rant about anti-virus and spam, MS flamed

Martin Sapsed m.sapsed at BANGOR.AC.UK
Tue Feb 3 17:56:49 GMT 2004

(Catching up with a backlog again - can't let this one go)

Matt Kettler wrote:
> At 06:09 PM 1/28/2004, Leonard Hermens wrote:
>> >Can you cite an example of when, at the present time, it is a good
>> idea to
>> >have a mailserver configured to auto respond to a sender and notify them
>> >that a message sent contained a live virus infection?
>> Any virus or macro virus that is sent manually by the sender.
> I'll agree that is a particular email where it is good for a server to
> autorespond.
> However, that's not an answer to the question.
> A mailserver can't be configured to tell the difference between a manual
> send and an automated one, so your example is a single isolated email
> example. I'm asking for a situation where it's a good idea to configure
> your mailserver in such a manner, not a single message case.
> Real world, real mailserver, present time, realistic situation where it
> would be a good idea to have a server do this. (ie: how can you do it on an
> automated basis without inflicting casualties, and still reap some useful
> benefit.)

I'll give you several examples where it's worth notifying the sender of
a virus.

2784 instances of Gibe-F we had in December - the From: address is
forged but the sender address isn't.

a dozen or so people with no or very old a-v resulting in them having
word macro viruses. They attach an infected document and mail it here,
they get a wake-up call.

People e-mailing so called "Joke" programs to their mates - they're not
welcome here.

By my reckoning there are just over a dozen families of viruses that
fake the sender address. I don't see managing a list of that size to be
an issue. I would like to do my bit to reduce the quantity of malware
out there where I can.

I do agree though that too many people have run with the old default and
applaud Julian's move to change the default. I would, however, strongly
object to the removal of the code altogether just because some people
don't use it properly.

I am also mildly fascincated that outfits of the size of messagelabs
were sending virus reports to the "senders" of MyDoom....



Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

More information about the MailScanner mailing list