Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.


News and Announcements This is where you can read announcements regarding Vortech Inc.

  #16  
Old 02-18-2004, 01:13 AM
Bladesnitz
Guest
 
If they send you an infected Word file, be glad you don't get it, to open it, and infect yourself. Thus the infection stops. And for the .0001% of virus emails that will actually to a person who knowingly sent an email, it's not worth the traffic.
  #17  
Old 02-18-2004, 01:15 AM
logic404
Vortech Inc. Customer

Location: Melbourne, Australia
It was the ".0001%" number I was looking for - I just wasn't sure whether it was something that was likely to happen or very unlikely to happen. Thanks!
  #18  
Old 02-18-2004, 01:18 AM
Silverbug
Custom Built Solutions
Vortech Inc. Customer

Location: AK, New Zealand
I think what we need is to be at least told that we were going to receive an email from that person. That way we can get them to try and send it again, instead of the email just "disappearing into cyber space". That would be my biggest concern, having a client send me an email, only to get deleted, and I never know about them sending me it. And then them getting angry 'cause I haven't replied/actioned it.

However then you run into the MyDoom problem again. :/ hmmm Maybe we could be given the option to receive an email or not. Like the delete or tag as spam option in SpamAssassin?
__________________
Paul Foley
Sniper Systems Ltd


Last edited by Silverbug : 02-18-2004 at 01:22 AM.
  #19  
Old 02-18-2004, 01:21 AM
logic404
Vortech Inc. Customer

Location: Melbourne, Australia
Quote:
Originally Posted by Silverbug
I think what we need is to be at least told that we were going to receive an email from that person. That way we can get them to check again, instead of the email just "disappearing into cyber space"

However then you run into the MyDoom problem again. :/ hmmm

What about having an option, that was off by default, for notification? So you'd only turn it on if you were actually interested, and thought you might miss something important. I guess the assumption being that if you're going to turn it on, you're then not going to get all freaked out about all the bounce emails during a virus peak. Dunno. Just a thought. I will, as always, place my faith in the decision makers at Matrix!!
  #20  
Old 02-18-2004, 02:26 AM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer

Location: New Zealand (Wellington)
Quote:
And about bounces, quarantine, etc. Think about it... How many bounce messages did YOU get from MyDoom ... 100% from your email address being spoofed by the virus sender.
We are talking potentially legitimate emails here, not some crap with spoofed headers. If only 0.0001% of legitimate emails contain a virus are stopped then the added traffic caused by bouncing (just) them is also going to be pretty inconsequential (I realise the script won't be able to differentiate between legitimate and non-legitimate, though with the RBLs added it should help). Of course the total impact depends on just what the % of non-legitimate emails you're seeing processed and blocked because they contained a virus .. personally I'm seeing almost zero spam nowadays that contains a virus anyway.

I'm still suggesting the original email get dropped, but a message sent in return sort of like the waffle SA sends attached to a spam message (just without the original message attached). Just a one liner is heaps "email to xxxx was not delivered as a virus was detected".

Maybe it's not all that practical and that's fine, it's hard to really say for sure without seeing all the numbers, hence just offering some suggestions.

Last edited by Brangwyn : 02-18-2004 at 02:34 AM.
  #21  
Old 02-18-2004, 06:35 AM
jtaugher
Jack Taugher
Vortech Inc. Customer

Location: 1
Quote:
Originally Posted by Brangwyn
I'm still suggesting the original email get dropped, but a message sent in return sort of like the waffle SA sends attached to a spam message (just without the original message attached). Just a one liner is heaps "email to xxxx was not delivered as a virus was detected".

I agree -- it's nice to see these features from Matrix/Vortech -- but again not everyone agrees that just dropping the email into oblivion makes sense for those who operate businesses by email. If Vortech is messing with my emails, then we need to know.
  #22  
Old 02-18-2004, 07:37 AM
lubred
Vortech Inc. Customer
 
Good initiative. But I do not agree with dropping the mails without any notification whatsoever.

I will suggest you remove the attachment and notify the recipient that "A mail with Subject PRICE QUOTE was infected with a virus & quarantined. Mail origin: me@virus.com". With this the recipient will know what to do.

With my recent experience with {SPAM}, I have decided not to let computers take permanent actions on my behalf.
I set my {SPAM} filter to delete spam messages. I used the default of other settings. When I booked a flight from EasyJet Online, the PAX advice and the ticket info was sent by email & I never got it!!! Actually it came but was deleted by SpamAssassin. It was a legit mail but full of promotional features too.
I have since changed the setting back to just Tagging.

So, the same scenario can apply to your terminal action against suspected "viruses".
  #23  
Old 02-18-2004, 07:53 AM
johnk
Guest
 
My only comment on this, however unproductive it might be, would be for Matt:

"Damned if you do, damned if you don't".

No if's, and's, or but's about it.......Good job Matt
  #24  
Old 02-18-2004, 08:53 AM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer

Location: New Zealand (Wellington)
Quote:
"Damned if you do, damned if you don't".
Ain't that the truth!

Probably an unproductive comment too, but speaking as someone who's managed and been in a team of commercial programmers for about 15 years I can tell you that's where the importance of methodologies and development life cycles really hits home; things like determining customer requirements before writing code are vital to ensuring you don't strike that "damned if you do" feeling too often.

My comments are not to detract against the hard work Matt's done either.. as I said before someone give that man a raise, I just know from first hand experience there's nothing worse than doing a bunch of great work if it's not what the user actually wanted and you have to scrap it all.

Trying to get slightly back on topic, are there any MTA RFC rules which govern whether a bounce should be sent to the initiator on non-delivery of an email?
  #25  
Old 02-18-2004, 09:14 AM
johnk
Guest
 
Quote:
Originally Posted by Brangwyn
........there's nothing worse than doing a bunch of great work if it's not what the user actually wanted

What Matt did was in response to overwhelming demand, but not a necessity in terms of systems stability. Trying to poll and write in every client's individual preferences though, is not an option.

"You can please some of the people all of the time, all of the people some of the time.........ya-da, ya-da, ya-da"

Here's the RFC if you want to review it.......
http://rfc.sunsite.dk/rfc/rfc2821.html
  #26  
Old 02-18-2004, 10:51 AM
resell01
Vortech Inc. Customer
 
Great job!!!
  #27  
Old 02-18-2004, 02:28 PM
logic404
Vortech Inc. Customer

Location: Melbourne, Australia
Quote:
Originally Posted by johnk
What Matt did was in response to overwhelming demand...

I guess the problem there was that the "overwhelming demand" was just for "virus scanning on the server" - no-one ever suggested what should be done if a virus was found, I guess because everyone just assumed it would work the way that they were used to virus scanners working!! For me that meant dropping the attachment, but still delivering the message, for others it meant having the entire message bounce back to the originator.

But, agree with Brangwyn - our minor grumbles shouldn't detract from the fact that Matt has done a great job!
  #28  
Old 02-18-2004, 04:31 PM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer

Location: New Zealand (Wellington)
Quote:
to overwhelming demand, but not a necessity in terms of systems stability.
Still not wanting to take anything away from the work that's been done, just wondering when this "overwhelming demand" occurred, I haven't seen anyone here really screaming and shouting saying we must have virus scanning.... I don't know about the others here but it came a bit out of the blue reading Matt had spent the time putting it together.

Quote:
Trying to poll and write in every client's individual preferences though, is not an option.
You have a fairly respectable quorum of users here on the forums though, to avoid the same issues we had with SA it would be prudent to perhaps post "hey, here's our intentions, what do guys think about it" before actually doing it. Conversely, like logic404 says, I guess those demanding it should have been more precise in their demands.

The RFC seems to say if the receiving MTA accepts the message and sends an OK status to the sending MTA then if for any reason the message does not actually get delivered to a mailbox a non-delivery report should be sent to the sender of the original message.

I won't say any more on this, I already feel like a heel saying what I have after Matt spent all this time putting it together.

Last edited by Brangwyn : 02-18-2004 at 04:40 PM.
  #29  
Old 02-18-2004, 04:46 PM
Bladesnitz
Guest
 
"Overwhelming demand" would be the hundreds of phone calls we received from people who:

1) Received the actual virus hundreds of times in their mailbox

2) Received bounces saying they were infected when in fact they were not

3) Were told they were infected by people who received the virus from them

You multiply each of these three things by the millions of messages and that is an incredibly large amount of email going back n' forth. In this past MyDoom blast, the primary cause of the issue was the virus, but the bounces it created also contributed significantly to the issues many had. We were lucky in the fact that only one server started stumbling at the large numbers of emails.

Either way, if you try to send a virus, you will receive a:
"554 mail server permanently rejected virus infected message (#5.7.0)"

This isn't a bounce being generated. It's the server rejecting it. Same as if you weren't authenticated. So basically, it's dropped at SMTP. Now, if the sending MTA generates the bounce, well that's a different story.

... And don't come complaining to me the next virus outbreak when you receive thousands of bounce messages

Last edited by bigdave : 02-20-2004 at 08:33 PM.
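
Added example, not part of the thread and not Vortech's code: a small Python model of the two policies discussed here, rejecting during the SMTP session with the 554 reply quoted above versus accepting and bouncing later, that counts how many notices land on a forged sender. The `Delivery` class, the function names, the addresses and the "250 ok" reply are constructed for illustration.

```python
from dataclasses import dataclass

# Reply text quoted in the thread; all names and sample data are constructed.
REJECT = "554 mail server permanently rejected virus infected message (#5.7.0)"

@dataclass
class Delivery:
    client: str       # what opened the SMTP session: "worm" or "relay" (a real MTA)
    mail_from: str    # envelope sender as presented (forged by a worm)
    true_sender: str  # who actually originated it; the server cannot see this
    rcpt_to: str
    infected: bool

def reject_at_smtp(d):
    """Scan inside the SMTP session. Returns (reply, mail this server generates)."""
    return (REJECT, []) if d.infected else ("250 ok", [])

def accept_then_bounce(d):
    """Accept, scan afterwards, send a non-delivery notice to MAIL FROM."""
    if not d.infected:
        return "250 ok", []
    notice = f"email to {d.rcpt_to} was not delivered as a virus was detected"
    return "250 ok", [(d.mail_from, notice)]

def who_is_told(d, policy):
    """Addresses that end up holding a notice about this delivery."""
    reply, generated = policy(d)
    told = {to for to, _ in generated}
    # Modelled assumption: a relaying MTA refused with 5xx reports to its own user.
    if reply.startswith("5") and d.client == "relay":
        told.add(d.mail_from)
    return told

def misdirected(batch, policy):
    """Notices that land on someone who never sent the message (backscatter)."""
    return sum(a != d.true_sender for d in batch for a in who_is_told(d, policy))

SAMPLE = [  # constructed: three worm sessions with forged senders, two relayed mails
    Delivery("worm", "alice@example.org", "pc1@example.net", "shop@example.com", True),
    Delivery("worm", "bob@example.org", "pc1@example.net", "shop@example.com", True),
    Delivery("worm", "carol@example.org", "pc2@example.net", "info@example.com", True),
    Delivery("relay", "client@example.org", "client@example.org", "shop@example.com", True),
    Delivery("relay", "dave@example.org", "dave@example.org", "info@example.com", False),
]

if __name__ == "__main__":
    for policy in (reject_at_smtp, accept_then_bounce):
        print(policy.__name__, "misdirected notices:", misdirected(SAMPLE, policy))
```

In this model the legitimate sender behind a real relay is told under both policies, while only the accept-then-bounce policy sends notices to the forged addresses.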
  #30  
Old 02-18-2004, 05:13 PM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
Quote:
... And don't come complaining to me the next virus outbreak when you receive thousands of bounce messages
Never have, never will Matt

There's a virus outbreak today actually

http://securityresponse.symantec.com...tsky.b@mm.html

Ok so the MTA isn't strictly just blackholing the email, it's sending a permanent error message, personally I'm happy with that. Is this active on all mail servers and do you know if what you're using supports EICAR test messages?
All times are GMT -5.