[unisog] Virus droppings and unresolvable domains - your input.

Eric Rostetter rostetter at mail.utexas.edu
Mon Mar 1 23:05:27 GMT 2004

Quoting Thomas DuVally <tduvally at brown.edu>:

> I am looking at a couple of issues regarding how we are handling email
> for our users.  We are doing two things that I personally believe are
> big mistakes.

I'd love to know why you think they are mistakes.

> 1) We deliver all those virus messages (cleaned, of course) that are
> generated by viruses themselves (mydoom, sobig, klez ...) to our users.

This is a double edged sword.  I find by delivering them, you:

   * let the powers that be know that virus/malware is a problem (since they
     see all the virus/malware you disinfect for them)
   * encourage users to install/update anti-virus software (since they see
     all the virus/malware you disinfect for them, and those that get through)
   * annoy the heck out of the users (dealing with all the useless mail)

On the other hand, if you filter them:

   * the powers that be don't think it is important, isn't working, isn't
     needed, doesn't deserve budget money, etc (since they never see a virus)
   * people don't install/update anti-virus software (they forget, or assume
     you are catching them all, etc).
   * you block false positives without the user ever knowing they lost mail

The very last point is why I deliver/notify instead of discard.  We only
see about 2-3 false positives a year, but that is 2-3 too many.

Personally, I don't think either solution is a good one.  I've grappled
with this several times, and all I ever come up with is "damned if you
do, damned if you don't" and dwell in indecision...

> 2) We are accepting mail from unqualified senders and unresolved
> domains.

If I didn't accept mail from unresolved domains, then I would block fully
10% of my faculty mail.  Sad, but true, I can't trust my faculty to type
their full domain name correctly in their pop3/imap clients.  They misspell
"physics" even though they are physics faculty.  They misspell "texas"
in "utexas" even though that is where they live.  They leave off the ".edu".

Then they get their DNS names wrong when they set up machines, configure
sendmail, etc.

I don't have the support staff to handle the complaints if I bounced all
that mail, and that is just the faculty.  Add in the students and staff,
and well, you get the idea...  (Of course, this isn't without problems;
often you can't reply to their mail as the reply address is wrong, but
what can you do...)

> The policy theory around this is that we merely process mail and are not
> in the business or creating additional "value add" to the service.

You need to define what "process the mail" (or more importantly "deliver
the mail") means, and what "value add" means.  In my case above, discarding
legit email due to a false positive is neither delivering the mail nor
adding value to it.

> The
> only "value add" we offer is virus detection and removal (for security),
> and spam tagging (users screamed).

That is a heck of a lot of value added, and more than many university sites
are currently supplying.

> The analogy made is to that of a postal service.

Well, it is partially true.  For example, they filter out mail suspected
of being bombs or other bad stuff.  They inspect them, and if they find
they were wrong they deliver them (unless they detonated it, in which case
they still notify you).  If you want to do this, that is fine.

But the USPS does not filter suspected mail and just dump it.  I'd urge
you not to do that either, though I've seen many sites which do.

> I need help with: explaining why that is a (grossly) false analogy, and
> what you are doing regarding them.

It really isn't a bad analogy.  The USPS enforces policy (customs
laws, etc) while trying their best to deliver the mail, even if it is
mis-addressed or has no return address.  So do I.  I enforce certain
policy (no spam, no virus/malware, etc) while trying my best to deliver mail
(even misaddressed, anonymous, etc. mail).

You're saying that isn't your goal?  What is your goal?

> Thanks in advance!
> --
> Thomas J. DuVally
> Lead Systems Prog.
> CIS, Brown Univ.
> GPG fingerprint = FB59 8265 0865 0CB8 94B5 FC26 F573 F09C 15F2 33F6

Eric Rostetter