Virus scanning (moderated)
Jim Higgins
Received from Mark Fletcher at 8/23/2018 05:09 AM UTC:
> Ok, so new group option for dealing with spam: either moderate or reject, with reject being the default. Rejected messages will be logged in the activity log. If I reject a message, should it bounce back to the sender, or should I blackhole it?

Don't bounce! REJECT during the SMTP transaction if possible. And if not possible, then just blackhole it.

> If a message in the archives is flagged as having a virus or phishing attack, should I put a banner on the page saying so? (and should I go back through the archives doing scans)?

For viruses I'd prefer deletion. Given a settable option I'd choose deletion and take the tiny chance it's a false positive rather than set myself up to second guess the scanner. Scans for phishing based on keywords in message bodies are less reliable so a banner might be the thing for that. Yes on scanning existing files/images (binaries) for viruses. Not sure scanning archived message text would provide much added benefit, but if you have the CPU horsepower, it can't hurt.

> The fact that many/most groups don't accept messages from non-subscribers acts as a natural prevention for a lot of this crap.

That and also some groups don't accept attachments... and are plain text only. I've NEVER seen spam or viruses - or even phishing attempts - in plain text email with no attachments.

> I don't accept SMTP connections from IP addresses that don't have reverse DNS records. I use a few blocklists as well, for all connections to the site, not just email. I haven't done anything with SPF and DKIM data yet.

This is very good to know.

Jim H
On Wed, Aug 22, 2018 at 11:08 PM, Shal Farley <shals2nd@...> wrote:
Honestly not sure what, if anything, to do with SPF and DKIM. Seeing plenty of valid emails with bad DKIM sigs, for example.

Mark
It might be worth talking to the folk at FastMail. They are pretty active in the mail security standards. I use them for my mail.
Mark,
> Honestly not sure what, if anything, to do with SPF and DKIM.

I have two goals:

1) Prevent abuse posted to a group such as that I reported to support 8/11. This is where a malcontent or crook uses credentials at an otherwise legit mailbox provider to spoof a group member's address, resulting in junk posted to the group.

2) Eliminate the need for a confirmation email and response for email commands in most cases.

Case (1) is the more important, but I think (2) is easier. Mostly because there is no adverse consequence of a failed authentication in case (2) - you just send the confirmation email as you do now.

You could accept the OR of two tests: a valid DKIM, signed by the header-from domain as one test; or a passing SPF but only if the header-from domain is aligned with the envelope-from domain as the other test. This happens to be the same as the DMARC criteria, I think. So in the case of a "pass" you send a notification of the command's acceptance and effect rather than a request for confirmation.

In case (1) the difficulty arises if both tests fail. That's sure to be true in the case I want to weed out, but I don't know how many legit messages might be affected. I think the case you cited to me on 8/13 would be one such; unless we (you) can figure out something he could tell you by way of account information that would let you make a third test that would pass his messages.

My inclination is to say that it is "good enough" if you force messages that fail both tests into the pending queue, as if sent by a non-subscriber (but with a different marking, of course). That would have allowed the group mod in my support case to discard the abuse before it hit the group. Yes, that would be a pain for the second fellow, and his group mods. But he's already committed to switching Thunderbird to use the correct SMTP server, so that should solve his case. One down...

Shal
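The two-test rule Shal proposes (DKIM signed by the header-from domain, OR SPF pass with an aligned envelope-from domain) is exactly the DMARC identifier-alignment check. The following is an added example, not Groups.io code and not something Shal or Mark posted: it parses a constructed Authentication-Results header value, applies the alignment rule in both strict and relaxed form, and routes a command or a post the way the thread describes (accept vs. send a confirmation; deliver vs. hold in the pending queue with a distinct marking). The route names, the sample headers and the `org_domain` helper are assumptions; in particular `org_domain` uses the last two labels as the organizational domain, whereas real DMARC consults the Public Suffix List, so this simplification misjudges domains like `example.co.uk`.

```python
import re
from dataclasses import dataclass


@dataclass
class AuthResult:
    header_from: str     # domain of the visible From: header (RFC 5322)
    envelope_from: str   # domain of the SMTP MAIL FROM (RFC 5321); "" if absent
    dkim_pass: bool
    dkim_domain: str     # d= tag of the passing DKIM signature; "" if none
    spf_pass: bool


def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels.
    # Real DMARC relaxed alignment uses the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, header_from: str, relaxed: bool = True) -> bool:
    """DMARC-style alignment: exact match (strict) or same org domain (relaxed)."""
    c, h = candidate.lower().rstrip("."), header_from.lower().rstrip(".")
    if not c or not h:
        return False
    if c == h:
        return True
    return relaxed and org_domain(c) == org_domain(h)


def authenticated(r: AuthResult, relaxed: bool = True) -> bool:
    """Shal's OR of two tests: aligned DKIM pass, or aligned SPF pass."""
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.header_from, relaxed)
    spf_ok = r.spf_pass and aligned(r.envelope_from, r.header_from, relaxed)
    return dkim_ok or spf_ok


# Minimal extraction of dkim=/spf= results from an Authentication-Results
# header value (RFC 8601 layout). Only the fields this rule needs are read.
_DKIM = re.compile(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([\w.-]+))?", re.I)
_SPF = re.compile(r"\bspf=(\w+)(?:[^;]*?\bsmtp\.mailfrom=([^\s;]+))?", re.I)


def parse_auth_results(header_value: str, header_from_domain: str) -> AuthResult:
    dkim_pass, dkim_domain = False, ""
    m = _DKIM.search(header_value)
    if m:
        dkim_pass = m.group(1).lower() == "pass"
        dkim_domain = m.group(2) or ""
    spf_pass, envelope_from = False, ""
    m = _SPF.search(header_value)
    if m:
        spf_pass = m.group(1).lower() == "pass"
        mailfrom = m.group(2) or ""
        envelope_from = mailfrom.rsplit("@", 1)[-1]   # keep the domain part only
    return AuthResult(header_from_domain, envelope_from, dkim_pass, dkim_domain, spf_pass)


def route_command(r: AuthResult) -> str:
    """Goal (2): skip the confirmation round-trip only when the sender authenticates."""
    return "accept" if authenticated(r) else "send-confirmation"


def route_post(r: AuthResult, sender_is_member: bool) -> str:
    """Goal (1): hold unauthenticated member posts like non-member posts, marked differently."""
    if not sender_is_member:
        return "pending:non-member"
    if authenticated(r):
        return "deliver"
    return "pending:unauthenticated"


# Constructed sample header values (not real traffic), paired with the From: domain.
SAMPLES = {
    "signed_by_from_domain": (
        "mx.example.net; dkim=pass header.d=example.org; spf=fail smtp.mailfrom=example.org",
        "example.org"),
    "spoofed_from": (   # posted through another provider, From: forged to a member's domain
        "mx.example.net; dkim=none; spf=pass smtp.mailfrom=bounce@lists.other.net",
        "example.org"),
    "subdomain_bounce": (   # passes only under relaxed alignment
        "mx.example.net; dkim=none; spf=pass smtp.mailfrom=bounce@mail.example.org",
        "example.org"),
}

if __name__ == "__main__":
    for name, (hdr, from_domain) in SAMPLES.items():
        r = parse_auth_results(hdr, from_domain)
        print(f"{name}: command={route_command(r)} post={route_post(r, True)}")
```

The `spoofed_from` sample is the abuse case from the support report: a genuine SPF pass for the sending provider's own bounce domain, but no alignment with the forged From: domain, so the message lands in the pending queue with its own marking rather than hitting the group.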
Hi All,

I've just enabled the new virus scanning option for groups. Under Message Policies, there's a dropdown labeled Viruses. It defaults to Blocked, but can be set to Moderated. I disabled scanning for phishing schemes, because the false positive rate was just way too high. So it only scans for viruses. Emails from non-members that contain viruses are blocked regardless of the group setting.

When a message is blocked or moderated, an entry is added to the activity log (there are 3 new actions: non-member blocked, member blocked, member moderated). When viewing a moderated message for approval, a red badge is displayed with the name of the virus detected. I'm not currently retroactively scanning the archives and I'm not currently displaying anything when viewing moderated and then approved messages in the archives.

In my testing, very few viruses are actually sent through the system. So, hopefully, this is something you won't encounter. Please let me know if you have any questions.

Thanks,
Mark
Chris Jones
On Tue, Aug 21, 2018 at 04:25 AM, Mark Fletcher wrote:
> My default implementation would be to turn it on so that it blocks all emails, files and photos that it finds has a virus or phishing attempt.

Mark; this thread has been referenced on GMF following someone reporting that a group member (actual group not reported) had had their email spoofed and a zipped attachment sent to the group. Does your virus scanning detect problems in a zipped attachment?

Chris
On Thu, Feb 21, 2019 at 10:06 AM Chris Jones via Groups.Io <chrisjones12=btinternet.com@groups.io> wrote:
Yes it does.

I would like to know if a virus-infected file did get through the virus scanning. Someone recently contacted support about one such incident, but I haven't been able to verify it yet. From the logs, we don't actually see many virus infected files.

Thanks,
Mark
Sandra Pickens-Gmail
Mark, I was the group owner that approved an email from a member that had a zip file attached. I do not know if the zip file was a virus because I did not open the zip file. The group is FriedbergFriends. Anything you need from me to investigate? I removed the email from the group, but still have a copy in my personal email.
Sandra Pickens
> From: main@beta.groups.io <main@beta.groups.io> On Behalf Of Mark Fletcher
> On Thu, Feb 21, 2019 at 10:06 AM Chris Jones via Groups.Io <chrisjones12=btinternet.com@groups.io> wrote:
>
> Yes it does.
>
> I would like to know if a virus-infected file did get through the virus scanning. Someone recently contacted support about one such incident, but I haven't been able to verify it yet. From the logs, we don't actually see many virus infected files.
>
> Thanks,
Chris Jones
On Thu, Feb 21, 2019 at 06:59 PM, Mark Fletcher wrote:
Mark; thanks for the prompt reply! :)

Chris