Re: [Full-Disclosure] Email

[Damian Gerow <damian@sentex.net>]

(Re-formatted for clarity.  Please look into line wrapping.)

Thus spake Jos Osborne (Jos@meltemi.co.uk) [04/02/04 10:13]:
> Most ISP's wouldn't touch the concept of being responsible for their
> client's e-mail security with a 10' barge pole. Apart from the
> obvious technical issues - they'd need an AV scanner to check the
> mail that would have to be capable of dealing with serious volumes -
> there are also issues of liability if anything doesn't work (I'm
> thinking along the lines of the medical court cases that have come up
> where doctors have been sued for not using the most advanced equipment
> that existed regardless of whether they actually had that equipment
> available at the time).

Actually, most ISP's need to offer some sort of AV/Spam scanning these days
if they want to remain in business.  Think 'value-add services'.  There are
many software packages that can handle large volumes of mail.  And if one
server can't do it, there's a reason Round Robin RRs exist.

That's not to say that they're responsible for their client's e-mail
security, rather, they're offering a service to keep their client's e-mail
free of viruses.  So long as they follow due diligence -- update defs
frequently, don't run massively outdated software, try to set the system up
to be difficult to circumvent -- there's little to worry about.

> Add to this privacy issues - they have to open up the e-mail to scan it
> - and you end up with a fairly horrible problem.

Yeah, if you have a crack team of virus analyzing monkeys sitting in the
back, opening up and manually checking every single piece of mail coming
through your network, you might have some privacy -- and load -- problems.

But then again, you might have bigger problems.

  - Damian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html