Clueless anti-virus products/vendors (was Re: Sober)

Simon Waters simonw at zynet.net
Fri Dec 9 09:25:58 UTC 2005


On Thursday 08 Dec 2005 18:08, Douglas Otis wrote:
>
> When accepting messages from anonymous sources, seldom does one know
> the source.

On the contrary, short of the tricks played on AOL to defeat their original 
antispam system, TCP means you always know the source.

We manage to filter out ~98% of the unwanted email here with very nearly 100% 
accuracy at the SMTP transaction stage, with low processor overhead on our new 
email servers, at which point any backscatter from what gets through is 
trivial, although alas there is still a little due to evil practices of the 
past in then forwarding email elsewhere.

But the point of this discussion is that SMTP will have to evolve to be a 
point to point system (or functional equivalent). The days of store and 
forward in intermediate MTAs should die as quickly as possible (which as our 
forwarding demonstrates may be quite slowly alas). The problem is that many 
of the antivirus gateways behave like new intermediate MTAs, especially when 
for many of the organisations involved it could easily be done during SMTP 
transactions.

The remaining issue is how much resource it costs to do your spam/malware 
detection, but I believe trying to do anything beyond policy enforcement ("no 
EXE/PIF/SCR here please") in terms of malware detection in the MTA is a 
mistake, especially when you only really need to protect the thick(!) 
clients, and they still need to be protected when the content is 
zipped/encrypted/novel/zipped+encrypted+novel etc.

This thread on the other hand should move to Spam-L.
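The kind of policy enforcement the post argues for, done at the SMTP transaction stage so that a refused message is rejected with a 5xx reply rather than accepted and bounced later, and the point at which such a check stops being able to see content, as an added Python example that is not part of the original post or of any product discussed in the thread. The block list, the SMTP reply texts, the helper names and the sample messages are assumptions constructed for illustration; the "encrypted" archive is simulated by setting the zip encryption flag bit, since Python's zipfile module cannot write encrypted archives.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy list, in the spirit of "no EXE/PIF/SCR here please".
BLOCKED_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}


def blocked_name(filename):
    """True if the last extension is on the block list. Only the final suffix
    counts, so 'invoice.pdf.exe' is refused and 'setup.exe.txt' is not."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS


def inspect_zip(payload):
    """Return (member_names, encrypted) for a zip payload, or (None, False) if
    the bytes are not a zip. Member names sit unencrypted in the central
    directory, so they can still be policy-checked; member content cannot be
    examined once the encryption flag is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            infos = zf.infolist()
            return [i.filename for i in infos], any(i.flag_bits & 0x1 for i in infos)
    except zipfile.BadZipFile:
        return None, False


def check_message(raw):
    """Policy decision for one message at the end of the SMTP DATA phase.
    Returns (smtp_reply, opaque): a 554 reply rejects before the MTA takes
    responsibility for the message (no bounce, so no backscatter); opaque
    lists attachments whose content the MTA could not see, which is where
    protection on the client has to take over."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    opaque = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if blocked_name(name):
            return f"554 5.7.1 Attachment {name!r} refused by policy", opaque
        members, encrypted = inspect_zip(part.get_payload(decode=True) or b"")
        if members is None:
            continue  # not a zip: nothing more this policy check can say
        if any(blocked_name(m) for m in members):
            return f"554 5.7.1 Archive {name!r} contains an executable", opaque
        if encrypted:
            opaque.append(name)
    return "250 2.0.0 Accepted", opaque


# --- constructed sample input for the demonstration (not real traffic) -----

def build_message(filename, payload):
    """Constructed test message with one binary attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.net"
    m["Subject"] = "policy check sample"
    m.set_content("see attached")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def build_zip(members, encrypted=False):
    """Constructed zip archive. Python's zipfile cannot write encrypted
    archives, so 'encrypted' is simulated by setting the encryption flag bit
    in the central directory, which is all inspect_zip looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        if encrypted:
            for info in zf.infolist():
                info.flag_bits |= 0x1
    return buf.getvalue()


SAMPLES = {
    "plain_exe": build_message("invoice.pdf.exe", b"MZ\x90\x00"),
    "zip_with_exe": build_message("files.zip", build_zip({"setup.exe": b"MZ\x90\x00"})),
    "encrypted_zip": build_message("secret.zip",
                                   build_zip({"report.doc": b"..."}, encrypted=True)),
    "harmless": build_message("notes.txt", b"hello"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```

The first two samples are refused inside the SMTP transaction, so the sending MTA (or the infected client) gets the error and no bounce is ever generated. The encrypted archive is accepted because the policy check has nothing to say about member content it cannot read; that is the case the post has in mind when it says the thick clients still need their own protection for zipped or encrypted content.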



More information about the NANOG mailing list