Re: SMTP store and forward requires DSN for integrity

2005-12-12 Thread Matt Sergeant
On 12 Dec 2005, at 15:50, John Levine wrote: And BATV will never be widely deployed because it breaks every single system out there that keys off the return path. And there are a lot of these systems. I keep hearing that, but other than a few ezmlm lists and the occasional tired fax gateway,

Re: SMTP store and forward requires DSN for integrity

2005-12-12 Thread Matt Sergeant
On 10 Dec 2005, at 16:54, Douglas Otis wrote: The BATV is a few lines of code that adds a private tag with a time limit set in days. BATV helps dramatically by eliminating the DATA phase and all that is involved in handling messages. In addition, once BATV becomes more widely deployed, the DS

Re: SMTP store and forward requires DSN for integrity

2005-12-11 Thread Rich Kulawiec
I agree with nearly all of your analysis, but want to add a few small points of my own. On Sun, Dec 11, 2005 at 04:53:03AM -0600, Micheal Patterson wrote: > Can BATV correct this? Possibly. After reading further and thinking about it: I believe the answer isn't "possibly", but "almost certainly

Re: SMTP store and forward requires DSN for integrity

2005-12-11 Thread Suresh Ramasubramanian
On 12/11/05, Micheal Patterson <[EMAIL PROTECTED]> wrote: > If malware detection systems would not generate a DSN to the originator > upon detection in the first place, there would be no need to reduce > those transactions as there would be no transactions to reduce. The That is a big if. No shor

Re: SMTP store and forward requires DSN for integrity

2005-12-11 Thread Micheal Patterson
- Original Message - From: "Douglas Otis" <[EMAIL PROTECTED]> To: "Andrew - Supernews" <[EMAIL PROTECTED]> Cc: Sent: Saturday, December 10, 2005 3:54 PM Subject: Re: SMTP store and forward requires DSN for integrity On Sat, 2005-12-10 at 17:37

Re: SMTP store and forward requires DSN for integrity

2005-12-11 Thread Andrew - Supernews
> "Douglas" == Douglas Otis <[EMAIL PROTECTED]> writes: >> BATV doesn't help you if the problem is SMTP transaction volume, >> any more than a firewall will help you cope with a saturated >> network link. Douglas> Your statement regarding BATV is not correct however. There Douglas> are

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread mary
[snip Eicar signature] You didn't attach it. If you had, I'm pretty sure Exim (running an ACL plugged into ClamAV) would have caught it before it got to my Inbox. Clam detects Eicar just fine. :> :) I did receive two "your message contains a virus" replies. One was a "Panda GateDefender"

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Steve Sobol
mary wrote: mta test anyone? [snip Eicar signature] You didn't attach it. If you had, I'm pretty sure Exim (running an ACL plugged into ClamAV) would have caught it before it got to my Inbox. Clam detects Eicar just fine. :> What you did was include it inline in a text/plain MIME part in

Re: SMTP store and forward requires DSN for integrity

2005-12-10 Thread Douglas Otis
On Sat, 2005-12-10 at 17:51 -0600, Robert Bonomi wrote: > BATV has the risk of false-positive detection of an 'invalid' DSN. > All it takes is a remote mail system that keeps 'trying' to deliver to > a tempfailing address for _longer_ than the lifetime of that 'private > tag'. > > Congratulation

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread mary
mta test anyone? [EMAIL PROTECTED](P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Re: SMTP store and forward requires DSN for integrity

2005-12-10 Thread Robert Bonomi
> From [EMAIL PROTECTED] Sat Dec 10 16:56:38 2005 > Date: Sat, 10 Dec 2005 17:55:38 -0500 (Eastern Standard Time) > From: Todd Vierling <[EMAIL PROTECTED]> > To: nanog@merit.edu > Subject: Re: SMTP store and forward requires DSN for integrity > > > On Sat, 1

Re: SMTP store and forward requires DSN for integrity

2005-12-10 Thread Robert Bonomi
> From [EMAIL PROTECTED] Sat Dec 10 15:55:48 2005 > Subject: Re: SMTP store and forward requires DSN for integrity > From: Douglas Otis <[EMAIL PROTECTED]> > To: Andrew - Supernews <[EMAIL PROTECTED]> > Cc: nanog@merit.edu > Date: Sat, 10 Dec 2005 13:54:37 -0800 >

Re: SMTP store and forward requires DSN for integrity

2005-12-10 Thread Todd Vierling
On Sat, 10 Dec 2005, Douglas Otis wrote: > BATV will make forged DSNs a thing of the past, irrespective of where a > recipient list is checked, an AV or SPAM filter is added, etc. Stop plugging a recipient-side cost-shift scheme that you're directly involved with as some sort of panacea. BATV h

Re: SMTP store and forward requires DSN for integrity

2005-12-10 Thread Douglas Otis
On Sat, 2005-12-10 at 17:37 +, Andrew - Supernews wrote: > BATV doesn't help you if the problem is SMTP transaction volume, any > more than a firewall will help you cope with a saturated network link. I agree with most of your statements. AV filters should be done within the session when po

Re: SMTP store and forward requires DSN for integrity

2005-12-10 Thread Andrew - Supernews
> "JP" == JP Velders <[EMAIL PROTECTED]> writes: JP> Right now dumb AV filtering is akin to a Smurf amplifier. Good analogy. I would extend it by pointing out that "dumb AV filtering" is actually only a part of the general backscatter problem. The existence of BATV isn't an excuse for mail

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Todd Vierling
On Sat, 10 Dec 2005, Edward B. Dreger wrote: > Let's use some hyperbole: > > Say that the latest megaworm chucks out spam at speeds resembling SQL > Slammer. The return-path specified is your email address. Millions of > MXes send _you_ bogus DSNs "in good faith". That's not exactly hyperbole.

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Edward B. Dreger
DO> Date: Fri, 9 Dec 2005 15:08:49 -0800 DO> From: Douglas Otis DO> This is a third-party acting in good faith, albeit performing a check better DO> done within the session. In your view, there is less concern about delivery DO> integrity, and so related DSNs should be tossed. Being done within

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Edward B. Dreger
MS> Date: Sat, 10 Dec 2005 22:54:24 +1100 MS> From: Matthew Sullivan MS> RFC 2821 states explicitly that once the receiving server has issued a 250 MS> Ok to the end-of-data command, the receiving server has accepted MS> responsibility for either delivering the message or notifying the sender MS

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Rich Kulawiec
On Fri, Dec 09, 2005 at 09:03:10AM -0800, Douglas Otis wrote: > There is a solution you can implement now that gets rid of these tens of > thousands of virus and abuse laden DSNs you see every day before the > data phase. BATV is not a solution. It's a band-aid. It fails to address the underlyi

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Jon Lewis
On Sat, 10 Dec 2005, Douglas Otis wrote: With the high prevalence of viruses having a forged return-path, the concern is largely about _false_ detections. These are not actual numbers, but perhaps more realistic than figures suggested previously. Imagine the false positive error rate for an em

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Douglas Otis
On Sat, 2005-12-10 at 15:40 +0100, JP Velders wrote: > *any* anti-virus vendor has not only signatures of a specific virus > but also a good understanding of what the virus does and how it > spreads. If the vendor doesn't, well, they'd better retire from the AV > business, because as a vendor

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Todd Vierling
On Fri, 9 Dec 2005, Douglas Otis wrote: > When there is some percentage of false-positive detection, I'm *loving* your crack-induced comedy. Troll it up, bay-bee! Show me the false positive rate. If you can prove any site with more than 0.1% FP on malware detection with any off the shelf

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Robert Bonomi
> From [EMAIL PROTECTED] Sat Dec 10 06:58:38 2005 > Date: Sat, 10 Dec 2005 12:57:34 + (GMT) > From: "Stephen J. Wilcox" <[EMAIL PROTECTED]> > Subject: Re: SMTP store and forward requires DSN for integrity (was > Re:Clueless > anti-virus ) > > >

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread JP Velders
> Date: Fri, 9 Dec 2005 15:08:49 -0800 > From: Douglas Otis <[EMAIL PROTECTED]> > Subject: Re: SMTP store and forward requires DSN for integrity > On Dec 9, 2005, at 1:12 PM, Todd Vierling wrote: > > [ ... ] > > I have not requested the virus "warnings"

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Stephen J. Wilcox
On Sat, 10 Dec 2005, Matthew Sullivan wrote: > Please remember people.. > > RFC 2821 states explicitly that once the receiving server has issued a > 250 Ok to the end-of-data command, the receiving server has accepted > responsibility for either delivering the message or notifying the sender

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Matthew Sullivan
Robert, sorry I missed the full conversation, and don't have time to read the whole thread, but based on your mail alone a few words of agreement... Please remember people.. RFC 2821 states explicitly that once the receiving server has issued a 250 Ok to the end-of-data command, the receivi

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Brandon Butterworth
This is a pointless argument, please stop. There are those who think they are right in spamming people with reports of a virus they didn't send and the rest of the planet who think they are mad and wish they'd get a clue. > As the recipient of the DSN is _always_ the best > judge whether the DSN

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Douglas Otis
On Dec 9, 2005, at 4:09 PM, Robert Bonomi wrote: 1) Malware detection has a 0% false positive. If there is a 'false positive' detecting malware, it is a near certainty that the "legitimate" message so classified does *NOT* have a FORGED ADDRESS. When there is some percentage of false

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread JC Dill
Douglas Otis wrote: On Dec 9, 2005, at 1:12 PM, Todd Vierling wrote: None of these are my problem. I am a non-involved third party to the malware detection software, so I should not be a party to its outgoing spew. I have not requested the virus "warnings" (unsolicited), they are being se

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Todd Vierling
On Fri, 9 Dec 2005, Douglas Otis wrote: > > None of these are my problem. I am a non-involved third party to the > > malware detection software, so I should not be a party to its outgoing spew. > This is a third-party acting in good faith, Wow, you're one twisted individual. Can I have a hit

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Robert Bonomi
> From [EMAIL PROTECTED] Fri Dec 9 17:10:00 2005 > Cc: "Steven J. Sobol" <[EMAIL PROTECTED]>, "Geo." <[EMAIL PROTECTED]>, > nanog@merit.edu > From: Douglas Otis <[EMAIL PROTECTED]> > Subject: Re: SMTP store and forward requires DSN

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Robert Bonomi
> From [EMAIL PROTECTED] Fri Dec 9 13:59:30 2005 > nanog@merit.edu > From: Douglas Otis <[EMAIL PROTECTED]> > Subject: Re: SMTP store and forward requires DSN for integrity (was > Re:Clueless anti-virus ) > Date: Fri, 9 Dec 2005 11:58:15 -0800 > To: Todd

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Steven J. Sobol
On Fri, 9 Dec 2005, Douglas Otis wrote: > [AV notifications are] a third-party acting in good faith Perhaps in your world. Definitely not in mine. -- Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED Company website: http://JustThe.net/ Personal blog, resume, portfolio: http://St

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Douglas Otis
On Dec 9, 2005, at 1:12 PM, Todd Vierling wrote: None of these are my problem. I am a non-involved third party to the malware detection software, so I should not be a party to its outgoing spew. I have not requested the virus "warnings" (unsolicited), they are being sent via an automa

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Micheal Patterson
Cc: "Steven J. Sobol" <[EMAIL PROTECTED]>; "Geo." <[EMAIL PROTECTED]>; Sent: Friday, December 09, 2005 1:58 PM Subject: Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus ) On Dec 9, 2005, at 10:15 AM, Todd Vierling wrote:

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread JC Dill
Leaving aside from the question of if virus-infected DSNs are UBE and thus "spam" or not... Todd Vierling wrote: If you want to notify someone about a filtered malware instance, notify the intended *recipient*, and provide that user with the email address of the alleged sender. If it's a fa

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Micheal Patterson
- Original Message - From: "Douglas Otis" <[EMAIL PROTECTED]> To: "Todd Vierling" <[EMAIL PROTECTED]> Cc: "Steven J. Sobol" <[EMAIL PROTECTED]>; "Geo." <[EMAIL PROTECTED]>; Sent: Friday, December 09, 2005 1:58 PM Sub

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Micheal Patterson
- Original Message - From: "Douglas Otis" <[EMAIL PROTECTED]> To: "Todd Vierling" <[EMAIL PROTECTED]> Cc: "Steven J. Sobol" <[EMAIL PROTECTED]>; "Geo." <[EMAIL PROTECTED]>; Sent: Friday, December 09, 2005 1:58 PM Sub

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Todd Vierling
On Fri, 9 Dec 2005, Douglas Otis wrote: > > 1. Virus "warnings" to forged addresses are UBE, by definition. > > This definition would be making at least two of the following assumptions: > > 1) Malware detection has a 0% false positive. > 2) Lack of DSN for email falsely detected containing mal

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Joe Maimon
Douglas Otis wrote: On Dec 9, 2005, at 10:15 AM, Todd Vierling wrote: 1. Virus "warnings" to forged addresses are UBE, by definition. This definition would be making at least two of the following assumptions: 1) Malware detection has a 0% false positive. Near enough so that rej

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Micheal Patterson
- Original Message - From: "Matt Ghali" <[EMAIL PROTECTED]> To: "Micheal Patterson" <[EMAIL PROTECTED]> Cc: Sent: Friday, December 09, 2005 1:49 PM Subject: Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus ) On Fr

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Douglas Otis
On Dec 9, 2005, at 10:15 AM, Todd Vierling wrote: 1. Virus "warnings" to forged addresses are UBE, by definition. This definition would be making at least two of the following assumptions: 1) Malware detection has a 0% false positive. 2) Lack of DSN for email falsely detected containi

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Matt Ghali
On Fri, 9 Dec 2005, Micheal Patterson wrote: They may not have a choice if those that are being hammered with their auto-generated DSN's deem it unusually high traffic rate and simply black list the domains using these devices. AOL.com comes to mind and a few others in the recent weeks that

Re: SMTP store and forward requires DSN for integrity (wasRe:Clueless anti-virus )

2005-12-09 Thread Micheal Patterson
- Original Message - From: "Douglas Otis" <[EMAIL PROTECTED]> To: "Todd Vierling" <[EMAIL PROTECTED]> Cc: "Geo." <[EMAIL PROTECTED]>; Sent: Friday, December 09, 2005 11:03 AM Subject: RE: SMTP store and forward requires DSN for int

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Micheal Patterson
- Original Message - From: "Geo." <[EMAIL PROTECTED]> To: Sent: Friday, December 09, 2005 10:59 AM Subject: RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus ) It doesn't matter what the notifications look like. There

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Micheal Patterson
- Original Message - From: "Geo." <[EMAIL PROTECTED]> To: Sent: Friday, December 09, 2005 9:57 AM Subject: RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus ) While AV scanning may be done during the session, it would also req

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Todd Vierling
On Fri, 9 Dec 2005, Douglas Otis wrote: > > Actually, I get about ten to twenty times as much virus blowback as I get > > spam from trojan-zombie boxes. > I am having difficulty understanding why a one time investment in > Bounce-Address Tag Validation which can be in operation immediately and o

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Douglas Otis
On Dec 9, 2005, at 9:59 AM, Steven J. Sobol wrote: On Fri, 9 Dec 2005, Todd Vierling wrote: I'd like someone UNBIASED to take up his side of the discussion, please. I'm really not inclined to listen to an AV employee explain why they should be spamming us. I am not aware of any of our

Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Douglas Otis
On Dec 9, 2005, at 9:22 AM, Todd Vierling wrote: Actually, I get about ten to twenty times as much virus blowback as I get spam from trojan-zombie boxes. That's because the virus blowback comes from otherwise "reputable" MTAs, whereas the spam comes from zombies that are often already b

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Steven J. Sobol
On Fri, 9 Dec 2005, Todd Vierling wrote: > > On Fri, 9 Dec 2005, Douglas Otis wrote: > > > There is a solution you can implement now that gets rid of these tens of > > thousands of virus and abuse laden DSNs you see every day before the > > data phase. > > And it is *my* responsibility to reje

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Todd Vierling
On Fri, 9 Dec 2005, Geo. wrote: > I hear you but you and I both know AV companies are not going to give up the > automated spamming feature that easily. I don't doubt that. Their generated UBE is often commercial in nature, too, because they usually carry an advertising link along with the spew

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Todd Vierling
On Fri, 9 Dec 2005, Douglas Otis wrote: > There is a solution you can implement now that gets rid of these tens of > thousands of virus and abuse laden DSNs you see every day before the > data phase. And it is *my* responsibility to reject UBE that shouldn't have been generated in the first plac

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Steven J. Sobol
On Fri, 9 Dec 2005, Douglas Otis wrote: > There is a solution you can implement now that gets rid of these tens of > thousands of virus and abuse laden DSNs you see every day before the > data phase. Why should the burden/cost/hassle be placed on me to do this? In many cases, it isn't even on

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Steven J. Sobol
On Fri, 9 Dec 2005, Geo. wrote: > I hear you but you and I both know AV companies are not going to give up the > automated spamming feature that easily. Then maybe we should bring market pressure to bear on them. Personally, I run Exim and ClamAV and don't have that problem. If they're going to

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Douglas Otis
On Fri, 2005-12-09 at 11:16 -0500, Todd Vierling wrote: > On Fri, 9 Dec 2005, Geo. wrote: > > > If everyone would just standardize on at least the first part of every virus > > notification being the same thing, say: > > > > XXX VIRUS NOTIFICATION: blah blah blah > > > > where XXX is some error

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Geo.
>>It doesn't matter what the notifications look like. There is no reason that my SMTP server should be subject to more than TEN THOUSAND of these damned things every day, << I hear you but you and I both know AV companies are not going to give up the automated spamming feature that easily. A sta

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Todd Vierling
On Fri, 9 Dec 2005, Geo. wrote: > If everyone would just standardize on at least the first part of every virus > notification being the same thing, say: > > XXX VIRUS NOTIFICATION: blah blah blah > > where XXX is some error number, we could all easily control virus > notifications at the receivi

RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-09 Thread Geo.
>>While AV scanning may be done during the session, it would also require additional steps to also contain _all_ upstream activity within the same session as well, when attempting to achieve an apparent point-to-point operation. If SMTP were point-to-point, this would be evolving into the IM mode

SMTP store and forward requires DSN for integrity (was Re: Clueless anti-virus )

2005-12-09 Thread Douglas Otis
On Fri, 2005-12-09 at 09:25 +, Simon Waters wrote: > But the point of this discussion is that SMTP will have to evolve to be a > point to point system (or functional equivalent). The days of store and > forward in intermediate MTAs should die as quickly as possible (which as our > forwardi