[Mimedefang] Best method of dealing with automatic-propagation virus mails

David F. Skoll dfs at roaringpenguin.com
Tue Oct 29 12:02:20 EST 2002


There are basically four options for dealing with a virus:

1) Silently discard the mail.  I think everyone agrees this is wrong;
it violates RFCs and hides the problem.

2) Drop the mail, but notify the sender (and possibly recipient.)  I
think we all see that this is pointless; the sender address is probably
fake, and the recipient really doesn't want or need the notification.
Also, sending notifications (as in action_notify_sender) loses information,
like the Received: headers and original sending IP address.  In fact,
I find notifications so annoying that my MIMEDefang rule set bounces
those which it can recognize (including MIMEDefang notifications. :-))

3) Accept the mail, but generate a Sendmail bounce message, omitting the
original message body (but including the headers.)  Some would argue that
this is the "kindest" approach, preserving important information while
not risking infecting someone else.  The downside is that it adds extra
load to your mail server, and your bounce message is likely to bounce too.

4) Reject the mail with a 5xx code.  This essentially relieves you of any
responsibility; it's up to the sending relay to handle the bounce.  The
sending relay is likely to include the entire original message in the body,
possibly infecting the so-called sender.

My preference is for option 4.  It limits your server's load and places
responsibility squarely on the sending relay, who (after all) is in
a much better position than you to identify the real sender and take
action.

As far as unwittingly infecting third-parties, I have no sympathy.  Everyone
knows that Windows and Outlook are horribly insecure.  There are other more
secure mail readers, even for Windows, and anyone running Outlook deserves
what he/she gets.  Sorry, but if people are serious about chipping away
at the Monopoly, then we mustn't try to hide the Monopoly's flaws.

--
David.
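
Option 4 as a mimedefang-filter fragment, added here as an illustration and not part of the original post: it rejects at SMTP time with a 5xx reply and keeps the relay details in the local log. It assumes a virus scanner is configured for MIMEDefang; the reply text, the 554/5.7.1 codes and the log format are illustrative choices.

```perl
# Added example: fragment of a mimedefang-filter (Perl). It is run by
# MIMEDefang, not as a stand-alone script, and assumes a configured scanner.
sub filter_begin {
    my ($entity) = @_;

    # Ask the configured scanner(s) about the whole message.
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq "virus") {
        # Keep locally what a notification would lose: the connecting
        # relay, the envelope sender and the queue ID.
        md_syslog('warning',
            "virus=$VirusName relay=$RelayAddr sender=$Sender qid=$QueueID");

        # Option 4: reject with a 5xx reply; the sending relay owns the bounce.
        return action_bounce("Message rejected: virus $VirusName detected",
                             "554", "5.7.1");
    }

    # Scanner failure: ask the relay to retry (4xx) rather than passing
    # unscanned mail or rejecting it permanently.
    if ($action eq "tempfail") {
        md_syslog('warning',
            "virus scanner problem: code=$code category=$category");
        return action_tempfail("Virus scanner unavailable; try again later");
    }
}
```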



