[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <401808A4.9010301@orlandi.com>
Date: Wed, 28 Jan 2004 20:08:20 +0100
From: Daniele Orlandi <daniele@...andi.com>
To: bugtraq@...urityfocus.com
Subject: Re: RFC: virus handling
Thomas Zehetbauer wrote:
>
> 1.1.) Configuration
> Unless the virus scanner provides special handling for worms and virii
> which knowingly use a faked sender address
I think that virus scanners SHOULD provide some sort of information on
the reliability of headers and SMTP envelope of the virus e-mail and act
accordingly.
I use amavisd-new which has support for listing viruses/worms that fake
the sender's email address. Unfortunatelly the list is external to the
actual virus scanner and has to be updated manually.
This is a major problem, since the administrators are often (an with
good reason) not responsive enought with the rapid floods like the one
we saw recently.
> it should not send out notification messages unless the administrator has
> been warned that these notification messages may not reach the intended
> recipient and has still enabled this feature.
I would say that a virus scanner SHOULD NOT send notifications unless it
has informations on the reliability of the sender's e-mail address.
> 1.2.) Format
> These messages cannot be easily filtered because they come in many
> different formats and do often not contain any useful information at
> all.
They could be formatted with a message/delivery-status part but the
problem wouldn't exist at all if all the notifications are sent to the
real infected recipient.
Bye.
--
Daniele Orlandi
Powered by blists - more mailing lists