
Re: [Asrg] enough about backscatter

2009-01-16 11:11:16
Rich Kulawiec wrote:
> On Sat, Jan 17, 2009 at 12:40:48AM +1200, Franck Martin wrote:
> > It is standard to do that at the end of DATA. And it is best to do it there
> > than later.
>
> Well, you can also do it much earlier.  I reject the overwhelming majority
> of mail (>95% of all rejections) before DATA, based on connecting IP,
> connecting IP's rDNS, putative sender, recipient, and so on.  "Reject
> early, reject often" is one way I've jokingly put it -- after all,
> once something has demonstrated that it's actively malicious, there's no
> point in even bothering to stick around for the data: 5XX it, hang up,
> and move on.

Well, you _could_ reject earlier, but not via a content-based filter,
such as ClamAV.

Secondly, there is occasionally a point in sticking around for data, even
if you've already decided you're not going to pass it through to the
recipient.  Your filter could be wrong, and allowing thru to end of DATA
permits you to quarantine, allow the user to see it if they wish via
per-user quarantine, and forward later if required.  Secondly, you can
derive useful information from the body (e.g. for other filtering, virus
forensics, samples for virustotal etc.).

The first "point" was mandated upon us - the "no lost email" rule.  We
could reject earlier, or even by firewall rule for some situations.
There are tricks with MXes that we've used to completely eliminate some
BOTs managing to connect to us at all.

But at present, we swallow everything thru to end-of-data.
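The thread contrasts two policies: rejecting at connect or envelope time once a host has shown itself malicious, versus accepting through end-of-DATA so that a possibly wrong content filter results in a quarantine rather than lost mail. The following is an added example (not code from either poster or from the ASRG list) that models an SMTP session as a sequence of stage checks with that split. All policy data (blocked IPs, rDNS suffixes, local recipients, the marker string the toy content filter looks for) is constructed placeholder data; `toy_content_filter` stands in for a real scanner such as ClamAV.

```python
"""Stage-by-stage SMTP policy: 5xx before DATA when the connecting host or
envelope already shows the session is bad; at end-of-DATA, quarantine instead
of rejecting so a wrong content verdict never loses mail.
Added example with constructed policy data, not code from the ASRG thread."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Action(Enum):
    ACCEPT = "accept"
    REJECT_5XX = "reject-5xx"   # permanent rejection: reply 5xx, hang up, move on
    QUARANTINE = "quarantine"   # accepted at end-of-DATA but held for per-user review


# Constructed policy data (placeholders, not real threat intelligence).
BLOCKED_IPS = {"192.0.2.10"}                    # hosts already seen actively malicious
BAD_RDNS_SUFFIXES = (".dynamic.example.net",)   # generic dynamic-pool reverse DNS
LOCAL_RECIPIENTS = {"alice@example.org", "bob@example.org"}


@dataclass
class Session:
    ip: str
    rdns: Optional[str]
    mail_from: str
    rcpt_to: str
    data: bytes = b""
    log: List[Tuple[str, Action, str]] = field(default_factory=list)


def check_connect(s: Session) -> Tuple[Action, str]:
    """Connect-stage checks: connecting IP and its reverse DNS."""
    if s.ip in BLOCKED_IPS:
        return Action.REJECT_5XX, "550 connecting IP is listed"
    if s.rdns is None or s.rdns.endswith(BAD_RDNS_SUFFIXES):
        return Action.REJECT_5XX, "550 reverse DNS does not meet policy"
    return Action.ACCEPT, "220 ready"


def check_envelope(s: Session) -> Tuple[Action, str]:
    """MAIL FROM / RCPT TO checks: putative sender and recipient."""
    if s.mail_from and "@" not in s.mail_from:
        return Action.REJECT_5XX, "501 malformed sender"
    if s.rcpt_to.lower() not in LOCAL_RECIPIENTS:
        return Action.REJECT_5XX, "550 no such user"
    return Action.ACCEPT, "250 ok"


def toy_content_filter(body: bytes) -> Optional[str]:
    """Stand-in for a content scanner; flags a constructed marker string only."""
    if b"X-CONSTRUCTED-MALWARE-MARKER" in body:
        return "constructed-test-marker"
    return None


def check_data(s: Session, content_filter: Callable[[bytes], Optional[str]]) -> Tuple[Action, str]:
    """End-of-DATA check. Content-based filters can only run here, and because
    they can be wrong the 'no lost email' rule turns a hit into a quarantine."""
    verdict = content_filter(s.data)
    if verdict is None:
        return Action.ACCEPT, "250 queued"
    return Action.QUARANTINE, "250 queued (quarantined: %s)" % verdict


def run_session(s: Session, content_filter=toy_content_filter) -> Tuple[str, Action, str]:
    """Walk the stages in order and stop at the first rejection.
    Returns (stage, action, smtp_reply) for the decision that ended the session."""
    for stage, check in (("connect", check_connect), ("envelope", check_envelope)):
        action, reply = check(s)
        s.log.append((stage, action, reply))
        if action is Action.REJECT_5XX:
            return stage, action, reply
    action, reply = check_data(s, content_filter)
    s.log.append(("data", action, reply))
    return "data", action, reply


def rejection_stage_counts(sessions) -> dict:
    """How many sessions were 5xx'd before DATA versus quarantined or accepted at DATA."""
    counts = {"pre-data-reject": 0, "data-quarantine": 0, "data-accept": 0}
    for s in sessions:
        stage, action, _ = run_session(s)
        if action is Action.REJECT_5XX:
            counts["pre-data-reject"] += 1
        elif action is Action.QUARANTINE:
            counts["data-quarantine"] += 1
        else:
            counts["data-accept"] += 1
    return counts


if __name__ == "__main__":
    samples = [
        Session("192.0.2.10", "mx.example.com", "a@example.com", "alice@example.org"),
        Session("198.51.100.5", "host1.dynamic.example.net", "a@example.com", "alice@example.org"),
        Session("198.51.100.6", "mx.example.com", "a@example.com", "nobody@example.org"),
        Session("198.51.100.7", "mx.example.com", "a@example.com", "bob@example.org",
                b"Subject: hi\r\n\r\nX-CONSTRUCTED-MALWARE-MARKER\r\n"),
        Session("198.51.100.8", "mx.example.com", "a@example.com", "bob@example.org", b"hello\r\n"),
    ]
    for s in samples:
        print(run_session(s))
    print(rejection_stage_counts(samples))
```

The design point is in `check_data`: content verdicts are advisory, so the session still ends in `250` and the message lands in a per-user quarantine that can be released later, while the connect and envelope stages are the only places that hand out a `5xx`. Swapping `toy_content_filter` for a real scanner changes nothing about that split.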