Re: [Exim] Re: the Klez virus

Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] Re: the Klez virus
On Fri, May 10, 2002 at 12:48:12PM +0200, Tom Kistner wrote:
> On Fri, May 10, 2002 at 11:36:45AM +0100, Matthew Byng-Maddick
>     (exim@???) wrote:

[>> Tom Kistner wrote:]
> > Well, indeed. That wasn't the point. The point is that I can crash your
> > mailserver with something like that.
> Yes, maybe you can. I said I agree on that. You even quoted me:
> > > I agree that there may be the possibility of DoS with such files, but that
> > > will depend on the scanner used, not on exiscan. Most
> > > scanners (like uvscan) have no problems with such ill-formatted files.


Yes, and crashing your mailserver is a serious problem.

> > It's not "ill-formatted". That's kind of the point. And anyway, you were
> > kind of missing the entire point of my post.
> Nope. I even said that I understand your point, however I
> do not necessarily agree with your conclusion.


Except that you are showing quite clearly that you're missing it by some
fairly large distance.

Since you haven't yet searched the archives for what I'm talking about,
have a look at my discussion with Marc from VA software on his original
SpamAssassin local_scan function. You may note the problem of duplicate
mail, and the discussion on timeouts and not wasting time needlessly at
that point.

> > > For me, SMTP dialogue time AV scanning works perfectly, and it does
> > > so for a lot of other people.
> > Well, I hope that you understand the risk you're taking, and I hope you
> > never have either (a) a heavily loaded mail server, (b) a heavily loaded
> > link to the internet or (c) a link that's having packet dropping problems,
> > because if you get any of these, then you are highly likely to get
> > duplicate mail.
> (b) and (c) are non-issues. Connection speed is not the problem. CPU and
> I/O speed is, however.


Since you seem NOT to understand the problem I'm discussing, I'd claim
you haven't the first clue what you're talking about, and have missed
my entire point.

My point is *ABSOLUTELY* to do with the time it takes to deliver mail,
nothing more, nothing less.

> (a) is legit, but when I get load problems AND want to do AV scanning,
> I just throw more hardware at it.


Useful.

> > I keep being scared at the general lack of understanding of SMTP by
> > supposed mail admins on this list.
> I understand both SMTP and your concerns, but in my environment, my AV
> scanning approach has been working perfectly on several servers for 1 1/2
> years, so why should I care ?


I'm not convinced you do. "Why should I care?" is a very silly argument in
the modern world - after all, "Why should I care that my mail server is
relaying for anyone who asks it to?" "Why should I care that I've got
addresses from people's webpages, and am using it to send my announcements
to?" "Why should I care that my email server is dropping bounces, after all
bounces are spam and no one reads them anyway?" "Why should I care that my
server has an '_' in its HELO name, it works for me, you must be broken?"

None of these arguments stand up at all, IMO, so "it works for me, there's
a case where it breaks but just because I haven't seen it yet, I'm now
convinced it can't happen" seems to me to be pretty foolish from anyone
who has even the remotest idea of what they're talking about. Since you
claim to understand SMTP, you obviously understand about the points of the
protocol where weirdnesses can happen, except that your emails have failed
to make it clear that you have even the remotest knowledge of the problems
to which I am referring.

> Just because someone has a syntactically correct, but completely useless ZIP
> file ? Come on.


*                                                                         *
Point                                                           Tom Kistner


MBM

--
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/