Security Basics mailing list archives
RE: Worm.SCO.A (W32/Mydoom@MM)
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 28 Jan 2004 10:24:31 -0800
> No, NDR = Non Delivery Report. That has nothing to do with anti-virus, it is a normal function of RFC-compliant email systems.
If you read my previous email, I was conceding your point. Further email on this point is fruitless.
> Anti-virus notification means an email it believes you sent was infected. Most anti-virus software delivers the email anyway with the attachment stripped off and replaced by a notice. So NDR does not even remotely come into the picture with most anti-virus because the email is still delivered.

Though I conceded that last point, I have to stand my ground here. In the early days of email-borne viruses this was true. In those cases the virus just tagged itself onto an outbound email, and the message itself could have been useful. But with the fast-spreading worms and Trojans of today the email message itself is useless and thus dropped. I know no admin personally who keeps the virus email message and passes it on to the recipient. That is unnecessary and causes more traffic that the end user doesn't need to see. If you believe in that point you might as well pass all the spam on to them as well. The same goes for notifications of spam and virus blocking: the recipient doesn't need to be notified that the action occurred unless they can do something about it; most of the time you just notify the sender.
> Turning off NDR on SMTP is contrary to RFC if I'm not mistaken, at the very least not considered a properly configured email system.
It would. Turning off *e-mail* NDRs violates RFC-2524 and turning off SMTP NDRs violates RFC-2821.
> While annoying in this case, it is not the proper action to turn off all NDR, which is what you would be doing by turning it off at the SMTP or MTA.
Agreed, but while the virus uses a spoofed email address, the indiscriminate use of anti-virus notifications is counterproductive to the whole. While I received 600 viruses, I received well over twice that in NDRs and anti-virus notifications. Unless systems can compare the sending address (@ domain definition) to the actual sending MX, the NDRs, both AV and MTA, are counterproductive during a virus outbreak.
> Anti-virus software is not the SMTP or MTA, it is usually a gateway software in front of or behind your transport system. Some are also a mail store scanner. They are 2 completely separate pieces of software and functions. NDR applies to SMTP, notification applies to anti-virus.
Agreed, it was an indiscriminate use of incorrect terminology, but again I conceded this point. AV NDRs = Anti-Virus Notifications. This was a correction of terminology; I wasn't arguing with you. In this day and age NDRs *are* useful, but anti-virus *notifications* are becoming superfluous, unless they start comparing the sender's information with the sending MX.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338 (800) 325-1199 x338
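The check Shawn asks for above (compare the claimed sender's domain with the MTA that actually connected before emitting any notification), together with the in-session rejection that avoids generating a bounce at all, as an added Python example that is not part of this thread or of any product mentioned in it. The `AUTHORIZED_SENDERS` table is a constructed stand-in for the MX/SPF lookup a real gateway would perform, and every address and IP in it is hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for the DNS lookup a real gateway would do (MX or SPF
# records) to learn which hosts may send mail for a domain. Hypothetical data.
AUTHORIZED_SENDERS: Dict[str, Set[str]] = {
    "example.com": {"198.51.100.10", "198.51.100.11"},
    "example.net": {"203.0.113.5"},
}


@dataclass
class Message:
    envelope_sender: str  # MAIL FROM address claimed by the connecting client
    client_ip: str        # IP of the MTA that actually connected to us
    infected: bool        # verdict from the gateway scanner (constructed)


def sender_domain(address: str) -> Optional[str]:
    """Return the domain part of an address, or None if it is malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def sender_is_plausible(msg: Message) -> bool:
    """True only when the connecting MTA is one the sender's domain publishes."""
    domain = sender_domain(msg.envelope_sender)
    if domain is None or domain not in AUTHORIZED_SENDERS:
        return False
    return msg.client_ip in AUTHORIZED_SENDERS[domain]


def decide(msg: Message, in_session: bool) -> str:
    """Action a gateway should take for one message.

    reject-in-session: infected and the sending MTA is still connected, so a
                       5xx reply leaves any bounce to that MTA; we emit nothing.
    drop-silently:     infected, already accepted, and the client does not match
                       the claimed domain: a notification would be backscatter.
    notify-sender:     infected, already accepted, sender verified.
    deliver:           clean.
    """
    if not msg.infected:
        return "deliver"
    if in_session:
        return "reject-in-session"
    if sender_is_plausible(msg):
        return "notify-sender"
    return "drop-silently"
```

A message from a worm forging `user@example.com` but delivered from an unrelated host therefore gets no notification, while the same sender from one of the domain's published hosts still does.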