[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Fri Jul 1 16:27:38 EDT 2005



 
Alan Premselaar wrote:
> I'm not generating bounces... i'm merely 550 rejecting ... which is fine
> in my situation because it's the SMTP outgoing gateway machine that is
<snip>

Well, you may not be generating the bounces, but someone else is.  The next
step in a standards-conforming MTA after a reject is to wrap the message in
an NDN and return it to the sender. Maybe you're not doing it, but the
remote SMTP server (if it is a LEGIT server) is certainly bouncing.  I see
your point though, in a virus using its own SMTP engine, the reject stops
the message in its tracks since the virus SMTP engine is not capable of
handling the rejection properly.

> 
> we have instituted a no MS internet software policy, but it doesn't
> necessarily mean that someone's not going to open OE or IE out of habit
> or just cuz they think they know what they're doing.

Consider yourself lucky...if I could get the bosses at my place to agree to
a "no MS software", or better yet, "no Windoze", I'd be in paradise compared
to where I am now.

> if AV scanners were absolutely, without a doubt 100% reliable, that
> would be a different story.  if there were NO OTHER WAYS to contract
> these viruses, it would be a different story.  if there weren't other
> legitimate causes for DSNs, NDN, or whathave you, then the argument
> would hold more weight.

You won't get an argument out of me that AV scanners are 100% reliable; even
in my situation viruses have gotten through (although VERY rarely because of
our sendmail config, greylisting, greet delays, connection rate throttles,
SMTP user existence checking, and everything else we have going on to stop
crap mail from getting through to business clients), but I will confidently
say that if an AV scanner FLAGS a message as a virus, chances are about 100%
that it IS, IN DEED, a virus -- no ifs, ands, or buts.  

- Chris


------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net




More information about the MIMEDefang mailing list