Antivirus for (mailservers on) FreeBSD
Brad Knowles
brad.knowles at skynet.be
Fri Jun 13 11:23:40 PDT 2003
At 10:47 PM -0400 2003/06/12, Bill Moran wrote:
> Here you are saying that spam filtering is the same as malware filtering.
> Or, at least, that's the best I can understand what you've written.
Actually, I was thinking about doing anti-malware scanning on
outgoing e-mail as opposed to anti-spam scanning, but now that I
think about it some more, I think the statement still holds true.
If one of your users spams a whole bunch of people on the 'net,
what with the net anti-spam laws coming out that allow the recipients
to file lawsuits for $1000 damages per spam (or whatever), and the
fact that they're much more likely to get their money from a company
(i.e., you) as opposed to a single individual, you are highly likely
to be named as a co-defendant in their suit, if nothing else.
So, yes. You need to do anti-malware *AND* anti-spam scanning on
all incoming and outgoing e-mail.
> Notifying senders is spam. Most newer malware sends emails with random
> "From" addresses, lifted from the user's address book or elsewhere. If you
> send notifications to the "From" email, you're simply contributing to the
> spam problem.
Some does, some doesn't. This is why you need to have
intelligent scanning tools that not only detect whether this is
incoming versus outgoing e-mail, but also check to see if the claimed
sender address is internal or not.
> Unfortunate, but true. The only reliable way to notify the correct person
> is to parse the received headers for the originating server's IP and look up
> the abuse address for that machine and report to it. I use spamcop for that.
You can't trust the headers. The only thing you can trust is the
information you collect yourself, namely the machine that sent the
spam to you. That needs to be your ultimate guide for what you do
with the machine, if all else fails.
> Hell ... notifying recipients is usually spam. Most people don't care that
> the server blocked an infected email. Your boss might be impressed to get
> lots of emails showing what a good job your malware filter is doing, but if
> you need to do that for your boss to appreciate you, look for other work.
Most people want to get periodic reports, if not notified for
every blocked message. They might also want to have the messages
held in a queue for a period of time, long enough for them to see the
reports and go take some action to cause a message to get un-stuck,
in case it was accidentally flagged and stopped.
--
Brad Knowles, <brad.knowles at skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
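The rules argued over in this thread (classify direction from the connecting machine rather than from headers, notify the claimed sender only when the message really came from an internal user, otherwise hold it and report it in a periodic digest) can be expressed as a small gateway policy. The following Python is an added illustration written for this archive page, not code from Brad Knowles, Bill Moran or any FreeBSD project; the networks, domains, message ids and sample traffic are constructed, and the `Message` structure and `decide`/`digest` functions are hypothetical names chosen here.

```python
"""Notification policy for a mail-gateway spam/malware filter (added example).

Decision rules, following the discussion above:
  * direction is decided from the peer IP of the SMTP session, the one fact
    the gateway observed itself, never from Received headers;
  * a blocked message notifies its claimed sender only when it is outgoing
    AND the claimed sender is one of our own addresses;
  * everything else is quarantined, the postmaster is told, and the
    connecting IP is the only thing reported; recipients get a digest.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed policy data: networks treated as "inside" and our own domains.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}


@dataclass
class Message:
    msg_id: str
    connecting_ip: str      # peer address of the SMTP session, seen by the gateway
    envelope_from: str      # MAIL FROM as claimed by the client
    recipients: list[str]
    verdict: str            # "clean", "spam" or "malware" from the scanner


def direction(msg: Message) -> str:
    """Classify by the connecting IP, not by anything in the message."""
    ip = ipaddress.ip_address(msg.connecting_ip)
    return "outgoing" if any(ip in net for net in INTERNAL_NETS) else "incoming"


def sender_is_internal(msg: Message) -> bool:
    """True if the claimed envelope sender belongs to one of our domains."""
    addr = msg.envelope_from.strip("<>").lower()
    if "@" not in addr:          # null sender (bounces) or garbage
        return False
    return addr.rsplit("@", 1)[1] in INTERNAL_DOMAINS


def decide(msg: Message) -> dict:
    """Return the action and who, if anyone, is told about a blocked message."""
    result = {"action": "deliver", "notify_sender": False,
              "notify_postmaster": False, "quarantine": False,
              "report_ip": None, "reason": ""}
    if msg.verdict == "clean":
        return result
    result.update(action="quarantine", quarantine=True, notify_postmaster=True)
    dirn = direction(msg)
    if dirn == "outgoing" and sender_is_internal(msg):
        # Our own user on our own network: telling them is useful, not backscatter.
        result.update(notify_sender=True,
                      reason="internal user sent %s; notify them" % msg.verdict)
    elif dirn == "outgoing":
        # Inside host using an outside sender address: claimed sender is not told,
        # the host itself is what needs looking at.
        result.update(report_ip=msg.connecting_ip,
                      reason="internal host %s used external sender; check host"
                      % msg.connecting_ip)
    else:
        # Incoming: the sender address is very likely forged, so no notification;
        # the peer that delivered it is the only trustworthy fact.
        result.update(report_ip=msg.connecting_ip,
                      reason="incoming %s from %s; claimed sender not notified"
                      % (msg.verdict, msg.connecting_ip))
    return result


def digest(quarantined: list[Message], recipient: str) -> list[str]:
    """Lines of a periodic report for one recipient, listing held messages by
    id so a false positive can be requested for release."""
    return ["%s held (%s) claimed-from=%s peer=%s"
            % (m.msg_id, m.verdict, m.envelope_from, m.connecting_ip)
            for m in quarantined if recipient in m.recipients]


# Constructed sample traffic.
SAMPLES = [
    Message("m1", "192.0.2.10", "alice@example.com", ["bob@remote.test"], "malware"),
    Message("m2", "198.51.100.7", "alice@example.com", ["carol@example.com"], "malware"),
    Message("m3", "10.3.4.5", "someone@outside.test", ["dave@example.com"], "spam"),
    Message("m4", "198.51.100.9", "<>", ["carol@example.com"], "clean"),
]

if __name__ == "__main__":
    held = []
    for m in SAMPLES:
        d = decide(m)
        print(m.msg_id, d["action"], d["reason"])
        if d["quarantine"]:
            held.append(m)
    for line in digest(held, "carol@example.com"):
        print(line)
```

Sample m2 is the case the thread is really about: the envelope sender claims to be an internal user, but the session came from an outside address, so the policy refuses to notify that "sender" and records only the peer IP. A real gateway would also write the quarantine to disk and expire entries after the reporting period.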