antivirus in smtp, good or bad?

Suresh Ramasubramanian suresh at outblaze.com
Tue Feb 3 15:30:06 UTC 2004


Joe Maimon  [2/3/2004 8:43 PM] :

> What you are saying is that every mailhost on the Internet should run up 
> to date and efficient virus scanning? Pattern matching and header 
> filtering? Should the executable attachment become outlawed on the 
> Internet? Recognize when a "to be bounced email" is a spoof and discard 
> the DSN?

You are going to an extreme there I'm afraid ... I do agree that 
exaggeration helps stress a point, but ...

> That could significantly raise the bar on MTA costs. Pattern matching 
> on headers/attachments, while not strictly speaking 100% accurate (are 
> emails with subject line of "Hi!" permitted on the Internet anymore?) 
> are usually performance sensitive.

Not always - limit it to two or three things like

1. Deny attachments with known "bad" extensions

2. Check for the patterns of the "flavor of the month" virus

3. Apply as many other rules as possible to reject the mail (checks for 
fake / spoofed helo etc) _before_ the mail gets to the virus scanning / 
pattern matching stage

> However there is the issue of manual intervention required to keep 
> things up to date and as we know constant care and feeding of systems by 
> admins is not cheap.

Cron does help, and so do a few other things ...

> Full blown signature based virus scanning, while automated, is NOT 
> performance sensitive. Any sufficiently large MX will see a big hit if 
> they perform that. In many cases the virus scanning rate will become the 
> practical bottleneck.

It is a tradeoff.  Is that the bottleneck, or are your systems and 
bandwidth being choked with virus mails, and double bounces because of 
undeliverable virus mail (say in the case of .forward users) the 
bottleneck?

> As I tell my customers, just delete the undeliverable notices if they do 
> not apply to you. One day, Mozilla/Thunderbird or others might even run 
> that through a "references a message I sent?" check for you.

Mozilla / Thunderbird is nice, but using it to fetch your mail when 
dialed in long distance from a hotel room is not nice, when almost all 
the mail is viruses, virus notifications or virus mail that gets sent 
on, but with the malware removed from it so that your scanner can't 
catch the email.

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
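The staged filtering described in the reply above (cheap HELO, attachment-extension and header-pattern rejections applied before the expensive signature scan) as an added illustration; this is not code from the original thread or from outblaze. The MTA hostname, the refused extensions, the "flavor of the month" subject patterns and the byte signature are all constructed for the example, and the scanner class is a simplified stand-in for a real signature engine that mainly serves to count how many messages still reach that stage.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed hostname of the MTA running these checks (constructed).
OUR_HOSTNAMES = {"mx.example.net"}

# Stage 1: attachment extensions refused outright (constructed list).
BAD_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

# Stage 2: cheap subject patterns for the current worm (constructed).
FLAVOR_OF_MONTH = [
    re.compile(r"^(hi|hello|test)!?$", re.I),
    re.compile(r"^mail delivery system: returned mail$", re.I),
]

# Stage 3 (expensive): byte signature a full scanner would match (constructed).
SIGNATURES = [b"CONSTRUCTED-WORM-SIGNATURE-0001"]


def check_helo(helo):
    """Stage 0: reject a HELO that claims to be us, is a bare IP, or is not an FQDN."""
    h = helo.strip().lower()
    if h in OUR_HOSTNAMES:
        return "helo claims to be this host"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h):
        return "helo is a bare IP literal"
    if "." not in h or not re.fullmatch(r"[a-z0-9.-]+", h):
        return "helo is not a fully qualified hostname"
    return None


def check_extensions(msg):
    """Stage 1: refuse any attachment whose filename ends in a bad extension."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        for ext in BAD_EXTENSIONS:
            if name.endswith(ext):
                return f"attachment {name!r} has refused extension {ext}"
    return None


def check_patterns(msg):
    """Stage 2: match the subject against the current worm's known patterns."""
    subject = (msg["subject"] or "").strip()
    for pat in FLAVOR_OF_MONTH:
        if pat.search(subject):
            return f"subject matches worm pattern {pat.pattern!r}"
    return None


class SignatureScanner:
    """Stand-in for the full scanner: decodes every part and searches for signatures."""

    def __init__(self):
        self.calls = 0  # how many messages survived the cheap stages

    def scan(self, msg):
        self.calls += 1
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue
            payload = part.get_payload(decode=True) or b""
            for sig in SIGNATURES:
                if sig in payload:
                    return f"signature match in {part.get_content_type()} part"
        return None


def filter_message(helo, raw, scanner):
    """Run the cheap checks in order; only survivors reach the scanner.

    Returns (verdict, stage, reason)."""
    reason = check_helo(helo)
    if reason:
        return ("reject", "helo", reason)  # rejected before even parsing the body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for stage, check in (("extension", check_extensions), ("pattern", check_patterns)):
        reason = check(msg)
        if reason:
            return ("reject", stage, reason)
    reason = scanner.scan(msg)
    if reason:
        return ("reject", "scanner", reason)
    return ("accept", "scanner", "clean")


def build(subject, body, filename=None, data=b""):
    """Construct a sample message, optionally with one binary attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def run_demo():
    """Feed five constructed messages through the pipeline; return verdicts and scanner load."""
    scanner = SignatureScanner()
    samples = {
        "spoofed_helo": ("mx.example.net", build("meeting", "see you at 3")),
        "exe_attachment": ("relay.example.org", build("photo", "look", "photo.jpg.exe", b"MZ...")),
        "worm_subject": ("relay.example.org", build("Hi!", "")),
        "signature_hit": ("relay.example.org", build("invoice", "attached", "inv.zip", b"xx" + SIGNATURES[0])),
        "clean": ("relay.example.org", build("lunch?", "noon works")),
    }
    results = {name: filter_message(helo, raw, scanner) for name, (helo, raw) in samples.items()}
    return results, scanner.calls


if __name__ == "__main__":
    verdicts, scanned = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:15} {verdict}")
    print(f"messages that reached the signature scanner: {scanned} of {len(verdicts)}")
```

Of the five constructed messages only two ever reach the signature stage; the other three are refused by checks that cost a string comparison or a regular expression, which is the whole point of ordering the pipeline this way.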