[Mimedefang] Best method of dealing with automatic - propagation virus mails

jmiller at purifieddata.net
Sun Oct 27 05:08:01 EST 2002


On Sun, 27 Oct 2002, Martin Bene wrote:

> Hi,
>
> I'm wondering a) what the best way to treat mail generated by automatic virus
> propagation is and b) how to detect it.
>
> possibilities for a):
> 	- standard behaviour: strip the virus/executable, let the remaining
> message through with annotations
> 	- bounce at smtp level

This might be ok on viruses known NOT to forge the from address. However,
klez, bugbear, yaha, magistr, and others forge the from address randomly
from the address books they pull off the infected machine.
This means your bounces could be propagating the virus.

> 	- silently drop it, possibly with an admin notification.

Personally, I use action_notify_sender and send them an informative
message telling them what virus was found, etc.
But I don't do this if a virus is found that is known to forge from
addresses (people who know they're not infected who get warnings saying
they're infected tend to get pissed from time to time, and it's useless to
notify some other random entry on the infected user's address book).

> Harder is the 2nd problem, namely how to detect these mails; couple of
> possibles here: when using a virus scanner, using $VirusName is the obvious
> approach. Using a list of currently known viri (klez, sircam, Bugbear/Tanatos,
> Lentin) should work. Also, some scanners use a naming scheme that can be used
> for detection (Kaspersky classes all of these as I-Worm.<something-or-other>,
> so using /^I-Worm/ as a trigger should work fine).

$VirusName works very nicely. Just check your virus dat to see what it'll
call them.

--
Josh I.
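
The decision logic discussed above, as an added example (not code from either poster): a MIMEDefang filter_begin() that branches on $VirusName. The list of sender-forging worms and the /^I-Worm/ prefix are the ones named in this thread and are illustrative only; the exact names depend on your scanner's DAT files.

```perl
# Added example for a mimedefang-filter: pick an action from $VirusName.
# Hypothetical list: worms this thread names as forging the From address.
# Notifying "the sender" of these only annoys an uninvolved address-book
# entry, and bouncing them propagates the worm to that entry instead.
my @ForgesSender = qw(klez bugbear tanatos yaha magistr sircam lentin);

# Returns 1 if the scanner's name matches a known forger or the
# I-Worm.* family prefix (Kaspersky naming, as mentioned in the thread).
sub virus_forges_sender {
    my ($name) = @_;
    return 1 if $name =~ /^I-Worm/i;
    foreach my $w (@ForgesSender) {
        return 1 if $name =~ /\Q$w\E/i;
    }
    return 0;
}

sub filter_begin {
    # message_contains_virus() runs the configured scanner over the
    # whole message and sets $VirusName / $VirusScannerMessages.
    return unless message_contains_virus();

    md_syslog('warning', "Virus $VirusName found in message from $Sender");

    if (virus_forges_sender($VirusName)) {
        # Sender is almost certainly forged: no bounce, no sender notice.
        # Drop the message and tell only the administrator.
        action_notify_administrator(
            "Discarded message claiming to be from $Sender: $VirusName");
        action_discard();
        return;
    }

    # This virus is not known to forge addresses, so the sender is
    # probably the infected party and an informative notice is useful.
    action_notify_sender("Your message contained the virus $VirusName "
                       . "and was not delivered.\n\n$VirusScannerMessages");
    action_discard();
}
```
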
