[Mimedefang] Best method of dealing with automatic-propagation virus mails
David F. Skoll
dfs at roaringpenguin.com
Mon Oct 28 11:03:01 EST 2002
I agree with Edward: The appropriate way to handle a virus
is with an SMTP "554 5.7.1 Administratively Prohibited" reply code
after the end of the DATA command.
If the upstream ISP bounces the entire message, thereby infecting
someone else---too bad. It's not your problem.
Silently dropping viruses is no good, because it reduces the motivation
for upstream ISPs (and end-users, for that matter) to do something
about them. Generating a notification from within MIMEDefang is no good,
because the sender address is very likely faked. Better to push the problem
onto someone else.
> The best way to treat a virus is to simply refuse to accept it (and
> then let the remote box deal with the bounce problem). However it
> is (usually) impossible to discover if a message is infected until
> it has been accepted and the filtering started, during which your
> filter might have decided to quarantine it - again, an
> administrative hassle since in the end they will need to be deleted
> to prevent disk clutter :)
I quarantine .exe's just for fun, but I have a cron job which cleans
out the spool directory regularly. The only reason I even bother
quarantining is to have some "specimens" to look at when (not if) the
next big outbreak happens. Otherwise, don't even bother with quarantining.
In fact, I'm such a big proponent of making unwanted mail "someone
else's problem" that CanIt tempfails suspected spam unless/until it is
OK'd by the administrator. (If it's not OK'd, it's bounced on the
next attempt.) Yes, it wastes bandwidth, but on all but the largest
sites, that's not a problem. If even 10-15% of recipients tempfailed
suspect spam, that would clog an awful lot of open-relay queues, use
up a lot of open-relay bandwidth, and perhaps prod those lazy admins
to fix their systems.
--
David.
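The policy described above (refuse the message with 554 5.7.1 at end of DATA, keep a specimen, quarantine .exe attachments) expressed as a MIMEDefang filter fragment. This is an added illustration, not David's filter and not the sample filter shipped with MIMEDefang; it assumes the documented filter API calls named in the comments and a virus scanner that MIMEDefang recognises. The quarantine path in the cron comment is an assumption.

```perl
# Added example mimedefang-filter fragment (not from the original post).
# Assumed API: message_contains_virus(), action_bounce(), action_quarantine(),
# action_quarantine_entire_message(), re_match(), action_accept(), $VirusName.

# filter_begin runs once per message, inside the milter's end-of-DATA
# callback, so anything it rejects is refused before the message is accepted.
sub filter_begin {
    my ($code, $category, $action) = message_contains_virus();

    # Only act on a definite virus, not on "suspicious" objects.
    if ($code && $category eq "virus") {
        # Optional: keep the raw message as a specimen for later analysis.
        # It lands in the quarantine directory, which a cron job must purge.
        action_quarantine_entire_message("Virus specimen: $VirusName");

        # Make the milter answer the end of DATA with
        # "554 5.7.1 Virus detected ...". Nothing is accepted, so no bounce
        # originates from this host; the sending MTA owns the problem.
        action_bounce("Virus detected ($VirusName); message refused",
                      554, "5.7.1");
        return;
    }
}

# filter runs once per MIME part. Quarantine .exe attachments as specimens;
# action_quarantine stores the part and replaces it with the given warning.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    if (re_match($entity, '\.exe')) {
        return action_quarantine($entity,
            "An executable attachment was removed and quarantined.");
    }
    return action_accept();
}

# Cron entry to keep the quarantine from cluttering the disk (assumed path):
#   0 3 * * * find /var/spool/MIMEDefang/quarantine -mindepth 1 -mtime +7 -exec rm -r {} +
```

The reject goes in filter_begin rather than filter_end so the message is refused before any per-part work is done; action_bounce defaults to 554 / 5.7.1, but the code and DSN are spelled out here to match the reply quoted in the post.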