[Mimedefang] Problem with virus bounces

Joseph Brennan brennan at columbia.edu
Mon Dec 20 10:22:54 EST 2004



--On Monday, December 20, 2004 8:56 AM -0500 Ronald Vazquez NLM 
<vazquezr at nlm.nih.gov> wrote:

> Am I right with my suspicion that MD only handles the attachments
> to antivir to scan them?  Has anybody experienced this behavior?  Is
> there anything I could do?


Sure, we have been bombarded with bogus bounces for a long time.
Something called Erkez is currently active in Europe and is sending
us about 1,500 bogus bounces a day.

You can have Mimedefang or Spamassassin look at bounces and reject
some of the bogus bounces.  A bounce should be from <> but common
nonstandard alternatives come from postmaster, mailer-daemon, and
administrator.

If you don't allow your users to send attachments with the customary
list of executable file extensions, then a bounce must be fake if the
bounce contains a line with "name=" and one of those same extensions.
We have an endlessly changing list of other strings to look for in
bounces, including "Declude", "Antigen for Exchange removed",
"Our virus detector has just been triggered by a message you sent",
"X-Mirapoint-Virus: VIRUSDELETED", and "Virus Name: W32.Erkez".

I *think* no clients are broken enough to try to interpret mime inside
a part labelled text/plain.  If you control what is on the staff
desktops you only need to test that software.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
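The checks described in the message above (a bounce arriving from <> or from a postmaster / mailer-daemon / administrator mailbox, a "name=" parameter naming an extension local users are not allowed to send, and the list of tell-tale strings), written out as an added example in Python. This is not code from the original post and not MIMEDefang's own filter code (a real deployment would put this logic in the Perl mimedefang-filter or a SpamAssassin rule); the blocked-extension list, the function names and the three sample messages are assumptions and constructed test data, and the marker strings are exactly the ones quoted in the post.

```python
"""Heuristics for spotting forged virus 'bounces' (example code, not MIMEDefang's)."""
import re
from email import message_from_string
from email.message import Message

# A standards-compliant bounce has the null envelope sender <>; these local parts
# are the common non-standard alternatives named in the post.
BOUNCE_SENDERS = {"", "postmaster", "mailer-daemon", "administrator"}

# Assumed local policy: users may not send these extensions, so a bounce that
# claims we sent one must be forged.  Adjust to the real attachment policy.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}

# Strings the post lists as appearing in forged virus bounces.
FAKE_BOUNCE_MARKERS = [
    "Declude",
    "Antigen for Exchange removed",
    "Our virus detector has just been triggered by a message you sent",
    "X-Mirapoint-Virus: VIRUSDELETED",
    "Virus Name: W32.Erkez",
]

# Matches name="foo.exe" / name=foo.exe and, because it is a substring, filename=...
NAME_PARAM_RE = re.compile(r'name="?([^"\s;]+)', re.IGNORECASE)


def is_bounce_sender(envelope_sender: str) -> bool:
    """True if the SMTP envelope sender is <> or a MAILER-DAEMON-style mailbox."""
    addr = envelope_sender.strip().strip("<>").lower()
    local_part = addr.split("@", 1)[0]
    return local_part in BOUNCE_SENDERS


def _texts(msg: Message, raw: str):
    """Yield the raw message (so MIME part headers are seen verbatim, even for
    base64 attachments) plus every decoded text body, including those inside an
    attached message/rfc822 original."""
    yield raw
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "latin-1", "replace")


def classify_bounce(envelope_sender: str, raw: str) -> dict:
    """Return {'is_bounce', 'fake', 'reasons'} for one message.

    Only messages that look like bounces are inspected; ordinary mail that merely
    mentions a marker string (e.g. a discussion of Declude) is left alone."""
    if not is_bounce_sender(envelope_sender):
        return {"is_bounce": False, "fake": False, "reasons": []}
    msg = message_from_string(raw)
    reasons = set()
    for text in _texts(msg, raw):
        for match in NAME_PARAM_RE.finditer(text):
            name = match.group(1)
            if "." in name and name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
                reasons.add(f"bounce names blocked attachment {name}")
        for marker in FAKE_BOUNCE_MARKERS:
            if marker in text:
                reasons.add(f"known forged-bounce string: {marker}")
    return {"is_bounce": True, "fake": bool(reasons), "reasons": sorted(reasons)}


# --- Constructed sample messages (not real traffic) --------------------------

FORGED_BOUNCE = """\
From: postmaster@example.net
To: victim@example.edu
Subject: Returned mail: Virus detected
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Our virus detector has just been triggered by a message you sent.
Virus Name: W32.Erkez

--b1
Content-Type: application/octet-stream; name="document.scr"
Content-Transfer-Encoding: base64

VGhpcyBpcyBub3QgYSByZWFsIGV4ZWN1dGFibGUu
--b1--
"""

GENUINE_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: sender@example.edu
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.org.
The following address failed: <nobody@example.org>: user unknown

--b2
Content-Type: message/rfc822

From: sender@example.edu
To: nobody@example.org
Subject: meeting notes
Content-Type: text/plain; charset=us-ascii

See you Tuesday.
--b2--
"""

ORDINARY_MAIL = """\
From: alice@example.org
To: bob@example.edu
Subject: which scanner do you use?
Content-Type: text/plain; charset=us-ascii

We evaluated Declude last year; no strong opinion yet.
"""

if __name__ == "__main__":
    for label, sender, raw in [("forged", "<>", FORGED_BOUNCE),
                               ("genuine", "<>", GENUINE_DSN),
                               ("ordinary", "alice@example.org", ORDINARY_MAIL)]:
        print(label, classify_bounce(sender, raw))
```

The envelope sender is passed in separately because it is an SMTP-level value (in MIMEDefang it is available to the filter as the sender argument), not something to trust from the From: header, which the forged sample deliberately sets to a postmaster address. Scanning the raw message as well as the decoded bodies matters: the "name=" parameter lives in a MIME part header, so it is visible even when the attachment itself is base64, while the marker strings may sit in a quoted-printable body that only shows up after decoding.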
