Security Basics mailing list archives

RE: Worm.SCO.A (W32/Mydoom@MM)


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 28 Jan 2004 10:24:31 -0800

No, NDR = Non Delivery Report. That has nothing to do with anti-virus; it is a normal function of RFC-compliant email systems.

If you read my previous email, I was conceding to your point. Further email on this point is fruitless.

Anti-virus notification means an email it believes you sent was infected. Most anti-virus software delivers the email anyway with the attachment stripped off and replaced by a notice. So NDR does not even remotely come into the picture with most anti-virus, because the email is still delivered.

Though I conceded that last point, I have to stand my ground here. In the early days of email-borne viruses this was true. In those cases it just tagged itself onto an outbound email and the message itself could have been useful. But with the fast-spreading worms and Trojans of today, the email message itself is useless and thus dropped. I know no admin personally who keeps the virus email message and passes it on to the recipient, which is unnecessary and causes more traffic that the end user doesn't have to see. If you believe in that point, you might as well pass all the spam on to them as well. The same goes for notifications of spam and virus blocking: the recipient doesn't need to be notified that the action occurred unless they can do something about it; most of the time you just notify the sender.

Turning off NDR on SMTP is contrary to RFC if I'm not mistaken, or at the very least not considered a properly configured email system.

It would. Turning off *e-mail* NDRs violates RFC 2524 and SMTP NDRs violates RFC 2821.

While annoying in this case, it is not the proper action to turn off all NDR, which is what you would be doing by turning it off at the SMTP or MTA.

Agreed, but while the virus uses a spoofed email address, the indiscriminate use of anti-virus notifications is counterproductive to the whole. While I received 600 viruses, I received well over twice that in NDRs and anti-virus notifications. Unless systems can compare the sending address (@ domain definition) to the actual sending MX, the NDRs, both AV and MTA, are counterproductive during a virus outbreak.

Anti-virus software is not the SMTP or MTA; it is usually gateway software in front of or behind your transport system. Some are also mail store scanners. They are two completely separate pieces of software and functions. NDR applies to SMTP, notification applies to anti-virus.

Agreed, it was an indiscriminate use of incorrect terminology, but again I conceded this point. AV NDRs = anti-virus notifications. This was a correction of terminology; I wasn't arguing with you.

In this day and age NDRs *are* useful, but anti-virus *notifications* are becoming superfluous, unless they start comparing the sender's information with the sending MX.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
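The check Shawn proposes in the message above, comparing the envelope sender's domain against the host that actually delivered the message before deciding whether a "you sent us a virus" notification is worth sending, as an added worked example (not code from the original post or from any product mentioned in it). The MX table, the gateway events and the function names are constructed for illustration; a real gateway would resolve the domain's mail hosts via DNS.

```python
"""Decide whether an anti-virus gateway should notify the envelope sender.

Added example, not code from the original post. Applies the rule proposed
in the thread: only notify when the message came from a host that the
sender's own domain advertises for mail, and never notify the null sender.
"""
import ipaddress

# Constructed lookup table (domain -> addresses of its advertised mail hosts).
# Stands in for a DNS MX lookup so the example runs offline.
MX_TABLE = {
    "example.com": ["192.0.2.10", "192.0.2.11"],
    "example.net": ["198.51.100.25"],
}


def sender_domain(envelope_from):
    """Return the domain of an SMTP MAIL FROM address, lower-cased.

    Returns None for the null reverse-path "<>" (bounces, NDRs) and for
    addresses without a domain part.
    """
    addr = envelope_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "" or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def connecting_host_is_mx(domain, connecting_ip, mx_table=MX_TABLE):
    """True if the peer that delivered the message is one of the domain's
    advertised mail hosts (per the constructed table above)."""
    ip = ipaddress.ip_address(connecting_ip)
    return any(ipaddress.ip_address(h) == ip for h in mx_table.get(domain, []))


def should_notify_sender(envelope_from, connecting_ip, mx_table=MX_TABLE):
    """Send an AV notification only when it has a realistic chance of
    reaching the real author: non-null sender, delivered by a host the
    sender's domain advertises. A spoofed From: on a worm-infected PC
    fails the second test, so no backscatter is generated."""
    domain = sender_domain(envelope_from)
    if domain is None:
        return False  # RFC 2821 3.7: never send notifications back to <>
    return connecting_host_is_mx(domain, connecting_ip, mx_table)


def triage(events, mx_table=MX_TABLE):
    """Split gateway events into (notify, suppress) lists."""
    notify, suppress = [], []
    for ev in events:
        target = notify if should_notify_sender(ev["mail_from"], ev["peer"], mx_table) else suppress
        target.append(ev)
    return notify, suppress


# Constructed sample events: one genuine sender, one Mydoom-style spoofed
# sender delivered straight from an infected PC, and one bounce.
SAMPLE_EVENTS = [
    {"mail_from": "<alice@example.com>", "peer": "192.0.2.10"},   # real MX host
    {"mail_from": "<bob@example.com>", "peer": "203.0.113.77"},   # spoofed, infected PC
    {"mail_from": "<>", "peer": "198.51.100.25"},                 # NDR, null sender
]

if __name__ == "__main__":
    to_notify, to_suppress = triage(SAMPLE_EVENTS)
    print(f"notify: {len(to_notify)}  suppress: {len(to_suppress)}")
```

One caveat a practitioner would add: MX records name a domain's inbound hosts, so legitimate mail relayed through a separate outbound host would also be suppressed by this heuristic. SPF (RFC 7208) was designed to answer exactly the "is this host allowed to send for this domain" question and is what a gateway would consult today; the null-sender rule, however, applies regardless.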
