Clueless anti-virus products/vendors (was Re: Sober)
Simon Waters
simonw at zynet.net
Fri Dec 9 09:25:58 UTC 2005
On Thursday 08 Dec 2005 18:08, Douglas Otis wrote:
>
> When accepting messages from anonymous sources, seldom does one know
> the source.
On the contrary, short of the tricks played on AOL to defeat their original
antispam system, TCP means you always know the source.
We manage to filter out ~98% of the unwanted email here with very nearly 100%
accuracy at the SMTP transaction stage with low processor overhead on our new
email servers. At which point any backscatter from what gets through is
trivial, although alas there still is a little due to evil practices of the
past in then forwarding email elsewhere.
But the point of this discussion is that SMTP will have to evolve to be a
point to point system (or functional equivalent). The days of store and
forward in intermediate MTAs should die as quickly as possible (which, as our
forwarding demonstrates, may be quite slow, alas). The problem is that many
of the antivirus gateways behave like new intermediate MTAs, especially when,
for many of the organisations involved, it could easily be done during SMTP
transactions.
The remaining issue is how much resource it costs to do your spam/malware
detection, but I believe trying to do anything beyond policy enforcement ("no
EXE/PIF/SCR here please") in terms of malware detection in the MTA is a
mistake, especially when you only really need to protect the thick(!)
clients, and they still need to be protected when the content is
zipped/encrypted/novel/zipped+encrypted+novel etc.
This thread on the other hand should move to Spam-L.
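The kind of SMTP-transaction-stage policy enforcement ("no EXE/PIF/SCR here please") the post contrasts with full malware detection, as an added example that is not from the original message or from any product mentioned in the thread. It parses a message the way a DATA-stage hook or milter would, refuses blocked attachment names directly or inside a plain zip, and reports (rather than hides) the case it cannot decide: an encrypted or unreadable zip, which is why the post says the clients still need their own protection. The blocked-extension list and the sample messages are constructed for the example.

```python
"""Attachment-name policy check of the sort an MTA can apply during the SMTP
transaction. Added example; the extension list and samples are assumptions."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: attachment names ending in these are refused, any case.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def _blocked_name(name):
    """True if a filename ends in a blocked extension (case-insensitive)."""
    if not name:
        return False
    lower = name.lower()
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def check_message(raw):
    """Classify a raw RFC 5322 message as bytes.

    Returns (verdict, reason): 'reject' when a blocked name is found, either as
    an attachment or as an entry of a readable zip attachment, else 'accept'.
    Encrypted zip entries and unreadable zips are accepted but named in the
    reason, so the limit of name-based policy is visible to the operator.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    notes = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if _blocked_name(name):
            return "reject", f"attachment {name!r} has a blocked extension"
        if name and name.lower().endswith(".zip"):
            data = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        # Bit 0 of the general-purpose flags marks an encrypted entry;
                        # its name is visible but its content is not inspectable here.
                        if info.flag_bits & 0x1:
                            notes.append(f"{name}: encrypted entry {info.filename!r} not inspectable")
                            continue
                        if _blocked_name(info.filename):
                            return "reject", f"{name} contains blocked file {info.filename!r}"
            except zipfile.BadZipFile:
                notes.append(f"{name}: not a readable zip")
    return "accept", "; ".join(notes) if notes else "no blocked attachments"


def _build(attachment_name, attachment_bytes):
    """Constructed sample message with one binary attachment (example data)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "postmaster@example.invalid"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(attachment_bytes, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


def _zip_with(entries):
    """Build an in-memory, unencrypted zip from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples covering the cases the policy distinguishes.
SAMPLES = {
    "plain": _build("report.txt", b"quarterly numbers"),
    "pif": _build("invoice.PIF", b"MZ\x90\x00"),
    "zip_exe": _build("docs.zip", _zip_with({"readme.txt": b"hi", "setup.exe": b"MZ"})),
    "zip_clean": _build("docs.zip", _zip_with({"readme.txt": b"hi"})),
    "bad_zip": _build("weird.zip", b"not really a zip"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```

The check runs on the already-received DATA, so a reject here still happens inside the SMTP transaction (a 5xx after DATA) rather than as a later bounce, which is what keeps backscatter out of the picture.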