[Mimedefang] Best method of dealing with automatic - propagation virus mails

David F. Skoll dfs at roaringpenguin.com
Mon Oct 28 11:03:01 EST 2002


I agree with Edward:  The appropriate way to handle a virus
is with an SMTP "554 5.7.1 Administratively Prohibited" reply code
after the end of the DATA command.

If the upstream ISP bounces the entire message, thereby infecting
someone else---too bad.  It's not your problem.

Silently dropping viruses is no good, because it reduces the motivation
for upstream ISPs (and end-users, for that matter) to do something
about them.  Generating a notification from within MIMEDefang is no good,
because the sender address is very likely faked.  Better to push the problem
onto someone else.

> The best way to treat a virus is to simply refuse to accept it (and
> then let the remote box deal with the bounce problem).  However it
> is (usually) impossible to discover if a message is infected until
> it has been accepted and the filtering started, during which your
> filter might have decided to quarantine it - again, an
> administrative hassle since in the end they will need to be deleted
> to prevent disk clutter :)

I quarantine .exe's just for fun, but I have a cron job which cleans
out the spool directory regularly.  The only reason I even bother
quarantining is to have some "specimens" to look at when (not if) the
next big outbreak happens.  Otherwise, don't even bother with quarantining.

In fact, I'm such a big proponent of making unwanted mail "someone
else's problem" that CanIt tempfails suspected spam unless/until it is
OK'd by the administrator.  (If it's not OK'd, it's bounced on the
next attempt.)  Yes, it wastes bandwidth, but on all but the largest
sites, that's not a problem.  If even 10-15% of recipients tempfailed
suspect spam, that would clog an awful lot of open-relay queues, use
up a lot of open-relay bandwidth, and perhaps prod those lazy admins
to fix their systems.

--
David.
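The policy described above (permanent 554 5.7.1 rejection of viruses at end of DATA, tempfail for suspected spam), written as a filter_end() hook for a MIMEDefang filter file; this is an added example, not code from the post or from the MIMEDefang distribution. It assumes a MIMEDefang release whose action_bounce()/action_tempfail() accept the (reply, code, dsn) arguments and whose SpamAssassin integration is enabled; the tempfail-on-scanner-failure branch is the example's own choice.

```perl
# Added example: filter_end() hook for mimedefang-filter.
# Assumes a MIMEDefang build with virus scanning and SpamAssassin support;
# the spam handling mirrors the "tempfail until an admin OKs it" idea above.

sub filter_end {
    my ($entity) = @_;

    # An earlier rule (e.g. in filter()) may already have rejected it.
    return if message_rejected();

    # Run the configured scanners. $code is 1 when a virus is found;
    # $category is "virus", "suspicious", "ok" or "cannot-execute".
    my ($code, $category, $action) = message_contains_virus();

    if ($code == 1) {
        # Permanent failure after end of DATA: the sending MTA owns the
        # bounce, nothing is silently dropped, and no notice goes to the
        # (probably forged) envelope sender.
        md_syslog('warning', "Rejecting virus ($VirusName) from $Sender");
        action_bounce("Administratively Prohibited", "554", "5.7.1");
        return;
    }

    if ($category eq "cannot-execute") {
        # Scanner failed: don't guess, make the sender retry later.
        action_tempfail("Virus scanner unavailable, try again later",
                        "451", "4.7.1");
        return;
    }

    # Suspected spam stays in the sender's queue until we decide.
    if ($Features{"SpamAssassin"}) {
        my ($hits, $req, $names, $report) = spam_assassin_check();
        if ($hits >= $req) {
            md_syslog('info', "Tempfailing suspected spam ($hits) from $Sender");
            action_tempfail("Suspected spam; please try again later",
                            "451", "4.7.1");
            return;
        }
    }
}
```

The 451 reply keeps the message on the remote MTA's queue, so legitimate senders retry automatically while open relays accumulate the cost, as the post argues.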