[unisog] Virus droppings and unresolvable domains - your input.

Christopher E. Cramer chris.cramer at duke.edu
Mon Mar 1 21:04:04 GMT 2004

i'm not going to touch 2), but some thoughts on 1)

at Duke, our default policy with viruses is to clean (which may entail
deleting the attachment) and send the message, but not to notify the
sender of the virus.  certain viruses can be specified by hand as being
things to discard without notifying sender or recipient.    

the thinking behind this is:

* notifying senders (or more likely from: addresses) about viruses used
to be a good idea when the majority of viruses were macro viruses and
the from: line was a generally good indicator of the source.  in today's
environment, the from: line in a virus message is almost certain to be

* a default discard policy is likely to lose data.  while no longer the
majority, there are still a sizable number of macro viruses out there
and if the default policy were to discard, we might silently drop
someone's spreadsheet or word document which was intentionally sent.  

* since we don't want to lose data, we will only discard viruses where a
person has looked at the specifications on the anti-virus sites and
decided that no real information will be lost if we discard the virus
out of hand.

the only problem with this is that we face an hour or two period for
each new mass-email worm where we clean and send which annoys the
users.  but that's not such a huge problem and it's worth the
aggravation so as not to silently flush data that was intentionally

as to the postal service analogy, i wouldn't say that it's false, so
much as it's overly simplistic.  i think that what people are striving
for with the analogy is that, as much as possible, we want to be a
simple transmission service, getting information from point a to point
b.  however, what the analogy fails to address is that there are real
world constraints (material costs, postage costs, etc.) which minimize
certain problems.  since these constraints don't exist electronically,
we face issues (such as short term, radically increased load) that the
postal service doesn't face and so our approach will not always map to
that of the usps.


On Mon, 2004-03-01 at 13:47, Thomas DuVally wrote:
> I am looking at a couple of issues regarding how we are handling email
> for our users.  We are doing two things that I personally believe are
> big mistakes.  I'll just lay them out:
> 1) We deliver all those virus messages (cleaned, of course) that are
> generated by viruses themselves (mydoom, sobif, klez ...) to our users.
> 2) We are accepting mail from unqualified senders and unresolved
> domains.
> The policy theory around this is that we merely process mail and are not
> in the business or creating additional "value add" to the service.  The
> only "value add" we offer is virus detection and removal (for security),
> and spam tagging (users screamed).
> The analogy made is to that of a postal service.  
> I need help with: explaining why that is a (grossly) false analogy, and
> what you are doing regarding them.
> Thanks in advance!

More information about the unisog mailing list