[Mimedefang] Virus Handling
David Potterveld
POTTERVELD at ANLMEP.PHY.ANL.GOV
Wed Nov 27 17:41:01 EST 2002

Rick Mallett wrote:
>I'm looking for advice on handling messages that contain a virus,
>specifically whether to use action_discard or action_bounce in
>mimedefang-filter.

This is a matter of personal preference, and opinions scatter (strongly) on
both sides of the question. As far as I can tell, MD works perfectly well if
you simply comment out the "action_bounce" line.

The argument for bouncing the mail is that informing a possibly unsuspecting
user that they have a virus is a responsible thing to do.

Although I understand this intent, my opinion is that simply returning the
entire message to the apparent sender is a bad idea. There are several
reasons:

1. You shouldn't trust the "From" address because it can be and is forged in
   some viruses. The bounced message may wind up going to some innocent third
   party. Worse yet, imagine an email virus crafted with a specific "From"
   address targeting a specific site. All those bounced messages going back
   to the single victim could be a problem...

2. The bounced message still contains the virus. If the bounce-recipient also
   has a bouncing MD/virus scanner, it could re-bounce again in a mail loop.

I also wonder if mail bouncing with forged headers could be used as a kind
of obfuscating mail relay for spam, or as a mechanism for virus propagation.

In short, although I agree with the goal of alerting a virus sender about
their infection, I think it really takes out-of-band human intervention on
the part of the recipient.

David Potterveld
Argonne National Laboratory
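
Added example, not part of the original post and not the project's shipped filter: a mimedefang-filter fragment that applies the discard-instead-of-bounce policy discussed above while keeping a local record for human follow-up. It assumes a MIMEDefang version that provides md_syslog and at least one configured virus scanner; the message texts are constructed.

```perl
# Fragment for mimedefang-filter (loaded by mimedefang.pl, not run stand-alone).
# Policy: never return infected mail to the envelope sender, which may be forged.
sub filter_begin {
    my ($entity) = @_;

    # Ask the configured virus scanners about the whole message.
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        # Record what was seen and where it came from, for the local admin.
        md_syslog('warning',
            "Virus $VirusName from relay $RelayAddr, " .
            "envelope sender $Sender: discarding");

        # Keep a copy so a human can follow up out of band.
        action_quarantine_entire_message("Virus $VirusName detected");
        action_notify_administrator(
            "Virus $VirusName in mail claiming to be from $Sender\n" .
            "Relay: $RelayAddr\n" .
            "The message was discarded; nothing was returned to the sender.\n");

        # Before: the action_bounce line the post mentions commenting out
        # (reply text here is constructed).
        # return action_bounce("Virus $VirusName found in mail");

        # After: accept and silently drop, so nothing goes to a forged address
        # and no copy of the virus travels back out.
        return action_discard();
    }

    # Scanner failure: ask the sending MTA to retry later rather than guess.
    if ($action eq 'tempfail') {
        md_syslog('warning',
            "Virus scanner problem: code=$code category=$category");
        return action_tempfail("Problem running virus-scanner");
    }
    return;
}
```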