RE: kill incoming mail connection as soon as virus recognized?

From: Stephen Satchell (listfluent2.pyramid.net)
Date: Tue Sep 02 2003 - 12:00:12 CDT


At 12:03 PM 9/2/2003 -0400, Rob Hutton wrote:
>This is achievable using the proxy feature in the current snapshot. Read
>the Filter readme for a discussion.

What he wants is to interrupt the mail stream while it's in progress, and
reject the mail with a 5xx error code.

Nope. SMTP is *too* simple in that you aren't supposed to send a result
code until the final period, or an end-of-file indication from the sending
party. A valid implementation will see the broken pipe as a communication
failure, and reschedule the transmission for later, eating up even MORE
bandwidth.

Nope, you gotta listen to the whole thing, and let the bandwidth get eaten,
before sending back your 5xx status code to kill the mail off.

On the bright side, most virus payload is under 100 kB, and the point
where you can reliably sense a virus (as opposed to benign) payload is
pretty far down the message. If you are blocking all pif, scr, &c, though,
you do waste quite a bit of bandwidth, but MIME encoding is still one huge
message to the SMTP engine so you suck it up and then send the kiss-off.

Satch

--
"Using these toolkits is like trying to make a bookshelf out of mashed
potatoes." -- Jamie Zawinski, on X-Windows toolkits
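An added illustration of the constraint described in the post above (example code, not from the original thread or any product it mentions): a minimal receiving-side DATA handler that buffers the whole message, returns no reply code until the terminating "." line arrives, and only then answers 550 for a blocked attachment type. The sample message, the function names and the blocked-extension pattern are constructed for this example.

```python
import re

# Constructed sample of the DATA phase as the receiving MTA sees it after "354":
# headers, one MIME part carrying a .scr attachment, then the "<CRLF>.<CRLF>" terminator.
SAMPLE_DATA = (
    "From: sender@example.test\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    'Content-Type: application/octet-stream; name="readme.scr"\r\n'
    'Content-Disposition: attachment; filename="readme.scr"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\r\n"
    "..a dot-stuffed line, not the terminator\r\n"
    "--XYZ--\r\n"
    ".\r\n"
)

# Attachment extensions the post mentions blocking outright (pif, scr, and so on).
BLOCKED_EXT = re.compile(r'(?:filename|name)="[^"]*\.(?:pif|scr)"', re.IGNORECASE)

def chunked(data: bytes, size: int):
    """Yield the stream in segment-sized pieces, the way a server reads a socket."""
    for i in range(0, len(data), size):
        yield data[i:i + size]

def _unstuff(raw: bytes) -> str:
    """Undo SMTP dot-stuffing (RFC 5321 4.5.2): a leading '.' on a line is transport padding."""
    lines = raw.decode("latin-1").split("\r\n")
    return "\r\n".join(ln[1:] if ln.startswith(".") else ln for ln in lines)

def smtp_data_phase(chunks):
    """Consume DATA as the protocol demands: no reply code until the terminator.
    Returns (reply, bytes_read). reply is None when the client dropped the connection
    before the terminator; that is a transport failure, not a rejection, so a
    conforming sender queues the message and retries later."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        probe = b"\r\n" + buf                 # so an empty body (".\r\n" alone) also matches
        end = probe.find(b"\r\n.\r\n")
        if end == -1:
            continue                          # still mid-message: we must keep reading
        # Only now, with the whole message buffered, may we scan and answer.
        if BLOCKED_EXT.search(_unstuff(probe[2:end])):
            return "550 5.7.1 Message rejected: blocked attachment type", len(buf)
        return "250 2.0.0 Message accepted", len(buf)
    return None, len(buf)
```

The bytes_read value returned alongside the 550 is the whole message: the bandwidth is spent before the rejection can be sent, which is the point the post makes.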