On Wed, 28 Jan 2004, Thomas Zehetbauer wrote: > 1.2.1.) Standardization > To allow filtering of these messages they should always carry the text > 'possible virus found' in the subject optionally extended by the name of > the virus or the test conducted (eg. heuristics). Delivery Status Notification (RFC 1894) has many disadvantages but IMHO it is still better than Yet Another Idiosyncratic Ad-hoc Format. > 1.1.2.) Original Message > The notification should never include the original message sent as > otherwise it may send the worm/virus to a previously unaffected third > party or re-infect a system that has already been cleaned. Notifications, if they are sent at all, should always include at least the headers of the original message. (Anyway, people removing a piece of malware from their computer without taking any steps to prevent future infections (at least reinfections by the same kind of malware) *deserve* to be reinfected.) > 3.2.) Disconnect > Providers should grant their customers some grace period to clean their > infection and should thereafter be disconnected entirely or filtered > based on protocol (eg. outgoing SMTP) or content (eg. transparent > smarthost with virus scanner) until they testify that they have cleaned > their system. Infected hosts should be blocked/disconnected immediately. A filter set up several hours after the fact (I suppose any reasonable "grace period" would have to be at least several hours long) is pointless because a typical 21st century fast spreading worm has already had enough time to attack everyone in its vicinity. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
