[Dshield] e-mail ettiquette

Jon R. Kibler Jon.Kibler at aset.com
Wed Aug 20 20:51:28 GMT 2003


"Johannes B. Ullrich" wrote:
> 
> > Usually, programs like MIMEDefang and AMaViS give at least four options on how to handle viruses:
> >    1) Strip viruses and deliver to recipient (we NEVER do this).
> >    2) Strip viruses and deliver to recipient; send notice to envelope-sender (we NEVER do this either).
> >    3) Bounce the message (we do this)
> >    4) Discard the message (we do this if it is to a role account)
> 
> yes. actually I am saying 'Dont do 3'. It will go to the wrong person
> for Sobig. Some AV scanners will allow exceptions for some viruses.
> Unless the 'bounce' will go to someone else then the 'From' address.

I presume that you mean "don't do 2's send notice to envelope-sender" as well -- since it would go to the same person as would '3'.
> 
> >
> > By your comment, do you mean don't do "2" or don't do either "2" or "3"?
> >  (I think I would have a problem with "don't do 3.")
> 
> The usual argument is that you will not catch false positives. Can you
> send a note to the recipient telling them that a virus was detected and
> the e-mail was quarantined?

With SOBIG, does it forge both the 'From' and the 'envelope-sender'? I thought that most viruses only forged the 'From'. If they were forging the envelope-sender, and the MTA was sendmail, and they were not root, a properly configured sendmail should gag -- it may still send it, but the originator would be clearly labeled as 'forged'. I think most other MTAs would do the same.


Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA




More information about the list mailing list