[Mimedefang] Need help with virus notifications

Ian Mitchell trash at aftermagic.com
Mon Dec 13 12:32:00 EST 2004


> Date: Mon, 13 Dec 2004 08:26:25 -0600
> From: "Chris Myers" <chris at by-design.net>
> Subject: Re: [Mimedefang] Need help with virus notifications
>
> Take the time to identify whether the message is a mass-mailer that
> falsifies the sender's address.  This is simple to do, and it avoids
> attacking an innocent (remember, the bounce might include the infected
> attachment ... and the bounce is going to the one person in the world who
> DID NOT send the virus in the first place).
>
> The exact strings to look for in the virus name vary somewhat by vendor,
> but I use:
>
> return action_discard if ( $VirusName =~ /(^Worm\.|\@MM|^HTML\.)/i );
>
> @MM means "Mass Mailer" in McAfee and Symantec engines.
> Worm. means the same thing with ClamAV
> HTML. means a Phishing message with ClamAV

The issue I can see with this approach is that relying on the naming
standards of a third-party organization is a bit risky. What if they
decide to name it differently, or if the worm isn't detected properly? It
would be more appropriate to reject it with an action_bounce giving a
550 denied error with an appropriate message that lets the sender know why
it wasn't sent. That way if they send a manual Word document that just
happened to have a funky auto_start macro (ek!) that tripped a virus scan,
they would know. If it was a mindless drone on grandma's PC, then no harm
would be done.

And as for phishing messages detected by clamav, who the heck cares if
they get bounced. Less noise in the long run! If you bounce a message,
just make sure the justification reason given to the end user is
sufficient for them to correct the issue and resend.
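A worked example, added here and not part of Ian's or Chris's message: a filter_end() for mimedefang-filter that combines the two positions in the thread. Virus names matching the vendor-specific mass-mailer patterns quoted above are discarded silently (the envelope sender is almost certainly forged), and everything else is rejected during the SMTP transaction with a 550 and a reason the sender can act on. It uses the MIMEDefang hooks message_contains_virus(), action_discard(), action_bounce(), md_syslog() and md_graphdefang_log(), and the globals $VirusName and $RelayAddr that mimedefang.pl sets; like the stock mimedefang-filter it does not use strict, because those globals are supplied by mimedefang.pl. The pattern list is the one from the quoted message; the helper name virus_disposition and the wording of the reject text are assumptions.

```perl
# Added example for mimedefang-filter (Perl), not code from the original
# thread.  Assumes MIMEDefang's filter API: message_contains_virus(),
# action_discard(), action_bounce($msg, $code, $dsn), md_syslog(),
# md_graphdefang_log(), and the globals $VirusName / $RelayAddr.

# Name fragments the quoted message attributes to specific engines:
#   ^Worm\.   ClamAV mass-mailing worms
#   \@MM      McAfee / Symantec "Mass Mailer" suffix
#   ^HTML\.   ClamAV phishing signatures
# Kept as a list so a renamed signature family is one edit here, not a
# change to the control flow.  Any match wins; order does not matter.
my @MASS_MAILER_PATTERNS = (
    qr/^Worm\./i,
    qr/\@MM/,
    qr/^HTML\./i,
);

# Decide what to do with a detected virus, given the scanner-reported name.
# Returns 'discard' for forged-sender mass mailers and 'bounce' for
# everything else.  An empty or undefined name also yields 'bounce', so an
# unrecognised scanner output is never dropped silently.
sub virus_disposition {
    my ($name) = @_;
    return 'bounce' unless defined $name && length $name;
    for my $re (@MASS_MAILER_PATTERNS) {
        return 'discard' if $name =~ $re;
    }
    return 'bounce';
}

sub filter_end {
    my ($entity) = @_;

    # message_contains_virus() runs the configured scanner(s); on a hit it
    # sets $VirusName (and $VirusScannerMessages) before returning true.
    if (message_contains_virus()) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Virus '$VirusName' detected from $RelayAddr");

        if (virus_disposition($VirusName) eq 'discard') {
            # Forged sender: any notice would reach the wrong person, and
            # would carry the infected attachment with it.  Drop it.
            return action_discard();
        }

        # Reject inside the SMTP transaction.  Sendmail hands this text to
        # the connecting MTA as the 550 reply; nothing is mailed back from
        # this host, so the sender gets the reason without the payload.
        return action_bounce(
            "Message rejected: the virus scanner reported '$VirusName'. "
              . "Please clean the attachment and resend, or contact "
              . "postmaster if you believe this is a false positive.",
            550,
            "5.7.1",
        );
    }
    return;
}
```

Because action_bounce() rejects at the end of DATA rather than accepting the message and mailing a DSN later, the "bounce" Ian proposes does not itself produce backscatter with the infected file attached; whether the (possibly forged) envelope sender is notified is left to the relaying MTA on the other side of the connection. The discard branch only covers the families the pattern list knows about, which is exactly the dependence on third-party naming that Ian objects to, so the list deserves a check whenever the scanner is upgraded.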
More information about the MIMEDefang mailing list