Re: RFC: virus handling

[Pavel Kankovsky <peak () argo troja mff cuni cz>]

On Wed, 28 Jan 2004, Thomas Zehetbauer wrote:

> 1.2.1.) Standardization
> To allow filtering of these messages they should always carry the text
> 'possible virus found' in the subject optionally extended by the name of
> the virus or the test conducted (eg. heuristics).

Delivery Status Notification (RFC 1894) has many disadvantages but IMHO it
is still better than Yet Another Idiosyncratic Ad-hoc Format.

> 1.1.2.) Original Message
> The notification should never include the original message sent as
> otherwise it may send the worm/virus to a previously unaffected third
> party or re-infect a system that has already been cleaned.

Notifications, if they are sent at all, should always include at least the
headers of the original message.

(Anyway, people removing a piece of malware from their computer without
taking any steps to prevent future infections (at least reinfections by
the same kind of malware) *deserve* to be reinfected.)

> 3.2.) Disconnect
> Providers should grant their customers some grace period to clean their
> infection and should thereafter be disconnected entirely or filtered
> based on protocol (eg. outgoing SMTP) or content (eg. transparent
> smarthost with virus scanner) until they testify that they have cleaned
> their system.

Infected hosts should be blocked/disconnected immediately. A filter set up
several hours after the fact (I suppose any reasonable "grace period"
would have to be at least several hours long) is pointless because a
typical 21st century fast spreading worm has already had enough time to
attack everyone in its vicinity.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."