Re: [Full-Disclosure] antivirus s/w
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] antivirus s/w
- From: Damian Gerow <damian@sentex.net>
- Date: Tue, 27 Jan 2004 16:03:59 -0500
Thus spake Bryan K. Watson (bwatson@nettracers.com) [27/01/04 15:57]:
> >Especially with virii spoofing the "From" field now. It just ends up with
> >somebody at random getting the response, which is likely to cause more
> >confusion.
>
> The problem is not just antivirus software...the SMTP RFC states that mail
> servers must be polite as well....so all the sysadmins have to deal with
> purging all those double bounces from faked headers and invalid
> destinations.
~postmaster/.procmailrc:
:0:
* ^Subject: (Postmaster (notify|warning)|Could not send message for|Returned mail)
double-bounce
(Note that this will need to change if you send mail from postmaster@.)
Not terribly difficult. IMHO, dealing with false virus notifications -- and
servers that 'politely' strip the worm code before it gets to you -- is a
bigger pain. I actually get more 'disinfected' viruses than viruses
themselves. Until we see a virus that attaches itself to valid messages
(which I bet will be Real Soon Now), there's no need to just disinfect an
e-mail.
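
Added example, not part of the original post: a Python sketch of the same Subject filter that also handles the caveat in the note above about mail sent from postmaster@. The postmaster address, the sample message and the rule of checking the returned original's From header are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject alternatives from the recipe in the post; procmail matches
# case-insensitively by default, hence re.I.
BOUNCE_SUBJECT = re.compile(
    r"(Postmaster (notify|warning)|Could not send message for|Returned mail)", re.I)

def classify(raw, postmaster="postmaster@example.org"):
    """Return 'double-bounce' or 'inbox' for one raw message."""
    msg = message_from_string(raw)
    if not BOUNCE_SUBJECT.match(msg.get("Subject", "")):
        return "inbox"
    # Assumed refinement: if the returned original really came from
    # postmaster, it is a genuine bounce and should stay visible.
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload()[0]
            sender = parseaddr(original.get("From", ""))[1].lower()
            if sender == postmaster.lower():
                return "inbox"
    return "double-bounce"

# Constructed sample bounce; addresses and boundary are made up.
TEMPLATE = """\
From: MAILER-DAEMON@example.org
To: postmaster@example.org
Subject: {subject}
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

550 user unknown
--b1
Content-Type: message/rfc822

From: {orig_from}
To: nobody@example.net
Subject: test

body
--b1--
"""

def sample(subject, orig_from):
    return TEMPLATE.format(subject=subject, orig_from=orig_from)
```
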