[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Alan Premselaar alien at 12inch.com
Fri Jul 1 04:10:13 EDT 2005


Kelson wrote:
> WBrown at e1b.org wrote:
> 
>> My address would have to be forged by a virus that uses a relay, and 
>> most of the current viruses are direct to MX with their own SMTP 
>> engines.  In these cases this is moot.  The message just dies with 550.
> 
> Expect this to change as more ISPs start filtering outgoing SMTP 
> connections.  All a virus (or spam zombie) has to do is extract the 
> settings from the user's mail config and send via the ISP's relay.
> 
> Depending on how the app stores the password, it may even be possible to 
> use SMTP AUTH.
> 

One of the reasons I use 550 rejects for viruses is that I also scan 
outgoing mail... so if by some chance one of my users gets infected with 
a virus (regardless of the fact that we have desktop antivirus software 
installed on all our machines as well as ClamAV on the MX server) and it 
tries to send out using our mail gateway, the mail gateway will reject 
that mail with a 550 and throw an error back to the client machine.

If the virus is in an attachment that they're legitimately trying to 
send, they'll get an error message and then they'll undoubtedly come 
crying to the helpdesk, which will then kick them and tell them to run 
the latest antivirus software/signatures.

If we just dumped viruses into /dev/null, the user would assume their 
mail was sent and just "never got to the recipient"... Considering that 
a lot of our business is conducted via email (internationally) and can 
often be time sensitive, by the time we figured out that the intended 
recipient never received the mail (at this point probably x times), and 
why, it may be too late.

There are pros and cons to both solutions.  Choosing the solution in 
which the pros outweigh the cons for your situation is the important part.

alan
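As an added illustration (not code from this thread or from the MIMEDefang project), here is a mimedefang-filter fragment implementing the reject-with-550 policy Alan describes, with the discard alternative he argues against left commented out. It assumes the standard MIMEDefang filter API (filter_end, message_contains_virus, action_bounce, action_discard, md_syslog and the $VirusName, $Sender and $RelayAddr globals) and a hypothetical internal netblock 192.0.2.0/24 used to label a message as outgoing.

```perl
# Added example, not from the original post: a filter_end hook for
# /etc/mail/mimedefang-filter that rejects infected mail with a 550.
# The 192.0.2.0/24 internal network below is a hypothetical placeholder.

sub filter_end {
    my ($entity) = @_;

    # message_contains_virus() runs the configured scanner (e.g. ClamAV)
    # over the whole message and sets $VirusName when it finds something.
    return unless message_contains_virus();

    # Hypothetical: connections from our own LAN are outgoing mail, so a
    # rejection here is what reaches the user's mail client as an error.
    my $direction = ($RelayAddr =~ /^192\.0\.2\.\d+$/) ? 'outgoing' : 'incoming';

    md_syslog('warning',
        "rejecting $direction message from <$Sender> via $RelayAddr: $VirusName");

    # Policy from the post: fail the SMTP transaction with a permanent 550
    # so the submitting client sees the failure instead of silent loss.
    action_bounce("Message rejected: virus $VirusName detected", 550, "5.7.1");

    # The alternative the post argues against: swallow the message. The
    # sender would assume it was delivered and nobody would be told.
    # action_discard();
}
```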
