On Jan 15, 2009, at 9:12 AM, David Wilson wrote:
> On Wed, 2009-01-14 at 13:58 -0500, Chris Lewis wrote:
>> I think you have an overly narrow definition of viruses -
>> specifically, emails that carry malicious executables _directly_.
>> The trap demonstrates that, at times, you'll see up to 50% of its
>> entire flow is viral in the sense of, for example, links to
>> malicious files.
>
> What I am talking about is messages for which the content is
> reported by AV software as being infected. The probability that such
> a message is not harmful is likely to be very, very small. A system
> should behave responsibly with such a message, and not risk sending
> it in a bounce message anywhere. Rejecting it might result in the
> generation of such a bounce, if you have received the message from
> an intermediate MTA.

Chris Lewis made excellent points about low detection rates with
today's highly polymorphic threats. Some providers in emerging
markets are transparently intercepting traffic in a store-and-forward
mode, and then bounce rejections. Those bouncing the message should
adhere to RFC 3464, use the top-level content type of multipart/report,
and then minimize the amount of original content. This makes
NDNs less inviting as a method to distribute spam, creates less danger
with respect to malware, and lowers the chances of being identified as
a source of spam. False positives can still be determined by the
sender, but better MUA automation for locating original messages would
be helpful.
-Doug
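Added example, not from this thread or any of its posters: a Python script using the standard `email` package to build the kind of bounce the post above recommends, an RFC 3464 DSN whose top-level type is multipart/report and whose third part returns only the original message's headers (text/rfc822-headers), so an infected body is never echoed back. The function name `build_minimal_dsn`, the hostnames and addresses, and the sample message are all constructed for the example.

```python
"""Minimal RFC 3464 delivery status notification (DSN) builder.

Shape: multipart/report; report-type=delivery-status, containing
  1. a human-readable text/plain explanation,
  2. a machine-readable message/delivery-status part,
  3. text/rfc822-headers with the original *headers only*.
Dropping the original body keeps an AV-flagged payload out of the NDN.
"""
import email
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate, make_msgid


def build_minimal_dsn(original, recipient, reporting_mta, diagnostic):
    """Return a DSN (as RFC 5322 text) for the raw message `original`."""
    orig = email.message_from_string(original)

    # RFC 3464 section 2: multipart/report with report-type=delivery-status.
    # add_header() turns the underscore in the keyword into a hyphen.
    dsn = MIMEMultipart('report', report_type='delivery-status')
    dsn['From'] = 'Mail Delivery System <MAILER-DAEMON@%s>' % reporting_mta
    dsn['To'] = orig.get('From', '')   # on the wire, send with MAIL FROM:<>
    dsn['Subject'] = 'Undelivered Mail Returned to Sender'
    dsn['Date'] = formatdate(localtime=False)
    dsn['Message-ID'] = make_msgid(domain=reporting_mta)

    # Part 1: say why, without quoting any of the original content.
    dsn.attach(MIMEText(
        'The message to <%s> was rejected by %s.\nReason: %s\n\n'
        'Only the original headers are returned below.\n'
        % (recipient, reporting_mta, diagnostic), 'plain'))

    # Part 2: message/delivery-status. Its body is a per-message field
    # group followed by a per-recipient group; the email package models
    # each group as a headers-only Message object.
    per_message = Message()
    per_message['Reporting-MTA'] = 'dns; %s' % reporting_mta
    per_message['Arrival-Date'] = orig.get('Date', dsn['Date'])
    per_recipient = Message()
    per_recipient['Final-Recipient'] = 'rfc822; %s' % recipient
    per_recipient['Action'] = 'failed'
    per_recipient['Status'] = '5.7.1'   # delivery not authorized
    per_recipient['Diagnostic-Code'] = 'smtp; 550 5.7.1 %s' % diagnostic
    status = MIMEBase('message', 'delivery-status')
    del status['MIME-Version']          # only meaningful at the top level
    status.set_payload([per_message, per_recipient])
    dsn.attach(status)

    # Part 3: original headers only. RFC 3464 permits text/rfc822-headers
    # in place of message/rfc822; nothing from the body is copied.
    header_block = ''.join('%s: %s\n' % (k, v) for k, v in orig.items())
    dsn.attach(MIMEText(header_block, 'rfc822-headers'))
    return dsn.as_string()


def describe_dsn(dsn_text):
    """Return (top-level type, report-type, [part content types])."""
    parsed = email.message_from_string(dsn_text)
    return (parsed.get_content_type(), parsed.get_param('report-type'),
            [p.get_content_type() for p in parsed.get_payload()])


def returns_original_body(dsn_text, original):
    """True if any non-empty body line of `original` leaked into the DSN."""
    body = email.message_from_string(original).get_payload()
    return any(line and line in dsn_text for line in body.splitlines())


# Constructed sample standing in for a message that AV software flagged;
# the body marker lets a caller prove the body was not echoed back.
SAMPLE_ORIGINAL = (
    'From: sender@example.org\n'
    'To: victim@example.net\n'
    'Subject: invoice\n'
    'Date: Wed, 14 Jan 2009 13:58:00 -0500\n'
    'Message-ID: <constructed-1@example.org>\n'
    '\n'
    'ORIGINAL-BODY-MARKER pretend this line is an infected attachment\n'
)

if __name__ == '__main__':
    out = build_minimal_dsn(SAMPLE_ORIGINAL, 'victim@example.net',
                            'mx.example.net',
                            'message content reported as infected')
    print(out)
    print('body leaked:', returns_original_body(out, SAMPLE_ORIGINAL))
```

The sender still gets enough to identify the message (Message-ID, Subject, Date) and to decide whether the rejection was a false positive, which is the trade-off the post describes; what the bounce no longer carries is anything a third party could be tricked into relaying.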
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg