[unisog] Virus droppings and unresolvable domains - your input.

Chris Edwards chris at eng.gla.ac.uk
Mon Mar 1 22:37:06 GMT 2004

On Mon, 1 Mar 2004, Christopher E. Cramer wrote:

| in today's environment, the from: line in a virus message is almost
| certain to be forged.
| * a default discard policy is likely to lose data.
| * since we don't want to lose data, we will only discard viruses where a
| person has looked at the specifications on the anti-virus sites and
| decided that no real information will be lost if we discard the virus
| out of hand.
| the only problem with this is that we face an hour or two period for
| each new mass-email worm where we clean and send which annoys the
| users.
Much better is to scan during the SMTP dialog and reject the junk at the
DATA stage.  This way:

- Any bona fide sender gets a bounce from their local MTA.

- Wormspew with counterfeit headers disappears into the ether.  No sender
  is spammed and no recipient is disturbed.

We run Exim + exiscan to do this - beats the traditional approaches hands
Chris Edwards, Glasgow University Computing Service
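The mechanism described in the post above, as an added example that is not part of the original message and is not Exim or exiscan code: a toy SMTP server scans the message once the client has sent the final "." and answers 550 instead of 250 when the scan hits. Everything in it is constructed: the hostnames and addresses are invented, the "scanner" only recognises the public EICAR test string, and the `submitter` parameter is a modelling assumption standing in for the local user a genuine sending MTA is relaying for.

```python
"""
Rejecting a virus at the SMTP DATA stage, simulated end to end.

Added example, not code from the original post and not Exim/exiscan.
Hostnames and addresses are invented; the "scanner" only recognises the
public EICAR test string.
"""
from typing import List, Optional, Tuple

# Public EICAR anti-virus test string (harmless, but every scanner flags it).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan(body: str) -> Optional[str]:
    """Stand-in for the AV engine: return a detection name or None."""
    return "EICAR-Test-File" if EICAR in body else None


def smtp_dialog(mail_from: str, rcpt_to: str, body: str) -> Tuple[List[Tuple[str, str]], int]:
    """Run one SMTP transaction against a server that scans at DATA.

    Returns the transcript as (side, line) pairs plus the reply code the
    server gave at the end of DATA: 250 (accepted) or 550 (rejected).
    """
    t: List[Tuple[str, str]] = []

    def s(line: str) -> None:  # server -> client
        t.append(("S", line))

    def c(line: str) -> None:  # client -> server
        t.append(("C", line))

    s("220 mx.example.ac.uk ESMTP")  # hostname assumed
    c("EHLO client.example.net")
    s("250 mx.example.ac.uk Hello client.example.net")
    c(f"MAIL FROM:<{mail_from}>")
    s("250 OK")
    c(f"RCPT TO:<{rcpt_to}>")
    s("250 Accepted")
    c("DATA")
    s('354 Enter message, ending with "." on a line by itself')
    for line in body.splitlines():
        # Dot-stuffing: a body line starting with "." gets an extra "." (RFC 5321).
        c("." + line if line.startswith(".") else line)
    c(".")
    # Decision point: the whole message is in hand but nothing has been
    # accepted yet, so a 5xx here leaves the message with the sender.
    hit = scan(body)
    if hit:
        s(f"550 5.7.1 Message rejected: malware detected ({hit})")
        code = 550
    else:
        s("250 OK message accepted for delivery")
        code = 250
    c("QUIT")
    s("221 mx.example.ac.uk closing connection")
    return t, code


def reject_at_data(mail_from: str, rcpt_to: str, body: str,
                   submitter: Optional[str]) -> dict:
    """Outcome of SMTP-time rejection.

    `submitter` (assumed model) is who the *sending* MTA is relaying for, i.e.
    its own local user, or None when the client is a worm speaking SMTP
    directly.  A 550 at DATA makes that MTA bounce to its own user; a worm
    has no one to bounce to, and the forged MAIL FROM is never contacted.
    """
    _transcript, code = smtp_dialog(mail_from, rcpt_to, body)
    if code == 250:
        return {"delivered": True, "bounce_to": None, "code": code}
    return {"delivered": False, "bounce_to": submitter, "code": code}


def accept_then_bounce(mail_from: str, rcpt_to: str, body: str) -> dict:
    """The approach the post argues against: accept (250), scan afterwards,
    then post a DSN to the envelope sender.  With a forged MAIL FROM the
    DSN goes to an innocent third party (backscatter)."""
    if scan(body):
        return {"delivered": False, "bounce_to": mail_from, "code": 250}
    return {"delivered": True, "bounce_to": None, "code": 250}


if __name__ == "__main__":
    worm = "Subject: hi\n\nsee attached\n" + EICAR + "\n"  # constructed sample
    forged = "victim@elsewhere.example"                     # forged envelope sender
    print("accept-then-bounce:", accept_then_bounce(forged, "user@example.ac.uk", worm))
    print("reject-at-DATA (worm):", reject_at_data(forged, "user@example.ac.uk", worm, None))
    for side, line in smtp_dialog(forged, "user@example.ac.uk", worm)[0]:
        print(f"{side}: {line}")
```

The two outcome functions make the post's point explicit: `accept_then_bounce` always produces a DSN addressed to whatever MAIL FROM the worm chose, while `reject_at_data` produces nothing at all when the client is the worm itself and a bounce only when a real MTA was relaying for a real user. In Exim this decision lives in the DATA ACL (`acl_smtp_data`), where an exiscan-style `deny malware = *` verb returns the 550 before the message is ever queued.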

