North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Clueless anti-virus products/vendors (was Re: Sober)

  • From: Douglas Otis
  • Date: Mon Dec 05 20:39:16 2005

On Dec 4, 2005, at 8:04 PM, Steven M. Bellovin wrote:

 "Church, Chuck" writes:

The ideal solution would be for the scanning software to send a warning only if the virus detected is known to use real addresses, otherwise it won't warn.
A-V companies are in the business of analyzing viruses. They should *know* how a particular virus behaves.
It is common to find detailed descriptions offered by the company that indicates the behavior of the detected virus, which often includes spoofing the bounce-address. A less than elegant solution as an alternative to deleting the message, is to hold the data phase pending the scan. Another solution would be not returning message content within a DSN. This would mitigate the distribution of viruses, as well as forged bounce-addresses sent to a backup MTAs as a method for bypassing black-hole lists. Would changing what is returned within a DSN in all cases be a solution?