Date: Thu, 12 Jun 2003 22:47:10 -0400
From: Bill Moran
To: chat@FreeBSD.org
Subject: Re: Antivirus for (mailservers on) FreeBSD

Brad Knowles wrote:
> At 10:16 PM -0400 2003/06/12, Bill Moran wrote:
>
>> Additionally, you want to scan ALL emails for malware, so if something
>> sneaks in off a floppy or something it doesn't run rampant throughout
>> the company email system,
>
> True.
>
>> while scanning outgoing emails for spam is
>> simply a waste of CPU cycles.
>
> False. You can be held liable (including criminal liability) if you
> could have reasonably prevented something like this, and chose not to.
> Moreover, the damage to your reputation for being known as someone
> infecting other people with viruses/worms/Trojan Horses/etc... could be
> incalculable.

Huh? Here you are saying that spam filtering is the same as malware
filtering. Or, at least, that's the best I can understand what you've
written.

> What is different about outgoing vs. incoming e-mail, with respect
> to viruses, is that you always want to inform the internal person that a
> message with a suspected virus was found, and you may (or may not) want
> to inform the outside people. In one case, the insiders are the
> recipients, in the other case, they are the sender(s).

Notifying senders is spam. Most newer malware sends emails with random
"From" addresses, lifted from the user's address book or elsewhere. If you
send notifications to the "From" email, you're simply contributing to the
spam problem. Unfortunate, but true. The only reliable way to notify the
correct person is to parse the received headers for the originating
server's IP and look up the abuse address for that machine and report to
it. I use spamcop for that.

Hell ... notifying recipients is usually spam. Most people don't care that
the server blocked an infected email. Your boss might be impressed to get
lots of emails showing what a good job your malware filter is doing, but if
you need to do that for your boss to appreciate you, look for other work.

> Also, if you catch all outbound e-mail, then you stop virus floods
> before they start (assuming they're recognized).

True. That's why you scan _every_ email for malware.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
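
The Received-header approach described in the message above, as an added example that is not part of the original post: it walks the headers from the newest hop down and returns the first peer address that is not one of our own relays. The relay set, host names and sample message are constructed assumptions; looking up the abuse contact for the returned address needs a network query and is left out.

```python
import email
import ipaddress
import re

# Assumption: addresses of the relays we operate ourselves (constructed value).
OUR_RELAYS = {ipaddress.ip_address("192.0.2.10")}

# Peer address as stamped by the receiving MTA: "from helo (rdns [ip]) by ..."
PEER_RE = re.compile(r"^\s*from\s[^\[\]]*\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def handoff_ip(raw_message, our_relays=OUR_RELAYS):
    """Return the address that handed the message to our infrastructure.

    Received headers are prepended, so the first one was written by our own
    server. A header further down is believed only while the peer recorded
    above it is one of our relays; anything below that point was supplied by
    the sender and may be forged, just like the From: address.
    """
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = PEER_RE.search(header)
        if not match:
            return None  # local submission or a hop we cannot parse
        try:
            peer = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None  # bracketed text was not a valid address
        if peer not in our_relays:
            return peer  # first hop outside our control
    return None  # message never left our own relays

# Constructed sample: the bottom header and the From: line are what an
# infected machine could fabricate; the two headers above it are ours.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby hub.example.org (Postfix) with ESMTP id AAAA
Received: from pc.isp.example (pc.isp.example [203.0.113.77])
\tby mx1.example.org (Postfix) with ESMTP id BBBB
Received: from mail.bank.example (mail.bank.example [198.51.100.5])
\tby pc.isp.example with SMTP id CCCC
From: someone@bank.example
Subject: constructed sample

body
"""
```

Calling `handoff_ip(SAMPLE)` yields the address recorded by our own relay, not the one claimed in the sender-supplied header beneath it.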