
Re: per user post-data rejects, Processing after the end of DATA

2010-08-12 23:53:49

John Levine wrote:
"Spam" filters might include virus scanning, too, and the false
positive rates on virus scanning have gotten totally out of hand in
the past year or so.

I believe you, but what kind of AV is going to decide it's a virus for
one recipient but not for the other?

An AV that's configured with different rules for different recipients. Unlikely in firewall/appliance or in a departmental MTA; painfully common in hosted / cloud computing.

For example, a hosted security suite might use multiple AV engines, some of which work in real time and others that require offline processing. The real-time filter is more prone to false positives, but can reject at the SMTP layer. The offline one is more accurate, but is noticeably slower, has lower privacy guarantees, and must deliver to quarantine (cannot reject, must not NDN).

So: the customer decides that those users who require strict privacy, or who are stupid enough to hurt themselves by delivering a live virus from quarantine, get the real-time filter. The more sophisticated users get the better filter, particularly if they've been incentivized to use it because it generates signatures that can improve the accuracy of the real-time filter.

If I could have coded the above, I would have. But I couldn't figure out a way to make it work. Compromise: put everything in quarantine, but only allow users with administrative privileges the ability to deliver from quarantine.

Actually, cloud computing is going to be weighing more and more on these issues.

IMHO, users stupid enough to download and run a self-extracting zip that was flagged in Large, Unfriendly Letters as malware deserve what they get. But I get paid to not think that way. ;-)
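
An added sketch, not part of the original message or any product's code, of the constraint behind this thread: SMTP returns one reply after the end of DATA that covers every accepted recipient, so a per-recipient reject is only possible when all recipients share the rejecting policy. The policy names, the `Recipient` type, the disposition strings and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

REALTIME, OFFLINE = "realtime", "offline"   # assumed per-recipient policy names

@dataclass(frozen=True)
class Recipient:
    address: str
    policy: str            # REALTIME or OFFLINE
    is_admin: bool = False

def end_of_data_decision(recipients, realtime_flagged):
    """Return (smtp_reply, {address: disposition}) for one SMTP transaction.

    The reply after end of DATA is a single status for all accepted
    recipients, so a reject is only possible when every recipient wants it.
    """
    if not recipients:
        raise ValueError("no accepted recipients")
    all_realtime = all(r.policy == REALTIME for r in recipients)
    if realtime_flagged and all_realtime:
        # Everyone is on the real-time filter: safe to refuse at SMTP time.
        return ("550 5.7.1 message rejected by content filter",
                {r.address: "reject" for r in recipients})
    dispositions = {}
    for r in recipients:
        if r.policy == OFFLINE:
            # Offline engine: accept now, scan later, quarantine on a hit.
            dispositions[r.address] = "offline-scan"
        elif realtime_flagged:
            # Mixed transaction: cannot reject for this recipient alone and
            # must not bounce later, so the only option left is quarantine.
            dispositions[r.address] = "quarantine"
        else:
            dispositions[r.address] = "deliver"
    return ("250 2.0.0 message accepted", dispositions)

def can_release(recipient):
    """The compromise from the message: only admins deliver from quarantine."""
    return recipient.is_admin

# Constructed sample recipients (example.org addresses are placeholders).
alice = Recipient("alice@example.org", REALTIME)
bob = Recipient("bob@example.org", OFFLINE)
root = Recipient("postmaster@example.org", OFFLINE, is_admin=True)

if __name__ == "__main__":
    for rcpts in ([alice], [alice, bob], [bob, root]):
        print(end_of_data_decision(rcpts, realtime_flagged=True))
```
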

