North American Network Operators Group


Re: antivirus in smtp, good or bad?

  • From: Joe Maimon
  • Date: Tue Feb 03 10:17:56 2004

Daniel Senie wrote:

> At 08:58 AM 2/3/2004, you wrote:
>
> > Why must systems accept mail that's virus laden or otherwise not desired at a site?
>
> The "bounce" you refer to invariably ends up going to the wrong person(s), so that's an exceptionally BAD idea. Many viruses (most of the recent ones) forge the sender information. So either accepting and silently dropping, or rejecting the SMTP session with a 55x are the only viable choices.

What you are saying is that every mailhost on the Internet should run up-to-date and efficient virus scanning? Pattern matching and header filtering? Should the executable attachment become outlawed on the Internet? Recognize when a "to be bounced email" is a spoof and discard the DSN?

Will the concept of SMTP relaying die? Should the "bounce" become archaic?

Perhaps SPF/RMX or the "mail from" smtp callbacks would help eliminate the spoofed sender problem?

That could significantly raise the bar on MTA costs. Pattern matching on headers/attachments, while not strictly speaking 100% accurate (are emails with subject line of "Hi!" permitted on the Internet anymore?), is usually performance sensitive.
However there is the issue of manual intervention required to keep things up to date and as we know constant care and feeding of systems by admins is not cheap.

Full blown signature based virus scanning, while automated, is NOT performance sensitive. Any sufficiently large MX will see a big hit if they perform that. In many cases the virus scanning rate will become the practical bottleneck.

And we all know that SPF is on public trial now. We can watch and see. However, until you reject non-SPF email, it is unlikely to eliminate the spoofed email from hitting your spools.

SMTP call backs? Wasn't there some b*tching about that here recently?

Besides, even with signature based virus scanning, updates can occur slowly enough to allow a virus enough time to spread. Being that the case with many installed antivirus systems is updates maybe daily, it should not be a surprise how all these supposedly protected edge sites managed to get some infections. The alternative is to DOS the AV vendor.

As I tell my customers, just delete the undeliverable notices if they do not apply to you. One day, Mozilla/Thunderbird or others might even run that through a "references a message I sent?" check for you.

I do not think it is so simple.

On a positive note, I believe that MTAs are standardizing the feature of separate timeouts for DSN emails. That should lower spool sizes.
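The "references a message I sent?" check suggested above, written out as an added example that is not part of the thread: it parses a DSN (RFC 3464 multipart/report), collects the Message-IDs the report refers to, and compares them with a log of IDs this site actually emitted. SENT_LOG and SAMPLE_DSN are constructed for the demo, and the delivery-status part of the report is left out for brevity.

```python
import email

# Constructed: Message-IDs our outbound MTA logged as having been sent.
SENT_LOG = {"<20040203.1234@example.net>"}

# Constructed sample: a bounce for a virus-laden message that forged one of our
# users as sender. The message/delivery-status part is omitted to keep it short.
SAMPLE_DSN = b"""From: MAILER-DAEMON@mx.example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Your message to nobody@example.org could not be delivered (5.1.1).
--B
Content-Type: message/rfc822

Message-ID: <forged.0001@example.net>
From: victim@example.net
Subject: Hi!

(body omitted)
--B--
"""


def referenced_message_ids(raw_dsn: bytes) -> set:
    """Message-IDs the DSN claims to be about: In-Reply-To/References on the
    DSN itself plus the Message-ID of the returned original (RFC 3464 third
    part, carried as message/rfc822 or text/rfc822-headers)."""
    msg = email.message_from_bytes(raw_dsn)
    ids = set()
    for hdr in ("In-Reply-To", "References"):
        ids.update(msg.get(hdr, "").split())
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)  # the embedded original message
        elif ctype == "text/rfc822-headers":
            inner = email.message_from_bytes(part.get_payload(decode=True))
        else:
            continue
        if inner.get("Message-ID"):
            ids.add(inner["Message-ID"].strip())
    return ids


def is_backscatter(raw_dsn: bytes, sent_log=SENT_LOG) -> bool:
    """True when the DSN references nothing we actually sent, i.e. it bounces
    a forged message and can be discarded instead of bothering the user."""
    return not (referenced_message_ids(raw_dsn) & sent_log)
```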