[Mimedefang] Best method of dealing with automatic-propagation virus mails

Tony Nugent tony at linuxworks.com.au
Wed Oct 30 07:40:00 EST 2002


On Wed Oct 30 2002 at 10:56, "Clayton, Nik [IT]" wrote:

> > From: David F. Skoll [mailto:dfs at roaringpenguin.com]
> > There are basically four options for dealing with a virus:
> 
> [...]
> 
> You left out my preference.
> 
>   5.  Accept the message.  For every part that contains a virus, replace
>       the part with text akin to "A virus was found here.  Please contact
>       the original sender to arrange to receive the information through
>       other channels if it's important to you.", and adjust the MIME type
>       as necessary.

I can't agree (which is perfectly ok:)

> Avoids spamming the sender with notification messages (which is especially
> important if the sender is a mailing list, or may be forged), and lets the
> recipient decide what to do.

... although I totally agree with this sentiment.

  (Senders should not be notified about viruses, unless the real
  source can be confirmed by matching the source IP in a radius
  database or whatever).

In my experience[1], accepting viruses and allowing delivery[2]
usually results in total confusion for the recipients about what
they should or should not do[3].

 [1] with an ISP and several office networks with their own mail
     servers acting as MX hosts.
 [2] of course after infected attachments have been replaced with
     a warning message.
 [3] especially so now with their forged sender addresses (heh,
     hybris was bad enough to cope with its characteristic From:
     address).

In the end (and I would think for most situations), this approach
just doesn't work very well at all.  Especially for me, I was
continuously distracted with queries about what was going on and
what it all meant (ugh!:)

IMHO, what they don't know won't hurt them :) and most people
(actually, everyone concerned) appreciate the peace they have with
the resulting lack of "clutter" in their mailboxes.

In the office situation, I have spam and "dead" viruses (defanged
after quarantine) "diverted" into a general-access "spammer"
mailbox, where several people in these offices are then able to
review the spam (using IMAP), just in case something got caught that
shouldn't have (which is not very often once a whitelist has been
established and is being maintained).  This seems to work very well;
everyone is happy.

  (BTW, any spam scoring over 15 or so I reject outright with a
  55x, everything else is accepted and then sorted... under 7 gets
  delivered, under 9 gets a spam warning added to the subject line,
  over 9 gets put into the spammer mailbox for review.  Also works
  well).

For an ISP, viruses can be discarded as trash (after statistical or
examination purposes or whatever).  But someone needs to regularly
review the spam, and then "transparently inject" messages back into
the system should any prove to be false positives (quite rare, but
it happens).  Here is where I can see something like David's CanIt
would be very useful and effective for managing this :)

Cheers
Tony
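The tiered policy Tony describes (reject over 15 with a 5xx, deliver under 7, tag the subject between 7 and 9, divert over 9 to a shared review mailbox, and divert "dead" viruses there too after their parts have been quarantined and replaced with a warning) maps fairly directly onto MIMEDefang's filter callbacks. The excerpt below is an added example written for this archive page; it is not code from Tony's or Nik's posts and not the MIMEDefang project's shipped filter. It assumes a review mailbox address of spammer@example.com (placeholder), the thresholds are Tony's numbers, and the MIMEDefang functions used (entity_contains_virus, action_quarantine, spam_assassin_check, action_bounce, action_change_header, delete_recipient, add_recipient) are the ones documented in mimedefang-filter(5).

```perl
# Excerpt of a MIMEDefang filter (normally /etc/mail/mimedefang-filter).
# Added example for this page, not from the original post or the project.

# Assumption: the shared IMAP "spammer" mailbox reviewers look at.
my $ReviewMailbox = 'spammer@example.com';

# Per-message state.  A mimedefang.pl slave handles many messages in
# its lifetime, so this must be reset in filter_begin, not only declared.
my $FoundVirus = 0;

sub filter_begin {
    my ($entity) = @_;
    $FoundVirus = 0;
}

# Called once per MIME part.  Infected parts are quarantined and replaced
# with a warning (Tony's footnote [2]); the message itself is not bounced
# and the (probably forged) sender is never notified.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    if ($Features{"Virus:ANY"} && entity_contains_virus($entity)) {
        $FoundVirus = 1;
        return action_quarantine($entity,
            "An attachment ($fname) contained the virus '$VirusName' " .
            "and has been removed.  It was not sent by the address in " .
            "the From: header; do not reply to it.");
    }
    return action_accept();
}

# Called once after all parts have been seen.
sub filter_end {
    my ($entity) = @_;

    # "Dead" viruses go to the review mailbox, not to the recipients.
    if ($FoundVirus) {
        divert_to_review();
        return;
    }

    return unless $Features{"SpamAssassin"};
    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $score = sprintf("%.1f", $hits);

    if ($hits > 15) {
        # Reject outright at SMTP time with a permanent 55x reply.
        action_bounce("Rejected: message scored $score as spam", 554, "5.7.1");
    } elsif ($hits > 9) {
        # Accept, but deliver only to the reviewers' mailbox.
        action_change_header("X-Spam-Score", "$score ($names)");
        divert_to_review();
    } elsif ($hits >= 7) {
        # Accept and deliver with a warning in the subject line.
        action_change_header("X-Spam-Score", "$score ($names)");
        action_change_header("Subject", "[SPAM? $score] $Subject");
    }
    # Below 7: delivered untouched.
}

# Swap the envelope recipients for the review mailbox.  The message is
# still accepted (no DSN goes back to the sender), it just lands elsewhere.
sub divert_to_review {
    foreach my $r (@Recipients) {
        delete_recipient($r);
    }
    add_recipient($ReviewMailbox);
}
```

Two things worth checking before deploying something like this: action_bounce in filter_end rejects the whole message for every recipient, so a score over 15 on a message that also has a legitimate recipient is lost rather than reviewed (Tony accepts that trade-off above 15); and because the diversion only rewrites envelope recipients, the original To:/Cc: headers survive, which is what lets a reviewer "transparently inject" a false positive back to the intended recipient from the spammer mailbox.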
