[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Fri Jul 1 09:05:37 EDT 2005


Alan wrote:

> One of the reasons I use 550 rejects for viruses is that I also scan
> outgoing mail... so if by some chance one of my users gets infected with
> a virus (regardless of the fact that we have desktop antivirus software
> installed on all our machines as well as ClamAV on the MX server) and it
> tries to send out using our mail gateway, the mail gateway will reject
> that mail with a 550 and throw an error back to the client machine.
> 
> If the virus is in an attachment that they're legitimately trying to
> send, they'll get an error message and then they'll undoubtedly come
> crying to the helpdesk which will then kick them and tell them to run
> the latest antivirus software/signatures.
> 

While it certainly makes sense to reject viruses when scanning outgoing mail
from your own network, it's best to make sure that virus attachment is
removed prior to rejecting and generating the bounce.  We also used to do
the same thing (rejecting viruses) when it came to outbound mail from our
own mail server (which is completely separate from our MD/ClamAV (CanIt-PRO)
gateway cluster), where we run a commercial AV scanner.  In at least a dozen
or so situations early last year, we were basically rejecting viruses from
client PCs, but the ignorant users (who WERE NOT infected prior to receiving
the bounce), would open the attachments in the bounce and infect their PCs,
spreading the virus like wildfire. Let me explain...

So, user-x at digicon.net would be infected (where a virus, such as W32.Bagle,
would be auto-generating email from their PC and sending out copies of
itself), sending out the virus using a forged FROM address from
user-y at digicon.net, and our mail server would reject and generate a bounce
to user-y, containing the virus attachment in the NDN.  This raised hell for
us.  After spending all-nighters several days in a row getting rid of the
virus last year, we changed the policy on our mail server so that viruses
were removed, so that the reject only contained the 5xx code and headers,
hoping that we could, perhaps, trace the source based on the NDN -- not the
case.  Recent viruses make our lives even more difficult because they fake
the source IP, so now we can't even trace the thing back to the infected PC,
at least not via the NDN.  We have to rely on logging to trace viruses. 

You could easily argue my position by stating "well, if you reject at the
SMTP connection phase, the client PC sending the virus receives the
rejection no matter what".  Ok, that's true, but the NDN/reject still
confuses the user, but yes, it does help to narrow down where the virus is
coming from, but logging is even easier and wastes less of our time.

So, now we discard outbound viruses sent from users on our own network, and
rely solely on our virus logging utilities to figure out where the virus
originated from.  We have found that rejections are absolutely USELESS to
end users, they don't understand them and it just generates unnecessary and
wasteful helpdesk calls.  When you're trying to maximize and use your IT
staff's time most efficiently, discarding viruses is the ONLY resolution
that makes sense; and I imagine this scenario applies to a majority, and not
just a few of you.

- Chris   

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
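The policy Chris describes (log the source, discard outbound viruses from the internal network, and never hand the attachment back in a bounce) maps onto a MIMEDefang filter fairly directly. The following `filter_begin` is an added example, not code from the post or from the MIMEDefang project; the `@INTERNAL_NETS` prefixes are placeholders for whatever address ranges your own user PCs relay from, and `relay_is_internal` is a helper written here for illustration.

```perl
# Added example: MIMEDefang filter_begin implementing
# "discard outbound viruses, reject inbound ones, log everything".
# Placeholder prefixes for our own client networks (assumption; replace).
my @INTERNAL_NETS = ('192.0.2.', '198.51.100.');

# Hypothetical helper: true if the connecting relay is one of our own PCs.
sub relay_is_internal {
    my ($addr) = @_;
    foreach my $net (@INTERNAL_NETS) {
        return 1 if index($addr, $net) == 0;
    }
    return 0;
}

sub filter_begin {
    my ($entity) = @_;

    # message_contains_virus() runs the configured scanner (ClamAV here)
    # and sets $VirusName when something is found.
    return unless message_contains_virus();

    # Log what we need to trace the infected machine: queue ID, relay IP,
    # HELO name and envelope sender. The From header and even the source
    # IP in the body may be forged, so the relay address is what matters.
    md_syslog('warning',
        "$QueueID: virus $VirusName from relay $RelayAddr (helo $Helo) "
      . "sender <$Sender>");

    if (relay_is_internal($RelayAddr)) {
        # Outbound from our own network: drop it silently. A bounce would
        # go to the forged sender and could carry the infected attachment
        # straight to an uninfected user.
        action_discard();
    } else {
        # Inbound from the outside: a plain SMTP-time 5xx. MIMEDefang sends
        # only the reply line; no copy of the message or attachment goes back.
        action_bounce("Message rejected: virus $VirusName detected");
    }
}
```

With this in place the helpdesk never sees a user opening "the attachment from the bounce", and the syslog line gives the relay IP to match against DHCP or switch logs when hunting the infected PC.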
