[unisog] Virus droppings and unresolvable domains - your input.
chris at eng.gla.ac.uk
Mon Mar 1 22:37:06 GMT 2004
On Mon, 1 Mar 2004, Christopher E. Cramer wrote:
| in today's environment, the from: line in a virus message is almost
| certain to be forged.
| * a default discard policy is likely to lose data.
| * since we don't want to lose data, we will only discard viruses where a
| person has looked at the specifications on the anti-virus sites and
| decided that no real information will be lost if we discard the virus
| out of hand.
| the only problem with this is that we face an hour or two period for
| each new mass-email worm where we clean and send which annoys the
Much better is to scan during the SMTP dialog and reject the junk at the
DATA stage. This way:
- Any bona-fide sender gets a bounce from their local MTA.
- Wormspew with counterfeit headers disappears into the ether. No sender
is spammed and no recipient is disturbed.
We run Exim + exiscan to do this - beats the traditional approaches hands
Chris Edwards, Glasgow University Computing Service
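
The DATA-stage rejection described in the message above, as an added example that is not part of the original post: a loopback SMTP receiver written with the Python standard library (not Exim or exiscan) that scans the body before giving its final reply. The marker string, host names and addresses are constructed for the demo.

```python
import smtplib, socketserver, threading

# Constructed stand-in for an AV engine verdict; a real deployment calls a
# scanner at this point (the post uses exiscan). The marker is made up.
SIGNATURE = b"X-DEMO-WORM-PAYLOAD"

class ScanAtData(socketserver.StreamRequestHandler):
    """Minimal SMTP receiver that scans the body before answering DATA."""
    def reply(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        self.reply("220 mx.example ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.strip().upper()[:4]
            if verb == b"DATA":
                self.reply("354 go ahead")
                body = b""
                while (chunk := self.rfile.readline()) not in (b".\r\n", b""):
                    body += chunk
                # The verdict is given while the sender is still connected,
                # so a 5xx leaves any bounce to the sending MTA and the
                # receiver never mails the (possibly forged) From: address.
                if SIGNATURE in body:
                    self.reply("550 message rejected: malware detected")
                else:
                    self.reply("250 OK queued")
            elif verb == b"QUIT":
                self.reply("221 bye")
                return
            else:  # EHLO/HELO, MAIL, RCPT, RSET
                self.reply("250 OK")

def deliver(body):
    """Send one message over loopback; return the final SMTP reply code."""
    with socketserver.ThreadingTCPServer(("127.0.0.1", 0), ScanAtData) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            with smtplib.SMTP("127.0.0.1", srv.server_address[1],
                              local_hostname="client.example") as c:
                c.sendmail("a@sender.example", ["b@rcpt.example"], body)
            return 250
        except smtplib.SMTPDataError as e:
            return e.smtp_code
        finally:
            srv.shutdown()
```
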