[Mimedefang] Need help with virus notifications

Chris Myers chris at by-design.net
Mon Dec 13 09:26:25 EST 2004


----- Original Message ----- 
From: <WBrown at e1b.org>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Monday, December 13, 2004 7:16 AM
Subject: Re: [Mimedefang] Need help with virus notifications


> mimedefang-bounces at lists.roaringpenguin.com wrote on 12/10/2004 09:54:47
> PM:
>
> > As a matter of policy, I reject (550 SMTP reject) any virus infected or
> > bad_filename emails.  If there's a legitimate user at the other end,
> > they'll get notification of the failure.  If there isn't, the noise
> > should be minimal.

Take the time to identify whether the message is a mass-mailer that
falsifies the sender's address.  This is simple to do, and it avoids
attacking an innocent (remember, the bounce might include the infected
attachment ... and the bounce is going to the one person in the world who
DID NOT send the virus in the first place).

The exact strings to look for in the virus name vary somewhat by vendor, but
I use:

return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );

@MM means "Mass Mailer" in McAfee and Symantec engines.
Worm. means the same thing with ClamAV.
HTML. means a Phishing message with ClamAV.

If the virus doesn't match one of those strings, then you can
action_bounce(...) without being "part of the problem" like many of the
commercial A/V e-mail scanners.

Chris Myers
Networks By Design
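
The discard-or-bounce decision described in the message above, as an added example that is not part of the original post: a standalone Perl harness with local stand-ins for MIMEDefang's action_discard() and action_bounce(). The helper name handle_virus, the sample virus names, the bounce text and the choice to discard when the scanner reports no name are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the post: scanner names that indicate a forged-sender
# mass mailer (McAfee/Symantec "@MM", ClamAV "Worm.") or phishing ("HTML.").
my $FORGED_SENDER_RE = qr/(^Worm\.|\@MM|^HTML\.)/i;

# Stand-ins so this runs outside MIMEDefang. Inside a real mimedefang-filter
# these two functions are supplied by MIMEDefang and must not be redefined.
sub action_discard { return 'discard' }
sub action_bounce  { my ($reply) = @_; return "bounce ($reply)" }

# Hypothetical helper: choose the action for a message the scanner flagged.
sub handle_virus {
    my ($virus_name) = @_;

    # Assumption: with no virus name we cannot judge whether the sender is
    # forged, so stay silent rather than risk bouncing to a third party.
    return action_discard() unless defined $virus_name && length $virus_name;

    # Forged-sender families: a bounce would reach someone who never sent it.
    return action_discard() if $virus_name =~ $FORGED_SENDER_RE;

    # Anything else: the envelope sender is probably real, so tell them.
    return action_bounce("Message rejected: contains virus $virus_name");
}

# Constructed sample names in the styles of the three vendors the post names.
# Single quotes keep Perl from interpolating "@MM" as an array.
my @samples = (
    'W32.Netsky.P@mm',        # Symantec style, lower-case @mm caught by /i
    'W32/Bagle.aa@MM',        # McAfee style
    'Worm.SomeFool.P',        # ClamAV style worm
    'HTML.Phishing.Bank-1',   # ClamAV style phishing
    'Eicar-Test-Signature',   # no mass-mailer marker
    'Trojan.Worm.Sample',     # "Worm." not at the start, so ^Worm\. misses it
    '',                       # scanner returned no name
);

for my $name (@samples) {
    my $label = length($name) ? $name : '(no name)';
    printf "%-22s -> %s\n", $label, handle_virus($name);
}
```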
