[unisog] VIRUS AND NDR SOLUTIONS

Michael Sofka sofkam at rpi.edu
Tue Feb 3 18:57:53 GMT 2004


On Tuesday 03 February 2004 10:22, Brent League wrote:
> We are considering the following 2 actions in the near term:
> 1) Instead of cleaning the virus from the email and forwarding the cleaned
> message on to our end-user, we are considering deleting any message that
> contains a virus.
>
> 2) Ceasing sending out any NDRs (we can filter these out with a third party
> tool).  This will eliminate a large load, but will also cause legitimate
> NDRs to not be sent.

On our central mail server (not the Exchange server) we have been dropping
viruses, and not sending NDRs since almost the beginning (Dec 2001).  At
first, I tried sending NDRs, but all bounced.  We do, however,
issue 500 errors to the connecting relay.

Most active viruses forge the sender, so the NDRs are almost always bogus,
and add to the confusion, and the severity of an outbreak.  There is also,
usually, nothing to deliver except a message saying `The message that
nobody sent to you and which you do not want has been removed, but we'll
still tell you this---along with the email address of the person who did
not send you the virus---so you can be worried and/or confused.'

Not much point to delivering such a message, is there?  As pointless as
the NDR message `The email you did not send to somebody you do not know
contained a virus we did not deliver, here's a copy of the virus.'

Even when there is a deliverable message, it is usually not something the
purported sender wanted to send.  It may be a random attachment, which
even after removing the virus, should not be delivered.  (SirCam, IIRC,
did this.  It was an effective strategy too, since most people cannot
resist opening attachments called "payroll.doc" and "Quarterly report,
draft 1.doc.")

In short, a virus infected computer cannot be trusted. Anti-virus
programs that deliver the original message, and/or generate NDRs are
broken.  Better is silently dropping the virus, and checking the relays
in your domain that you can do something about.  (E.g., look in POP
logs to see if you can identify who has read email from that machine.
Or, contact administrators in departments, if the machines have static
IP addresses.  And so on.)

An anti-virus program that made smart decisions depending on the type of
virus is better.  We would do that, except 99% of the viruses we see
do not include a deliverable message that the user sent.  (And, even
then, how do we know this isn't a new strain that picks a random
attachment?)

With the MyDoom outbreak our Exchange server was also configured to not
forward the virus messages.

Reasonable people may offer different opinions (and some do). But, my
opinion is: "Don't add to the problem by sending incorrect messages to
the wrong people."  Instead, default to a safe mode, and then do what
you can for machines you can influence.

Mike

-- 
Michael D. Sofka              sofkam at rpi.edu
C&CT Sr. Systems Programmer    Email, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
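
The policy the post describes (refuse the message with a 5xx reply while the
sending relay is still connected, originate no NDR of our own, then use POP
logs to find who was reading mail from the suspect host) as an added worked
example.  This is not code from the post or from RPI's mail system.  The
scanner is a stand-in: it matches a constructed marker string and executable
attachment extensions where a real gateway would call an AV engine.  The POP
log lines and their "LOGIN, user=..., ip=[...]" layout are constructed for the
example; adapt the regex to whatever your POP daemon actually logs.

```python
import re
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, Iterable, List, Optional, Set

# Stand-in scanner (assumption): a real gateway would hand the message to an
# AV engine.  Here anything carrying MARKER, or an attachment whose filename
# ends in an executable extension, counts as a detection.
MARKER = b"CONSTRUCTED-TEST-WORM-MARKER"
EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".vbs")


def scan_message(raw: bytes) -> Optional[str]:
    """Return a detection name if the message carries something hostile, else None."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # base64 is decoded here
        if MARKER in body:
            return "Test-Worm-Marker"
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            return "executable attachment " + name
    return None


def handle_data(policy: str, envelope_from: str, raw: bytes) -> Dict[str, object]:
    """Decide the reply at end-of-DATA and list any mail *we* would originate.

    "reject": answer 5xx inside the SMTP transaction.  Nothing is queued and we
    send no NDR; the relay that handed us the message is the one responsible for
    telling its own sender, if it chooses to.
    "accept_and_ndr": the behaviour the post argues against.  We accept, then
    send an NDR to the envelope sender, which a mass-mailing worm has almost
    certainly forged, so the NDR lands on an innocent third party.
    """
    detection = scan_message(raw)
    if detection is None:
        return {"reply": "250 2.0.0 OK: queued", "outbound": []}
    if policy == "reject":
        return {"reply": "550 5.7.1 Message rejected: " + detection, "outbound": []}
    if policy == "accept_and_ndr":
        ndr = {"to": envelope_from, "subject": "Undeliverable: " + detection}
        return {"reply": "250 2.0.0 OK: queued", "outbound": [ndr]}
    raise ValueError("unknown policy " + policy)


def build_sample(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed worm-style message: forged From, teaser text, one attachment."""
    msg = MIMEMultipart()
    msg["From"] = "innocent@example.edu"  # forged, as SirCam/MyDoom did
    msg["To"] = "victim@example.edu"
    msg["Subject"] = "Quarterly report, draft 1"
    msg.attach(MIMEText("See attached.\n"))
    att = MIMEApplication(attachment_bytes, Name=attachment_name)
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(att)
    return msg.as_bytes()


# Constructed POP server log excerpt in an assumed format.
POP_LOG: List[str] = """\
Feb  3 09:12:01 mail pop3d[4112]: LOGIN, user=alice, ip=[10.20.30.40]
Feb  3 09:12:05 mail pop3d[4113]: LOGIN, user=bob, ip=[10.20.30.41]
Feb  3 09:13:10 mail pop3d[4115]: LOGIN, user=alice, ip=[10.20.30.40]
Feb  3 09:14:22 mail pop3d[4116]: LOGIN FAILED, user=mallory, ip=[10.20.30.40]
""".splitlines()

# Only successful logins match; "LOGIN FAILED" lines are deliberately skipped.
LOGIN_RE = re.compile(r"LOGIN, user=(?P<user>\S+), ip=\[(?P<ip>[^\]]+)\]")


def users_on_host(lines: Iterable[str], ip: str) -> Set[str]:
    """Accounts that successfully fetched mail from `ip`, i.e. likely users of that box."""
    users: Set[str] = set()
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and m.group("ip") == ip:
            users.add(m.group("user"))
    return users


if __name__ == "__main__":
    worm = build_sample("payroll.doc.pif", MARKER)
    for policy in ("reject", "accept_and_ndr"):
        r = handle_data(policy, "innocent@example.edu", worm)
        print(policy, "->", r["reply"], "| NDRs we send:", r["outbound"])
    print("clean ->", handle_data("reject", "a@example.edu", build_sample("notes.txt", b"hi"))["reply"])
    print("POP users on 10.20.30.40:", users_on_host(POP_LOG, "10.20.30.40"))
```

Run it and compare the two policies on the same worm message: "reject" produces
a 550 and an empty outbound list, "accept_and_ndr" produces a 250 and an NDR
addressed to the forged innocent@example.edu, which is exactly the backscatter
the post is talking about.  The POP search then names alice, not the failed
login from mallory, as the person to contact about 10.20.30.40.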
