[Dshield] e-mail etiquette

Jon R. Kibler Jon.Kibler at aset.com
Wed Aug 20 20:51:28 GMT 2003

"Johannes B. Ullrich" wrote:
> > Usually, programs like MIMEDefang and AMaViS give at least four options on how to handle viruses:
> >    1) Strip viruses and deliver to recipient (we NEVER do this).
> >    2) Strip viruses and deliver to recipient; send notice to envelope-sender (we NEVER do this either).
> >    3) Bounce the message (we do this)
> >    4) Discard the message (we do this if it is to a role account)
> Yes. Actually I am saying 'Don't do 3'. It will go to the wrong person
> for Sobig. Some AV scanners will allow exceptions for some viruses.
> Unless the 'bounce' will go to someone else than the 'From' address.

I presume that you mean "don't do 2's send notice to envelope-sender" as well -- since it would go to the same person as would '3'.
> >
> > By your comment, do you mean don't do "2" or don't do either "2" or "3"?
> >  (I think I would have a problem with "don't do 3.")
> The usual argument is that you will not catch false positives. Can you
> send a note to the recipient telling them that a virus was detected and
> the e-mail was quarantined?

With SOBIG, does it forge both the 'From' and the 'envelope-sender'? I thought that most viruses only forged the 'From'. If they were forging the envelope-sender, and the MTA was sendmail, and they were not root, a properly configured sendmail should gag -- it may still send it, but the originator would be clearly labeled as 'forged'. I think most other MTAs would do the same.
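The disposition policy the thread argues over, written out as an added Python example (not code from the list or from MIMEDefang/AMaViS): role accounts get option 4 (discard), a message whose sender looks forged gets quarantined with a notice to the recipient only, and a bounce (option 3) is used only when the notice would reach the real sender. The role-account names, the constructed sample message and the `virus_found` flag standing in for the AV scanner verdict are assumptions; the From/envelope-sender comparison and the sendmail X-Authentication-Warning header are only a heuristic for forgery.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed role mailboxes for which an infected message is simply discarded.
ROLE_ACCOUNTS = {"postmaster", "abuse", "webmaster", "noc"}

# Constructed sample message (the virus verdict is supplied separately).
SAMPLE = "From: alice@example.com\nTo: bob@example.org\nSubject: test\n\nbody\n"


def sender_looks_forged(msg, envelope_sender):
    """Heuristic: header From differs from the envelope sender, or sendmail
    added X-Authentication-Warning (it does so when an unprivileged local
    user submits mail with a sender address that is not their own)."""
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    if header_from and header_from != envelope_sender.lower():
        return True
    return msg.get("X-Authentication-Warning") is not None


def dispose(raw_message, envelope_sender, recipient, virus_found):
    """Return (action, notify_list) for one recipient.

    Options 1 and 2 from the thread (strip and deliver) are never used, and a
    notice is sent to the envelope sender only via a bounce whose target does
    not look forged."""
    msg = message_from_string(raw_message)
    if not virus_found:
        return "deliver", []
    local_part = recipient.split("@", 1)[0].lower()
    if local_part in ROLE_ACCOUNTS:
        return "discard", []                      # option 4
    if sender_looks_forged(msg, envelope_sender):
        return "quarantine", [recipient]          # tell the recipient, not the forged sender
    return "bounce", [envelope_sender]            # option 3, sender believed genuine


if __name__ == "__main__":
    print(dispose(SAMPLE, "mallory@example.net", "bob@example.org", True))
```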

