On Fri, 2005-01-21 at 21:37 +1300, Mark Foster wrote:
Obviously virus traffic can fluctuate up and down and become an annoyingly high percentage of an ISP's total mail load. Thus AV filtering which drops these messages is beneficial and can be provided as a benefit to customers, etc...
So what happens to role accounts like, heaven forbid, abuse@ ?
At the UoA we virus scan *all* mail, including internal email for viruses, no exceptions, all mail is treated the same.
And for that matter, if the messages are dropped, is there any logged trace of the fact the message was sent in the first place?
The reason I ask is that I've seen at least one ISP to whom I've reported viral infections recently actually reject the report, because of the 'illegal file attachment' (where the criteria used was the file extension... not even viral code within the attachment)... So I had to manually copy/paste headers only to get my point across.
We do not rely on MIME types or file extensions. We examine actual file contents to determine type. If someone were stupid enough to send a live virus (or any executable file) to abuse/security(a)auckland.ac.nz then, if the attachment matched virus signatures, the mail would be silently deleted. OTOH if the file was executable but not obviously malicious then it would be quarantined and a notice sent to abuse. This is *exactly* the same as for any other address.

Under no circumstances should anyone send email containing live malware anywhere except to the notification address of AV vendors, and these should be sent in a password protected zip file (usual password used is "infected") along with the password in the body of the email.

As Simon points out there are real problems with many brain dead AV scanners which A. bounce/drop messages based on inadequate evidence and B. send erroneous bounce messages to whatever address happens to be in the From: field. Sigh....

Cheers,
Russell
The argument can be made that headers are all that's required, and that the actual payload isn't needed - but what if there's an occasion where you want said payload? (To provide actual evidence of the infection, to identify what variant of the virus is infected, to help build filters ...?)
Do ISPs out there regularly exclude their security team or at least build in means for one-off exceptions on an as-required basis? Do ISPs that drop viral (or suspected viral) traffic do anything to report said infection, or do they just drop the virus and pretend it never happened? (Doesn't actually fix the problem, does it...)
Appreciate your thoughts.
Mark.
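The gateway policy Russell describes above (type decided from the bytes of the attachment rather than its extension or declared MIME type; signature match dropped; executable with no signature match quarantined with a notice to the abuse role account), together with Mark's question about whether a dropped message leaves any trace, as an added example that is not code from the thread or from the University of Auckland's mail system. The "signature" set, the addresses, the magic-byte table and the three sample messages are all constructed for illustration; nothing here is real malware.

```python
"""Content-based attachment triage for a mail gateway (added example).

Demonstrates the policy described in the thread: the attachment's type is
decided from its bytes rather than its extension or declared MIME type; a
signature match is dropped, an executable with no signature match is
quarantined with a notice to the abuse role account, and every verdict is
logged so a dropped report still leaves a trace. The "signature" set, the
addresses and the sample messages are all constructed for this example.
"""
import email
import hashlib
import logging
from email import policy
from email.message import EmailMessage

logging.basicConfig(level=logging.INFO, format="av-gateway: %(message)s")
log = logging.getLogger("av-gateway")

ABUSE_ADDR = "abuse@example.invalid"  # constructed role-account address

# Constructed "signature database": SHA-256 of a harmless test payload that
# merely starts with the DOS/PE header bytes. A real scanner uses vendor signatures.
TEST_SAMPLE = b"MZ" + b"constructed-test-sample, not executable"
KNOWN_BAD_SHA256 = {hashlib.sha256(TEST_SAMPLE).hexdigest()}

# Leading-byte ("magic") patterns used to classify content, independent of name.
MAGIC = [
    (b"MZ", "executable/pe"),
    (b"\x7fELF", "executable/elf"),
    (b"PK\x03\x04", "archive/zip"),
    (b"%PDF", "document/pdf"),
]


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes; filename and MIME type are ignored."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(raw: bytes) -> list:
    """Apply the policy to every attachment of a raw RFC 822 message.

    Returns one record per attachment with the declared type, the detected
    type and the action taken, and logs each record.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        detected = sniff(data)
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            action = "drop"          # matched a signature: not delivered
        elif detected.startswith("executable/"):
            action = "quarantine"    # executable, not known-bad: hold and notify
        else:
            action = "deliver"
        rec = {
            "filename": part.get_filename(),
            "declared": part.get_content_type(),
            "detected": detected,
            "sha256": digest,
            "action": action,
            "notify": ABUSE_ADDR if action == "quarantine" else None,
        }
        # Logged for every verdict, including drops, so the sender's report
        # can still be traced after the fact.
        log.info("%s", rec)
        records.append(rec)
    return records


def build_sample(filename: str, maintype: str, subtype: str, data: bytes) -> bytes:
    """Construct a sample message with one attachment (test fixture, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "reporter@example.invalid"
    msg["To"] = ABUSE_ADDR
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed sample message for the triage example.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Three constructed cases: a signature hit hiding behind a .txt name, an ELF
# header declared as a JPEG, and a plain-text headers file.
SAMPLES = {
    "signature_hit": build_sample("report.txt", "text", "plain", TEST_SAMPLE),
    "mislabelled_elf": build_sample("photo.jpg", "image", "jpeg",
                                    b"\x7fELF\x02\x01\x01" + b"\0" * 16),
    "headers_only": build_sample("headers.txt", "text", "plain",
                                 b"Received: from mx.example.invalid\n"),
}


def run_samples() -> dict:
    """Triage every sample; returns {name: action taken on its first attachment}."""
    return {name: triage(raw)[0]["action"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name}: {action}")
```

The first sample is the case Mark complains about in reverse: an extension-based filter would have passed "report.txt", while content inspection classifies it as a PE header and the hash matches the (constructed) signature. The second shows why the declared MIME type is not trusted either. Every verdict, including the drop, is written to the log, which is the trace Mark asks for.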
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog