Date:      Thu, 12 Jun 2003 22:47:10 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        chat@FreeBSD.org
Subject:   Re: Antivirus for (mailservers on) FreeBSD
Message-ID:  <3EE93B2E.4020309@potentialtech.com>
In-Reply-To: <a0600120bbb0ee73f012c@[10.0.1.2]>
References:  <5.2.1.1.2.20030612202321.02e28008@194.184.65.4> <20030612193524.GA31199@grumpy.dyndns.org> <3EE8DB83.4040609@potentialtech.com> <200306122006.55906.dkelly@HiWAAY.net> <3EE933E1.9080503@potentialtech.com> <a0600120bbb0ee73f012c@[10.0.1.2]>

Brad Knowles wrote:
> At 10:16 PM -0400 2003/06/12, Bill Moran wrote:
> 
>>  Additionally, you want to scan ALL emails for malware, so if something
>>  sneaks in off a floppy or something it doesn't run rampant throughout
>>  the company email system,
> 
>     True.
> 
>>                            while scanning outgoing emails for spam is
>>  simply a waste of CPU cycles.
> 
>     False.  You can be held liable (including criminal liability) if you 
> could have reasonably prevented something like this, and chose not to.  
> Moreover, the damage to your reputation for being known as someone 
> infecting other people with viruses/worms/Trojan Horses/etc... could be 
> incalculable.

Huh?

Here you are saying that spam filtering is the same as malware filtering.
Or, at least, that's the best I can understand what you've written.

>     What is different about outgoing vs. incoming e-mail, with respect 
> to viruses, is that you always want to inform the internal person that a 
> message with a suspected virus was found, and you may (or may not) want 
> to inform the outside people.  In one case, the insiders are the
> recipients, in the other case, they are the sender(s).

Notifying senders is spam.  Most newer malware sends emails with random
"From" addresses, lifted from the user's address book or elsewhere.  If you
send notifications to the "From" email, you're simply contributing to the
spam problem.

Unfortunate, but true.  The only reliable way to notify the correct person
is to parse the received headers for the originating server's IP and look up
the abuse address for that machine and report to it.  I use spamcop for that.

Hell ... notifying recipients is usually spam.  Most people don't care that
the server blocked an infected email.  Your boss might be impressed to get
lots of emails showing what a good job your malware filter is doing, but if
you need to do that for your boss to appreciate you, look for other work.

>     Also, if you catch all outbound e-mail, then you stop virus floods 
> before they start (assuming they're recognized).

True.  That's why you scan _every_ email for malware.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
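An added example for the point above about parsing the Received headers rather than trusting the "From" address. This is not code from the message or from any FreeBSD project; TRUSTED_RELAYS and the sample message are constructed for the illustration, and the regex is a heuristic for the common "from host (host [ip])" form. It walks back from our own MTA through the hops we operate and stops at the first hop we do not, ignoring everything older, since the sender controls those headers; if every hop is ours, the source is an internal host and the internal person is the one to tell.

```python
"""
Walk the Received: headers of a rejected message to find the originating
relay's IP. Added example for this thread, not code from the original
message; TRUSTED_RELAYS and the sample message below are constructed.
"""
import ipaddress
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Hypothetical: networks of the relays we operate. Received: headers added
# by these hosts are trusted; anything older in the chain may be forged.
TRUSTED_RELAYS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Heuristic: the first bracketed IPv4 literal in the "from ..." clause of a
# Received: header is the address the relay actually saw on the socket.
_FROM_IP = re.compile(r"\bfrom\b[^;\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)


def hop_ips(raw_message: str) -> List[Optional[ipaddress.IPv4Address]]:
    """Return one entry per Received: header, newest hop first (the order
    they appear in, since each relay prepends its own header). None marks
    a header with no parseable source IP."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _FROM_IP.search(hdr)
        ips.append(ipaddress.ip_address(m.group(1)) if m else None)
    return ips


def classify_origin(raw_message: str,
                    trusted=TRUSTED_RELAYS) -> Tuple[str, Optional[str]]:
    """Start at our own MTA and walk back through hops we trust; the first
    hop outside our relays is the originating server. Headers older than
    that are ignored: the sender controls them. Returns ("external", ip),
    ("internal", None) if every hop is ours (an infected local host), or
    ("unknown", None) if a header in the trusted chain cannot be parsed."""
    for ip in hop_ips(raw_message):
        if ip is None:
            return ("unknown", None)
        if any(ip in net for net in trusted):
            continue
        return ("external", str(ip))
    return ("internal", None)


# Constructed sample: a worm on 203.0.113.5 sends mail with a forged From:
# and a forged bottom Received: line naming an innocent third party.
SAMPLE = """\
Received: from relay2.example.com (relay2.example.com [192.0.2.20])
\tby mx.example.com (Postfix) with ESMTP id 1A2B3C
\tfor <victim@example.com>; Thu, 12 Jun 2003 22:47:10 -0400
Received: from mail.isp.test (mail.isp.test [203.0.113.5])
\tby relay2.example.com (Postfix) with ESMTP id 4D5E6F; Thu, 12 Jun 2003 22:47:08 -0400
Received: from innocent.example.org (innocent.example.org [198.51.100.7])
\tby mail.isp.test with SMTP; Thu, 12 Jun 2003 22:47:00 -0400
From: innocent.user@example.org
To: victim@example.com
Subject: your document

(infected attachment would be here)
"""

if __name__ == "__main__":
    kind, ip = classify_origin(SAMPLE)
    claimed = message_from_string(SAMPLE)["From"]
    # The From: address is printed only to show it is never the report target.
    print(f"origin: {kind} {ip or ''}  (From: claims {claimed}; not notified)")
```

The abuse-contact lookup for the returned IP (whois, or a service such as spamcop as in the message above) is deliberately left out so the block runs offline; the "unknown" result is the safe failure mode, since guessing past an unparseable hop would let a forged header pick the report target.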