them as necessary for them to accept responsibility. This is the role of an enabler and I personally don't buy into it.

It's not always *easy* to do what's truly "right", but in the long run it's usually worth the extra effort.

Anyway, I think I'm done ranting now. I think the point has been driven pretty hard into the ground and the horse may actually be dead now.

alan

[snip]
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
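The distinction Alan draws (an SMTP-time 550 that lands on the connected client's mail program, versus accepting the message and then generating a DSN that goes to a possibly forged envelope sender) is easy to express in a MIMEDefang filter. The snippet below is an added example written for this thread; it is not Alan's filter and not part of the MIMEDefang distribution. It assumes the standard filter API (filter_begin, message_contains_virus, action_bounce, action_discard, md_syslog, and the $RelayAddr, $Sender and $VirusName globals) and assumes, as a placeholder, that the gateway's own workstations live in the 10.0.0.0/8 and 192.168.0.0/16 ranges. Note that MIMEDefang's action_bounce, despite its name, rejects at the SMTP level with the given 5xx code: the message is never accepted, so no DSN is created, which is exactly the "no bounces involved" behaviour described above.

```perl
# Added example (not the project's or the poster's code): per-message virus
# policy that rejects at SMTP time for mail submitted from the LAN and
# silently discards for mail arriving from anywhere else.

sub filter_begin {
    my ($entity) = @_;

    # Nothing to do unless the configured scanner (e.g. ClamAV) flagged
    # the message. $VirusName is filled in by MIMEDefang on a hit.
    return unless message_contains_virus();

    # Assumption (placeholder ranges): only these networks hold our own
    # workstations; anything else is treated as inbound mail.
    my $from_lan = ($RelayAddr =~ /^10\./ or $RelayAddr =~ /^192\.168\./);

    if ($from_lan) {
        # Outbound: the SMTP client is the user's own machine, so a 5xx
        # reply is shown by their MUA. Because the message is rejected
        # before acceptance, no DSN/NDN is ever generated or forwarded.
        md_syslog('warning',
            "Rejecting outbound virus $VirusName from $RelayAddr <$Sender>");
        return action_bounce("Message contains a virus ($VirusName)",
                             550, "5.7.1");
    }

    # Inbound: the envelope sender is almost always forged by the virus,
    # so a bounce would hit an uninvolved third party. Accept and drop.
    md_syslog('info',
        "Discarding inbound virus $VirusName from $RelayAddr <$Sender>");
    return action_discard();
}
```

The same split can be done with milter-level relay checks or with a separate outbound-only MIMEDefang instance, as the original poster describes; the point of the example is only that the decision to reject versus discard should hinge on who the connected SMTP client actually is.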
