[Mimedefang] Need help with virus notifications

alan premselaar alien at 12inch.com
Fri Dec 10 21:54:47 EST 2004


Ronald Vazquez NLM wrote:
> Hello:
> 
> I have been tasked with configuring MIMEDefang to allow a virus to come in thru the first instance, tag it with X-RrestrictedAttachment to allow our virus scanner to process it.  The idea is that once Trend Micro drops the attachment, we can scan the body with the second instance of MD and drop the virus notification.
> 
> Why?  There are some extensions that even though they are stripped, we do notify our users of the action so they can take appropriate action.  This means that we only want to stop notifications for uncleanable attachments.
> 
> Does anybody know a better way to accomplish this?  The goal is to avoid notifying our users of every virus-infected email we drop while still notifying them about a VBA file they were waiting for.
> 
> Thanks in advance,
> Ronald Vazquez
Ronald,

  It seems to me that because of the nature of most of today's viruses,
you don't want to send any notifications if they tested positive.  Since
often the sender is forged, it's generally a bad idea to notify the
sender.  Since it's a virus, it's not usually something expected by the
recipient anyways, so the notification only adds noise to the end-user's
mailbox.

In the case of a VBA file that gets quarantined or rejected, etc., that
could be caught with the bad_filename routines (not necessarily a virus)
and you could choose to make notifications separate for those than your
virus handling.  Although I would still caution that rejected
bad_filenames will also hit potential virus attachments and still cause
noise down the line.

As a matter of policy, I reject (550 SMTP reject) any virus-infected or
bad_filename emails.  If there's a legitimate user at the other end,
they'll get notification of the failure.  If there isn't, the noise
should be minimal.

Hope this is helpful.

alan
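
A filter fragment implementing the policy described in the reply above, as an added example that is not part of the original post or the MIMEDefang distribution. It assumes it is loaded as part of a mimedefang-filter file, where MIMEDefang supplies message_contains_virus(), message_rejected(), re_match(), action_bounce(), action_drop_with_warning(), action_accept(), md_syslog() and $VirusName; the extension list, the $notify_on_bad_filename switch and the has_bad_filename() helper are hypothetical.

```perl
# Fragment for a mimedefang-filter file; the complete file must end with "1;".

# Illustrative extension list (assumption); tune to local policy.
my $bad_ext_re = '\.(bat|com|exe|pif|scr|vba|vbs)\.*$';

# Hypothetical switch: 0 = reject bad filenames at SMTP time,
# 1 = strip the part and leave a warning in the delivered message.
my $notify_on_bad_filename = 0;

# Hypothetical helper: true if the part's filename matches the list.
sub has_bad_filename {
    my ($entity) = @_;
    return re_match($entity, $bad_ext_re);
}

sub filter_begin {
    my ($entity) = @_;
    my ($code, $category, $action) = message_contains_virus();
    if ($category eq 'virus') {
        md_syslog('warning', "Rejecting message: virus $VirusName");
        # SMTP-time reject: this server generates no notification mail,
        # so a forged sender address receives nothing from it.
        return action_bounce("Message rejected: virus detected",
                             550, "5.7.1");
    }
    return;
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return if message_rejected();    # already rejected in filter_begin

    if (has_bad_filename($entity)) {
        md_syslog('warning', "Bad filename: $fname");
        if ($notify_on_bad_filename) {
            # Recipient still gets the message, minus the attachment,
            # with a note explaining what was removed.
            return action_drop_with_warning(
                "An attachment named $fname was removed by policy.");
        }
        return action_bounce("Message rejected: attachment type not accepted",
                             550, "5.7.1");
    }
    return action_accept();
}
```

Because the virus check runs in filter_begin and returns before any per-part handling, a virus-infected message never reaches the bad-filename branch, which keeps the two kinds of notification separate.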


