On 26 September 2003 at 10:08 AM, Bennett Todd <bet@rahul.net> wrote: <snip other issues with canonicalization> > Also, in this sort of setting at least, you need very different > handling of inbound -vs- outbound messages. Inbound messages get > repaired --- or broken, in the case of digital sigs --- and then > sent on to their intended internal recipient. Outbound traffic gets > canonicalized if necessary, with commentary, gets malware replaced > with "evil badness used to be here, I yanked it", then gets bounced > back to the internal sender. If there is malware in the message, why are you delivering it to the end user? Either discard it or reject it from real sender, so they know their machine is doing something bad. I think it's as - maybe more - important for hosts to be responsible senders than a responsible receivers. At the moment, for instance, one of my mailboxes is inundated with Swen/Gibe. My virus scanners are easily keeping up with and discarding the copies which arrive intact. This irritates me because of the extra time and bandwidth, but is a manageable issue. Swen/Gibe dies there, harmlessly. However, some idiot ISP is filtering just the bad attachment, and delivering the rest. So, instead of getting nothing, or getting something my system can easily detect as unwanted, I get semi-random, difficult to predict or filter junk, hundreds of them a day, swamping my mailbox. (I have to figure out how to get procmail to filter on zero-byte attachments. Haven't had the time.) Other idiot ISPs are letting me know that someone sent me Swen/Gibe and that they blocked the message. I have yet to make the postmaster at one of these sites understand how worthless that notification is on viruses which forge everything and send in such great quantity. With the sender disinfecting, it can't infect my machine any more - Swen/Gibe won't be bothering my Linux machine anyway - but they're making my mailbox just as difficult to use as if they were doing nothing. In another life I run an ISP. I run virus scanners on all incoming and outgoing messages. Viruses are rejected at SMTP time, and the messages are not delivered. If a real user is trying to send something which triggers a false positive, their mail client will show "550 Message appears to contain a virus" or something like that. I used to send notifications to the sender, and maintain a list of viruses which forge the "From" address to skip sending to those. However, pretty much every virus does that now, and I found I was unable to keep up with marinating that list, so I've disabled all the notifications. I think it's important that the messages containing junk be blocked as soon as possible, and generate no more traffic, or they are able to cause DoS and other mischief as collateral damage. While I've felt this for a while, I think it's even more important now with some of these new viruses able to generate such incredible quantities of mail so quickly.
