[Esa-l] Outgoing Mail

Brent Wallis brent.w at infosynergy.com.au
Tue Aug 14 01:37:42 PDT 2001

There is also a point here being missed.
Management! (that's management from the "suits" angle)
Having a scanner in there for in and outgoing mail enables a "policy" to be
In a large system of users...1000 plus (or even small numbers like 15),
expecting each and every one to update their AV would have to be
"optimistic".....I have yet to see an organisation that is able to place
their hands on their heart and swear that they KNOW that every user's AV is
up to date.

The days of the "Nazi" Sysadmin are slowly fading....being able to direct a
secure policy at one point like the scanner has major advantages....

In my own experience, every place that John's scanner has been enabled
experiences a drop in unexpected Winblows errors.....more than likely due to
the fact that most "joke" email is blocked(...yes I poison exe's cos no one
yet has given a reason why an executable would need to be attached to a
business email)....blocking the "jokes" from going out is just a part of
being a good netizen...;-)

Now to go and clear 100s of access_logs of Code Red GET
Brent Wallis

-----Original Message-----
From: esa-l-admin at spconnect.com [mailto:esa-l-admin at spconnect.com]On
Behalf Of Hisashi T Fujinaka
Sent: Tuesday, August 14, 2001 6:17 PM
To: Lee Howard
Cc: Floyd Pierce; esa-l at spconnect.com
Subject: RE: [Esa-l] Outgoing Mail

If you're calling other people wrong for being careful, you're being naive
if not stupid.

Consider a certain large chip manufacturer who had the same feeling you
do. They can download patches to their users when the users log on. They
thought their filtering rules on their internet firewall were good
enough to keep the users from getting infected.

Many of the users are called "road warriors" who carry laptops home or,
more usually, on their many business trips. All a user has to do is to
plug the laptop into a network that isn't quite filtered to get hit by a
virus like Code Red. And so it happened. This chip manufacturer had to
shut down all their web access, and for a time all their internet access,
because they were hit by Code Red.

Now I can think of ways to get email to someone that has a laptop. Also,
remember viruses that propagated through floppy disks? What about a combo
virus that uses floppies and email?

Remember, a clever virus writer can bypass the antivirus program long
enough to hit all your sites. If you happen to be on the head end of
an outbreak, you could be the one everyone is pointing at.

And don't tell me your outbound mail server is so weak that it can't
handle the extra load.

On Mon, 13 Aug 2001, Lee Howard wrote:

> At 04:50 PM 8/13/01 -0500, Floyd Pierce wrote:
> >-----Original Message-----
> >From: Lee Howard [mailto:faxguy at deanox.com]
> >>And if we cannot assume that our users are clean, then wouldn't it be
> >>better to nip the problem in the bud rather than somewhere downstream?
> >
> >Good idea. How?
> Any desktop system with any internet connectivity should be running and
> updating antivirus software.  True, that doesn't give us 100% certainty
> against being infected because we may get infected via downloads or
> (for example) before the signature is added to the definitions, but it's
> pretty darn close.
> To utilize an outbound mail filter in lieu of an antivirus program running
> on the desktop is absurd.  And, my original comments were to say that IMHO
> to run an outbound mail filter in addition to an antivirus program running
> on the desktop is obsessive and wasteful in exchange for the very small
> degree of added security it gives us.
> Filtering incoming mail is a whole different issue, yet there's still a
> small degree of insecurity, because an attachment may arrive, not being
> poisoned, the recipient may defang it and may still get infected.
> I seem to get the impression that people believe this degree of insecurity
> to be less than the insecurity posed by very new viruses in webmail or
> wherever.  Filtering outgoing mail is not so much wrong as it is
> guarding users against their own stupidity.

Hisashi T Fujinaka - htodd at twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte