This is one that I've come across from time to time and often pondered myself.
Obviously virus traffic can fluctuate up and down and become an annoyingly high percentage of an ISP's total mail load. Thus AV filtering which drops these messages is beneficial and can be provided as a benefit to customers, etc.
So what happens to role accounts like, heaven forbid, abuse@?
And for that matter, if the messages are dropped, is there any logged trace of the fact the message was sent in the first place?
The reason I ask is that I've seen at least one ISP to whom I've reported viral infections recently actually reject the report, because of the 'illegal file attachment' (where the criterion used was the file extension, not even viral code within the attachment). So I had to manually copy/paste headers only to get my point across.
Sounds like some braindead "filter" such as MailMarshal, if it really did reject it just based on the extension of an attachment. A real email virus scanner wouldn't reject it or drop it unless there was an actual working virus body detected in the message. Personally, I'm sick of these MailMarshal-type systems; I've lost count of how many times I've received a "notification" of an "illegal file attachment" that I've supposedly sent to somebody I've never heard of before, during an outbreak of a new virus. C'mon, people running these kinds of systems, clean up your act... It is surprising to hear of an ISP doing this though, especially on an abuse@ contact address... at least people in the SOHO area running their own mail servers, who are usually guilty of this, have the "excuse" of ignorance, but an ISP doesn't.
The argument can be made that headers are all that's required, and that the actual payload isn't needed, but what if there's an occasion where you want said payload? (To provide actual evidence of the infection, to identify what variant of the virus it is infected with, to help build filters...?)
Personally I can't think of a legitimate reason to purposely send an email with a working virus body to an abuse@ contact address; you're just asking for the message to either be blocked, or potentially infect the recipient, if they don't have their act together. A copy of the message minus the virus should be sufficient.
Do ISPs out there regularly exclude their security team or at least build in means for one-off exceptions on an as-required basis? Do ISPs that drop viral (or suspected viral) traffic do anything to report said infection, or do they just drop the virus and pretend it never happened? (Doesn't actually fix the problem, does it...)
The truth is that there are so many viruses going around out there that upon detecting a confirmed virus body in an email (and a virus scanner has pretty close to zero false positives, unlike a spam filter) there is really no choice but to silently drop an infected message (perhaps logging an entry to a log file). Who are you going to report it to? Return addresses are bogus with modern viruses, so virus scanners that reply automatically are just inflicting annoyance on innocent third parties; the only way to track down the sender is based on a complicated set of lookups based on IP address, whois records, contact addresses, and manual co-operation of the sender's ISP, which can't be automated in any satisfactory way.

Besides, does an ISP the size of Xtra (for example) really want to be receiving an automated "your customer at ip x.x.x.x is infected with a virus" at their abuse@ address from some clever clogs who thinks it's a good idea to autoreport viruses, for EVERY virus every one of their customers sends? Would they ever be able to process legitimate human-sent abuse@ notifications with that amount of automated junk being fired at them? I doubt it. Would it solve anything? Not really. It would sure increase the amount of useless mail flowing around the place though...

If virus scanning was prone to the same level of false positives as spam filtering, then dropping virus-infected messages might be cause for concern, but with extremely low FPs it isn't. Anyway, you can notify the attempted recipient of the virus and let them decide if it might be a real email or not. (Which is what our system does by default, but people can turn off the notifications, and a lot do.) Trying to notify the "sender" using any automated system is out of the question though.

Regards, Simon
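As an added illustration, not part of the thread, here is a small Python sketch of the policy the two posts between them describe: log every detection, exempt role accounts such as abuse@ from drop-on-detect so reports still reach the security team, treat an extension-only match as no evidence, and notify only the intended recipient, never the forged sender. The detector hook, the addresses and the attachment are all constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

ROLE_ACCOUNTS = {"abuse", "postmaster", "security"}  # never drop-on-detect for these
BLOCKED_EXT = {".exe", ".pif", ".scr", ".bat"}        # constructed extension list

def findings_for(msg, detector):
    """Collect reasons to hold the message. `detector` is an assumed scanner hook:
    it returns a detection name for a real virus body, or None."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in BLOCKED_EXT):
            found.append(("extension", name))
        hit = detector(part.get_payload(decode=True) or b"")
        if hit:
            found.append(("virus", hit))
    return found

def decide(msg, detector):
    """Return (action, log_entry, notify). The log entry is the trace the original
    poster asked for; `notify` lists recipients to inform, never the sender."""
    found = findings_for(msg, detector)
    if not found:
        return "deliver", None, None
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    log = {"message_id": msg.get("Message-ID"),
           "from": parseaddr(msg.get("From", ""))[1],   # logged, not replied to
           "to": rcpts, "findings": found}
    role_rcpts = [r for r in rcpts if r.split("@")[0].lower() in ROLE_ACCOUNTS]
    if role_rcpts:
        return "quarantine", log, role_rcpts   # keep the report for the security team
    if not any(kind == "virus" for kind, _ in found):
        return "deliver", log, None            # extension alone is not a virus
    return "drop", log, rcpts                  # confirmed body: drop, log, tell recipient

def demo_message(to="abuse@example.org"):
    """Constructed sample: forged sender, blocked extension, fake virus marker."""
    msg = EmailMessage()
    msg["From"] = "forged@example.net"
    msg["To"] = to
    msg["Message-ID"] = "<constructed-1@example.net>"
    msg.set_content("Forwarding an infected sample for your records.")
    msg.add_attachment(b"CONSTRUCTED-MALWARE-MARKER", maintype="application",
                       subtype="octet-stream", filename="report.scr")
    return msg

def toy_detector(payload):
    """Stand-in for a real scanner: matches only the constructed marker."""
    return "Test.Sample" if b"CONSTRUCTED-MALWARE-MARKER" in payload else None
```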