North American Network Operators Group


Re: antivirus in smtp, good or bad?

  • From: Suresh Ramasubramanian
  • Date: Tue Feb 03 10:34:34 2004

Joe Maimon [2/3/2004 8:43 PM]:

> What you are saying is that every mailhost on the Internet should run up to date and efficient virus scanning? Pattern matching and header filtering? Should the executable attachment become outlawed on the Internet? Recognize when a "to be bounced email" is a spoof and discard the DSN?
You are going to an extreme there I'm afraid ... I do agree that exaggeration helps stress a point, but ...

> That could significantly raise the bar on MTA costs. Pattern matching on headers/attachments, while not strictly speaking 100% accurate (are emails with a subject line of "Hi!" permitted on the Internet anymore?), is usually performance sensitive.
Not always - limit it to two or three things like

1. Deny attachments with known "bad" extensions

2. Check for the patterns of the "flavor of the month" virus

3. Apply as many other rules as possible to reject the mail (checks for fake / spoofed helo etc) _before_ the mail gets to the virus scanning / pattern matching stage

> However, there is the issue of manual intervention required to keep things up to date, and as we know constant care and feeding of systems by admins is not cheap.
Cron does help, and so do a few other things ...

> Full-blown signature-based virus scanning, while automated, is NOT performance sensitive. Any sufficiently large MX will see a big hit if they perform that. In many cases the virus scanning rate will become the practical bottleneck.
It is a tradeoff. Is that the bottleneck, or are your systems and bandwidth being choked with virus mails, and double bounces because of undeliverable virus mail (say in the case of .forward users), the bottleneck?

> As I tell my customers, just delete the undeliverable notices if they do not apply to you. One day, Mozilla/Thunderbird or others might even run that through a "references a message I sent?" check for you.
Mozilla / Thunderbird is nice, but using it to fetch your mail when dialed in long distance from a hotel room is not nice, when almost all the mail is viruses, virus notifications or virus mail that gets sent on, but with the malware removed from it so that your scanner can't catch the email.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
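A worked illustration of the staged approach described in the reply above (reject on cheap checks first, deny attachments with known bad extensions, pattern-match the current worm, and only then spend cycles on a full signature scan), written as an added example; it is not part of the original thread and not Outblaze's or any MTA's code. The hostnames, the extension denylist, the subject/body pattern and the "signature" database are all constructed stand-ins labelled as such in the code; the pattern is not the signature of any real worm, and the SHA-256 denylist stands in for whatever scanner a site actually runs.

```python
"""Staged SMTP-time mail filter: cheapest rejections first, the costly
signature scan last, so most junk never reaches the expensive stage.
Added example; all policy values and patterns below are constructed."""
import hashlib
import re
from dataclasses import dataclass
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Optional

# Stage 1: HELO sanity. Assumed local hostnames (constructed).
OUR_HOSTNAMES = {"mx1.example.net", "mx2.example.net"}
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
BRACKETED_IP_RE = re.compile(r"^\[\d{1,3}(\.\d{1,3}){3}\]$")

# Stage 2: attachment extension denylist (assumed site policy, not exhaustive).
BAD_EXTENSIONS = {"exe", "pif", "scr", "bat", "com", "cmd", "vbs", "js", "lnk"}

# Stage 3: "flavor of the month" pattern. Constructed for this example;
# it is not the signature of any real worm.
FLAVOR_SUBJECT_RE = re.compile(r"^(hi!|hello|thank you!)$", re.I)
FLAVOR_BODY_RE = re.compile(r"please see the attached file", re.I)

# Stage 4: full signature scan, stood in for by a SHA-256 denylist that is
# derived from a constructed payload so the example runs offline.
BAD_PAYLOAD = b"MZ\x90\x00constructed-sample-not-real-malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_PAYLOAD).hexdigest()}


@dataclass
class Verdict:
    accepted: bool
    stage: str    # the stage that decided
    reason: str


def check_helo(helo: str, client_ip: str) -> Optional[str]:
    """Pre-DATA check: reject obviously forged HELO names before any scanning."""
    h = helo.strip().lower()
    if h in OUR_HOSTNAMES:
        return "HELO claims to be one of our own hosts"
    if BRACKETED_IP_RE.match(h):
        return None if h == f"[{client_ip}]" else "HELO address literal does not match connecting IP"
    if not FQDN_RE.match(h):
        return "HELO is not a fully qualified hostname"
    return None


def final_extension(filename: str) -> str:
    # Windows drops trailing dots/spaces, so "bad.exe. " still runs as bad.exe.
    name = filename.rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def check_extensions(msg) -> Optional[str]:
    for part in msg.walk():
        name = part.get_filename()
        if name and final_extension(name) in BAD_EXTENSIONS:
            return f"attachment {name!r} has denied extension .{final_extension(name)}"
    return None


def body_text(msg) -> str:
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk()
                     if p.get_content_type() == "text/plain" and not p.get_filename())


def check_pattern(msg) -> Optional[str]:
    subject = (msg["Subject"] or "").strip()
    if FLAVOR_SUBJECT_RE.match(subject) and FLAVOR_BODY_RE.search(body_text(msg)):
        return "matches flavor-of-the-month subject/body pattern"
    return None


def check_signatures(msg) -> Optional[str]:
    # The expensive stage: hash every attachment and look it up.
    for part in msg.walk():
        if part.get_filename():
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                return f"attachment {part.get_filename()!r} matches signature {digest[:12]}"
    return None


def filter_message(raw: bytes, helo: str, client_ip: str) -> Verdict:
    """Run the stages cheapest-first and stop at the first rejection."""
    reason = check_helo(helo, client_ip)
    if reason:
        return Verdict(False, "helo", reason)
    msg = message_from_bytes(raw)
    for stage, check in (("extension", check_extensions),
                         ("pattern", check_pattern),
                         ("signature", check_signatures)):
        reason = check(msg)
        if reason:
            return Verdict(False, stage, reason)
    return Verdict(True, "signature", "passed all stages")


def build_sample(subject, body, filename=None, payload=b"") -> bytes:
    """Constructed test message, not captured traffic."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.org", "user@example.net", subject
    msg.attach(MIMEText(body))
    if filename:
        part = MIMEApplication(payload, Name=filename)
        part["Content-Disposition"] = f'attachment; filename="{filename}"'
        msg.attach(part)
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [
        ("mx1.example.net", build_sample("Report", "fyi")),
        ("mail.example.org", build_sample("Report", "fyi", "invoice.pdf.exe. ", b"MZ")),
        ("mail.example.org", build_sample("Hi!", "Please see the attached file.", "photo.jpg", b"\xff\xd8")),
        ("mail.example.org", build_sample("Photos", "from the trip", "photo.jpg", BAD_PAYLOAD)),
        ("mail.example.org", build_sample("Photos", "from the trip", "photo.jpg", b"\xff\xd8")),
    ]
    for helo, raw in cases:
        v = filter_message(raw, helo, "203.0.113.5")
        print(f"{'ACCEPT' if v.accepted else 'REJECT':6} [{v.stage}] {v.reason}")
```

Only the last sample reaches the hashing stage; the others are refused by a header comparison, a filename check or a regex, which is the cost argument in the reply above made concrete. The trailing-dot handling in `final_extension` is the kind of detail a denylist needs, since a filename that looks harmless to a naive split still executes once Windows strips the padding.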