Re: [Mimedefang] Best method of dealing with automatic-propagation virus mails

Martin Bene martin.bene at icomedias.com
Mon Oct 28 09:28:01 EST 2002


Hi Edward,

> I really think that the only thing worth doing with Viruses 
> these days is to reject, ie DROP the SMTP connection before 
> accepting the message (if possible).  Otherwise accept the 
> message, then drop it into quarantine and ONLY notify the recipient.

At the mimedefang level, this would equate to action_reject, i.e. refuse
accepting the message with a permanent SMTP error code.

I also thought this to be a great idea until I read the previous mail:
	* sender address is false
	* envelope sender address is false as well

If we're not talking to the original infected machine but to a relaying
mailserver (without virus scanner), bad things happen if we reject the mail:

the relaying server will return the message including the virus to the faked
from address, thus possibly infecting someone else (instead of the intended
recipient).

This means that the only safe thing to do is to actually accept the message. 

Depending on virus / type of virus, further actions are possible:
	automatic propagation: silent drop.
	infected "real" file: notify recipient and sender

Even if we're talking to the original infected machine, an SMTP bounce
possibly won't do any good: if the virus uses its own SMTP implementation,
the user won't ever see the SMTP error messages, and the virus might go on to
another mailserver.

> Also, by dropping the SMTP level connection you force the 
> problem slowly up the tree and possibly eventually to the 
> sending machine itself (if ISP's start to do this).  This 
> should also hopefully make it easier for the user to spot the 
> virus problem in the first place!

As written above, I don't think this actually works. Accepting on the SMTP
level and silently dropping these mails seems to be the safest way of dealing
with them.

Bye, Martin
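As an added illustration (not code from Martin's post or from the MIMEDefang distribution), a mimedefang-filter excerpt applying the policy argued above: accept at the SMTP level, discard self-propagating worms silently, and for a "real" infected attachment replace the part with a warning the recipient sees and notify the sender. It assumes a virus scanner is configured so that message_contains_virus()/entity_contains_virus() set $VirusName; the is_self_propagating() helper and its name pattern are assumptions, not part of MIMEDefang.

```perl
# Added example for mimedefang-filter (Perl). Assumes MIMEDefang is built with
# a virus scanner so message_contains_virus()/entity_contains_virus() work
# and set $VirusName.

# Placeholder policy (assumed): which scanner-reported names count as
# self-propagating worms. Adjust to the names your scanner really reports.
sub is_self_propagating {
    my ($name) = @_;
    return $name =~ /worm/i;
}

sub filter_begin {
    my ($entity) = @_;
    return unless message_contains_virus();

    md_syslog('warning',
              "virus '$VirusName' claimed sender <$Sender> relay $RelayAddr");

    # A worm forges both the From: header and the envelope sender, so an SMTP
    # reject or a bounce lands on an innocent third party via the relaying
    # server. Accept the message and drop it without any notification.
    if (is_self_propagating($VirusName)) {
        action_discard();
    }
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return if message_rejected();          # already discarded in filter_begin
    return unless entity_contains_virus($entity);

    # A "real" infected file from a real correspondent: deliver the message
    # with the attachment replaced by a warning (so the recipient is told)
    # and notify the sender, whose address is plausible in this case.
    action_drop_with_warning(
        "Attachment '$fname' removed: infected with $VirusName");
    action_notify_sender("Your message to " . join(', ', @Recipients)
        . " carried the virus '$VirusName'; the attachment was removed.\n");
}
```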