[Mimedefang] Best method of dealing with automatic - propagation virus mails

Martin Bene martin.bene at icomedias.com
Sun Oct 27 04:33:00 EST 2002


Hi,

I'm wondering a) what the best way to treat mail generated by automatic virus
propagation is and b) how to detect it.

Possibilities for a):
	- standard behaviour: strip the virus/executable, let the remaining
message through with annotations
	- bounce at SMTP level
	- silently drop it, possibly with an admin notification.

My personal favourite is b) as it doesn't spam the user with totally useless
information (who cares that someone tried to send them a virus? There's no
usable information in those mails, not even the fact that it was sent). Also
it doesn't break mail delivery rules too badly (as the silent drop does), so
the sender should get a reasonable error back in case of a false positive.

Harder is the 2nd problem, namely how to detect these mails; a couple of
possibilities here: when using a virus scanner, using $VirusName is the obvious
approach. Using a list of currently known viruses (Klez, Sircam, Bugbear/Tanatos,
Lentin) should work. Also, some scanners use a naming scheme that can be used
for detection (Kaspersky classes all of these as I-Worm.<something-or-other>,
so using /^I-Worm/ as a trigger should work fine).

Even without a scanner, there are some fairly reliable things it's possible to
use:
	- use of an audio/x-wav etc. MIME type for files in the "bad extension"
list
	- use of multiple-extension files, with the last extension being in
the "bad extension" list.
	- others?

Given the amount of this junk it's probably a good idea to drop or at least
reject these without littering the users' inboxes. Comments?

Bye, Martin
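The two detection ideas from the post (matching the scanner's $VirusName against a worm-name pattern, and flagging double extensions or audio/* types on "bad extension" files), as an added stand-alone Perl example that is not part of the original message or of MIMEDefang itself. The extension list, the worm-name pattern and the sample filenames are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post or the MIMEDefang distribution.
# The extension list and worm-name pattern below are illustrative choices.
use strict;
use warnings;

# Extensions this example treats as "bad" (never legitimately mailed).
my $bad_ext = qr/(?:exe|scr|pif|bat|com|cmd|vbs|vbe|js|jse|hta|lnk)/i;

# Scanner names for mass-mailing worms: Kaspersky's I-Worm.* class plus
# the families named in the post.
my $worm_name = qr/^I-Worm|klez|sircam|bugbear|tanatos|lentin/i;

# Does a scanner-reported virus name look like a self-propagating worm?
sub is_mass_mailer_name {
    my ($name) = @_;
    return (defined $name && $name =~ $worm_name) ? 1 : 0;
}

# Does an attachment look like worm output even without a scanner?
# $fname is the attachment filename, $type the declared Content-Type,
# as MIMEDefang passes them to filter($entity, $fname, $ext, $type).
sub looks_like_worm_attachment {
    my ($fname, $type) = @_;
    return 0 unless defined $fname && $fname =~ /\.$bad_ext\s*$/;
    # (1) double extension: "report.doc.exe"
    return 1 if $fname =~ /\.[^.\s]+\s*\.$bad_ext\s*$/;
    # (2) an audio/* type declared on an executable (Klez-style trick)
    return 1 if defined $type && $type =~ m{^audio/}i;
    return 0;   # a plain single-extension exe is left to the normal path
}

# Inside a MIMEDefang filter() this would be wired up roughly as:
#   return action_bounce("Mass-mailer virus refused")
#       if looks_like_worm_attachment($fname, $type);
# Stand-alone run over constructed sample inputs:
my @samples = (
    [ 'report.doc.exe', 'application/octet-stream', 1 ],
    [ 'setup.exe',      'audio/x-wav',              1 ],
    [ 'notes.txt',      'text/plain',               0 ],
    [ 'tool.exe',       'application/octet-stream', 0 ],
);
for (@samples) {
    my ($f, $t, $want) = @$_;
    my $got = looks_like_worm_attachment($f, $t);
    printf "%-16s %-25s => %d %s\n", $f, $t, $got, $got == $want ? 'ok' : 'MISMATCH';
}
printf "%-20s => %d\n", $_, is_mass_mailer_name($_)
    for ('I-Worm.Klez.h', 'EICAR-Test-File');   # expect 1 then 0
```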