[Mimedefang] Need help with virus notifications

Chris Myers chris at by-design.net
Mon Dec 13 14:03:52 EST 2004


----- Original Message ----- 
From: "Ian Mitchell" <trash at aftermagic.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Monday, December 13, 2004 11:32 AM
Subject: Re: [Mimedefang] Need help with virus notifications


> > I use:
> >
> > return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );
> >
> > @MM means "Mass Mailer" in McAfee and Symantec engines.
> > Worm. means the same thing with ClamAV
> > HTML. means a Phishing message with ClamAV
>
> The issue I can see with this approach is that relying on the naming
> standards of a third-party organization is a bit risky. What if they
> decide to name it differently, or if the worm isn't detected properly?

If you detect a mass-mailer, it's only right and proper to drop it quietly.
If the naming convention changes (which it periodically will; the
HTML.Phishing stuff is new to ClamAV) then the worst that happens is that
you bounce something you should have dropped.

My default policy is:

    1) drop mass-mailers and other known forged sender viruses
    2) bounce all other viruses, just in case someone really is infected and
would like to know about it.

And I don't assume that all other folks have poorly configured firewalls
that will let viruses go straight out without passing through some form of
SMTP relay.  Remember that the viruses have access to the infected PC's
settings and can pull their SMTP relay from their mail client rather easily
... it's GOING to happen if it isn't already.

Chris Myers
Networks By Design
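The two-tier policy described above (drop mass-mailers quietly, bounce everything else), written out as a MIMEDefang filter helper. This is an added example, not code from the thread or from the MIMEDefang project. It reuses the three name patterns quoted in the thread; action_discard, action_bounce and md_syslog are MIMEDefang's own filter API, while virus_disposition, apply_virus_policy and the sample virus names are made up here for illustration.

```perl
#!/usr/bin/perl
# Added example: helper for a MIMEDefang filter_end that applies the
# policy from the post (drop mass-mailers quietly, bounce other viruses).
# The name patterns are the ones given in the thread; the helper names
# and the sample virus names below are this example's own.
use strict;
use warnings;

# Patterns that identify mass-mailers / forged-sender malware, as listed
# in the thread: "@MM" (McAfee/Symantec), "Worm." and "HTML." (ClamAV).
# Kept in one place so that a vendor naming change is a one-line edit,
# which addresses the concern raised about relying on third-party names.
my @DROP_PATTERNS = (
    qr/^Worm\./i,   # ClamAV mass-mailer worm
    qr/\@MM/i,      # McAfee / Symantec "Mass Mailer" suffix
    qr/^HTML\./i,   # ClamAV phishing signatures
);

# Returns 'drop' for mass-mailers (sender is forged, so a notification
# reaches the wrong person), 'bounce' for any other detection, and
# 'clean' when no virus name was reported.
sub virus_disposition {
    my ($name) = @_;
    return 'clean' unless defined $name && length $name;
    for my $re (@DROP_PATTERNS) {
        return 'drop' if $name =~ $re;
    }
    return 'bounce';
}

# In a real mimedefang-filter, filter_end would call this after
# message_contains_virus() has populated $VirusName. action_discard,
# action_bounce and md_syslog are MIMEDefang's own functions; the
# surrounding logic is the example's.
sub apply_virus_policy {
    my ($virus_name) = @_;
    my $what = virus_disposition($virus_name);
    if ($what eq 'drop') {
        md_syslog('info', "Discarding mass-mailer $virus_name");
        return action_discard();
    }
    if ($what eq 'bounce') {
        md_syslog('info', "Bouncing virus $virus_name");
        return action_bounce("Message contains virus: $virus_name");
    }
    return;   # clean: let the message through
}

# Stand-alone check with constructed virus names (not real detections,
# apart from the well-known EICAR test signature name used by ClamAV).
unless (caller) {
    my %expect = (
        'Worm.ExampleBot'        => 'drop',
        'W32/Example.a@MM'       => 'drop',
        'HTML.Phishing.Example'  => 'drop',
        'Eicar-Test-Signature'   => 'bounce',
        ''                       => 'clean',
    );
    for my $name (sort keys %expect) {
        my $got = virus_disposition($name);
        printf "%-25s => %s\n", ($name || '(none)'), $got;
        die "unexpected result for '$name'" unless $got eq $expect{$name};
    }
    print "all checks passed\n";
}
```

Run the file directly to exercise the classification table; inside a mimedefang-filter only apply_virus_policy would be called from filter_end, and the self-check block is skipped because the file is loaded as a module rather than run as a script.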