Date:      Fri, 13 Jun 2003 20:19:53 +0200
From:      Brad Knowles <brad.knowles@skynet.be>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        chat@FreeBSD.org
Subject:   Re: Antivirus for (mailservers on) FreeBSD
Message-ID:  <a0600120ebb0fc472d93c@[10.0.1.2]>
In-Reply-To: <3EE93B2E.4020309@potentialtech.com>
References:  <5.2.1.1.2.20030612202321.02e28008@194.184.65.4> <20030612193524.GA31199@grumpy.dyndns.org> <3EE8DB83.4040609@potentialtech.com> <200306122006.55906.dkelly@HiWAAY.net> <3EE933E1.9080503@potentialtech.com> <a0600120bbb0ee73f012c@[10.0.1.2]> <3EE93B2E.4020309@potentialtech.com>

At 10:47 PM -0400 2003/06/12, Bill Moran wrote:

>  Here you are saying that spam filtering is the same as malware filtering.
>  Or, at least, that's the best I can understand what you've written.

	Actually, I was thinking about doing anti-malware scanning on 
outgoing e-mail as opposed to anti-spam scanning, but now that I 
think about it some more, I think the statement still holds true.

	If one of your users spams a whole bunch of people on the 'net, 
what with the net anti-spam laws coming out that allow the recipients 
to file lawsuits for $1000 damages per spam (or whatever), and the 
fact that they're much more likely to get their money from a company 
(i.e., you) as opposed to a single individual, you are highly likely 
to be named as a co-defendant in their suit, if nothing else.

	So, yes.  You need to do anti-malware *AND* anti-spam scanning on 
all incoming and outgoing e-mail.

>  Notifying senders is spam.  Most newer malware sends emails with random
>  "From" addresses, lifted from the users address book or elsewhere.  If you
>  send notifications to the "From" email, you're simply contributing to the
>  spam problem.

	Some does, some doesn't.  This is why you need to have 
intelligent scanning tools that not only detect whether this is 
incoming versus outgoing e-mail, but also check to see if the claimed 
sender address is internal or not.

>  Unfortunate, but true.  The only reliable way to notify the correct person
>  is to parse the received headers for the originating server's IP and look up
>  the abuse address for that machine and report to it.  I use spamcop for that.

	You can't trust the headers.  The only thing you can trust is the 
information you collect yourself, namely the machine that sent the 
spam to you.  That needs to be your ultimate guide for what you do 
with the machine, if all else fails.

>  Hell ... notifying recipients is usually spam.  Most people don't care that
>  the server blocked an infected email.  Your boss might be impressed to get
>  lots of emails showing what a good job your malware filter is doing, but if
>  you need to do that for your boss to appreciate you, look for other work.

	Most people want to get periodic reports, if not notified for 
every blocked message.  They might also want to have the messages 
held in a queue for a period of time, long enough for them to see the 
reports and go take some action to cause a message to get un-stuck, 
in case it was accidentally flagged and stopped.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a0600120ebb0fc472d93c>
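The two points Brad makes above (decide whether a flagged message is incoming or outgoing and whether the claimed sender is one of yours before notifying anyone, and trust only the connecting IP your own relays recorded rather than the Received: chain) can be expressed as a small policy routine. The following is an added example written for this page; it is not code from the thread, from Brad, or from any FreeBSD package. The site configuration (INTERNAL_DOMAINS, INTERNAL_NETWORKS, OUR_MTAS) and both sample messages are constructed for illustration.

```python
"""Added example: classify a flagged message and decide whom (if anyone) to
notify, using only what the local MTAs recorded.  Site configuration and
sample messages below are constructed; they are not from the thread."""
import ipaddress
import re
from email import message_from_string

# Hypothetical site configuration (assumptions, not from the page).
INTERNAL_DOMAINS = {"example.org"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
# Hosts whose Received: lines we wrote ourselves and therefore trust.
OUR_MTAS = {"mx1.example.org", "smtp.example.org"}

_FROM_BY = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)")
_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received(value):
    """Return (by_host, client_ip) from one Received: header, or None."""
    m = _FROM_BY.match(" ".join(value.split()))
    if not m:
        return None            # e.g. "Received: by host" (local submission)
    addr = _ADDR.search(m.group("paren") or "")
    if not addr:
        return None
    try:
        return m.group("by").lower().rstrip("."), ipaddress.ip_address(addr.group(1))
    except ValueError:
        return None


def is_internal_ip(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def origin_ip(msg):
    """Walk Received: headers top-down (newest first) and return the first
    client IP outside our network that one of OUR_MTAS recorded.  Headers
    below that hop were written by other people and may be forged, so they
    are never consulted.  A message that never left our network yields the
    last internal client seen (the submitting workstation)."""
    last = None
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None or parsed[0] not in OUR_MTAS:
            break              # not written by us: trust ends here
        last = parsed[1]
        if not is_internal_ip(last):
            return last        # the machine that handed the mail to us
    return last


def decide(raw_message, envelope_from):
    """Direction and notification policy for one flagged message."""
    msg = message_from_string(raw_message)
    ip = origin_ip(msg)
    sender_internal = envelope_from.rpartition("@")[2].lower() in INTERNAL_DOMAINS
    outgoing = ip is not None and is_internal_ip(ip)
    our_user = outgoing and sender_internal
    return {
        "direction": "outgoing" if outgoing else "incoming",
        "origin_ip": str(ip) if ip else None,
        "sender_internal": sender_internal,
        # Tell the claimed sender only when the mail really came from one of
        # our machines and the sender is one of our addresses; anything else
        # risks backscatter to a forged address lifted from an address book.
        "notify_sender": our_user,
        # Otherwise the only party we can identify is the connecting host.
        "report_to": None if our_user else (str(ip) if ip else None),
    }


# Constructed: inbound worm mail with a forged internal From: and a forged
# third Received: line that claims to have passed through our own relay.
FORGED_INBOUND = """\
Received: from mx1.example.org (mx1.example.org [10.1.1.5])
    by smtp.example.org (Postfix) with ESMTP id 1A2B3C
    for <alice@example.org>; Fri, 13 Jun 2003 20:19:53 +0200
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx1.example.org (Postfix) with ESMTP id 4D5E6F
    for <alice@example.org>; Fri, 13 Jun 2003 20:19:52 +0200
Received: from bob-pc (bob-pc.example.org [192.168.1.20])
    by mx1.example.org (Postfix) with ESMTP id FORGED
From: bob@example.org
To: alice@example.org
Subject: your document

see attached
"""

# Constructed: mail submitted by an internal workstation, bound outside.
OUTBOUND = """\
Received: from bob-pc (bob-pc.example.org [192.168.1.20])
    by smtp.example.org (Postfix) with ESMTP id 7G8H9I
    for <carol@example.net>; Fri, 13 Jun 2003 20:20:10 +0200
From: bob@example.org
To: carol@example.net
Subject: report

see attached
"""

if __name__ == "__main__":
    for name, raw in (("forged inbound", FORGED_INBOUND), ("outbound", OUTBOUND)):
        print(name, decide(raw, "bob@example.org"))
```

The walk in origin_ip stops at the first hop our own relay did not write, so the forged bottom Received: line in FORGED_INBOUND (which claims an internal workstation handed the message to mx1) is never used; the attributable host is 203.0.113.7, the one our MX actually accepted the connection from. The same routine classifies OUTBOUND as genuinely ours, which is the only case in which notifying the sender address is safe.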