[Mimedefang] Need help with virus notifications

Ronald Vazquez NLM vazquezr at nlm.nih.gov
Mon Dec 13 06:52:03 EST 2004


Ronald Vazquez NLM wrote:
> Hello:
>
> I have been tasked with configuring MIMEDefang to allow a virus to come
> in thru the first instance, tag it with X-RrestrictedAttachment to allow
> our virus scanner to process it.  The idea is that once Trend Micro drops
> the attachment, we can scan the body with the second instance of MD and
> drop the virus notification.
>
> Why?  There are some extensions that even though they are stripped, we
> do notify our users of the action so they can take appropriate action.
> This means that we only want to stop notifications for uncleanable
> attachments.
>
> Does anybody know a better way to accomplish this?  The goal is to avoid
> notifying our users of every virus-infected email we drop while still
> notifying them about a VBA file they were waiting for.
>
> Thanks in advance,
> Ronald Vazquez

Answer from Alan Premselaar:

Ronald,

  It seems to me that because of the nature of most of today's viruses,
you don't want to send any notifications if they tested positive.  Since
often the sender is forged, it's generally a bad idea to notify the
sender.  Since it's a virus, it's not usually something expected by the
recipient anyways, so the notification only adds noise to the end-user's
mailbox.

In the case of a VBA file that gets quarantined or rejected, etc., that
could be caught with the bad_filename routines (not necessarily a virus)
and you could choose to make notifications separate for those than your
virus handling.  Although I would still caution that rejected
bad_filenames will also hit potential virus attachments and still cause
noise down the line.

As a matter of policy, I reject (550 SMTP reject) any virus-infected or
bad_filename emails.  If there's a legitimate user at the other end,
they'll get notification of the failure.  If there isn't, the noise
should be minimal.

hope this is helpful

alan


New question:

Alan:

Thank you for the answer.  My problem is that I have to follow procedure
and let the virus come in on port 25, tag it, hopefully Trend Micro
will do its job by deleting the virus, we will then scan the body,
look for the tag and MD will suppress the tagged email notification at
10025 when.

I am looking for help in writing a filter that would allow this
action.  Now, how could I accomplish what I just described?


Thanks in advance
Ronald Vazquez
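
A sketch of the two-instance flow asked about above, as an added example that is not part of the original thread or of the MIMEDefang distribution. The $ROLE switch and the tag value "virus" are hypothetical, and the sketch assumes Trend Micro passes the message headers through unchanged between the two instances.

```perl
# Added example, not from the thread. Hypothetical: the $ROLE switch and the
# tag value "virus". Assumes Trend Micro leaves message headers intact.
my $TAG  = 'X-RrestrictedAttachment';   # header name as written in the thread
my $ROLE = 'tag';   # set to 'suppress' in the filter copy used on port 10025

# True if the current message carries the tag. MIMEDefang writes the
# message headers, one per line, to ./HEADERS in the working directory.
sub has_tag {
    open(my $fh, '<', './HEADERS') or return 0;
    my $found = grep { /^\Q$TAG\E\s*:/i } <$fh>;
    close($fh);
    return $found;
}

sub filter_begin {
    my ($entity) = @_;

    if ($ROLE eq 'tag') {
        my ($code, $category, $action) = message_contains_virus();
        if ($category eq 'virus') {
            # Let the message continue to the scanner, marked for instance 2.
            # action_change_header() overwrites a sender-supplied copy or
            # adds the header when none exists.
            action_change_header($TAG, 'virus');
            md_syslog('info', "tagged infected message: $VirusName");
        } elsif (has_tag()) {
            # Never trust a tag set by the sender: a forged tag would make
            # instance 2 silently drop clean mail.
            action_delete_all_headers($TAG);
        }
        return;
    }

    # Role "suppress": the scanner has removed the attachment and inserted
    # its notice. Tagged mail is discarded silently; untagged mail (such as
    # a stripped VBA file) is delivered with its notice.
    if (has_tag()) {
        md_syslog('info', 'discarding tagged virus notification');
        return action_discard();
    }
}

# Per-part callback; nothing to do in this flow.
sub filter { return; }

1;
```

Each instance loads its own copy of the filter file, differing only in $ROLE.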



