[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications
alan premselaar
alien at 12inch.com
Fri Jul 1 09:47:13 EDT 2005
Chris Gauch wrote:
> Alan wrote:
>
>
>>One of the reasons I use 550 rejects for viruses is that I also scan
>>outgoing mail... so if by some chance one of my users gets infected with
>>a virus (regardless of the fact that we have desktop antivirus software
>>installed on all our machines as well as ClamAV on the MX server) and it
>>tries to send out using our mail gateway, the mail gateway will reject
>>that mail with a 550 and throw an error back to the client machine.
>>
>>if the virus is in an attachment that they're legitimately trying to
>>send, they'll get an error message and then they'll undoubtedly come
>>crying to the helpdesk which will then kick them and tell them to run
>>the latest antivirus software/signatures.
>>
>
>
> While it certainly makes sense to reject viruses when scanning outgoing mail
> from your own network, it's best to make sure that virus attachment is
> removed prior to rejecting and generating the bounce. We also used to do
> the same thing (rejecting viruses) when it came to outbound mail from our
> own mail server (which is completely separate from our MD/ClamAV (CanIt-PRO)
> gateway cluster), where we run a commercial AV scanner. In at least a dozen
> or so situations early last year, we were basically rejecting viruses from
> client PCs, but the ignorant users (who WERE NOT infected prior to receiving
> the bounce), would open the attachments in the bounce and infect their PCs,
> spreading the virus like wildfire. Let me explain...
I'm not generating bounces... I'm merely 550 rejecting ... which is fine
in my situation because it's the SMTP outgoing gateway machine that is
rejecting the content coming directly from the client machine (which is
on our local network) ... so, what happens is, the user (on said client
machine) writes email, attaches a file, hits send, gets a popup window
that says "ERROR 550 YOUR MESSAGE CONTAINS A VIRUS" and doesn't go
beyond that point until they either a) figure it out themselves and run
their anti-virus scanner or (more likely) b) contact our helpdesk and
admit that they don't know enough to really be allowed to touch a
computer even indirectly connected to the internet. Then our help desk
eradicates the virus or tells the user they're SOL.
No bounces (aka DSN or NDN) involved.
we have instituted a no MS internet software policy, but it doesn't
necessarily mean that someone's not going to open OE or IE out of habit
or just cuz they think they know what they're doing.
Also, one point that has been glazed over in this entire thread is that
email is not the only way for these machines to be infected with
viruses, and the user doesn't even have to be a complete moron to become
infected any longer. Especially with exploits in which all you have to
do is open the wrong URL, without knowing it or any indication on the
site itself, just that one little act can infect your machine. nothing
to do with mail.
Right or wrong, I don't think either solution really adds any more to
the problem, nor does it really remove anything from the problem. I
think what these solutions do is change the way the problem is perceived
by the people that are directly affected by the implementation of these
solutions.
If AV scanners were absolutely, without a doubt 100% reliable, that
would be a different story. If there were NO OTHER WAYS to contract
these viruses, it would be a different story. If there weren't other
legitimate causes for DSNs, NDNs, or what have you, then the argument
would hold more weight.
As it stands, obviously, my solution isn't appropriate for everyone, but
it is most appropriate for me. my solution is rejection (not bouncing).
my solution can have some adverse effects on other people as a result of
someone else's malicious software, true. so does yours. just in a
different way.
I take the stand (as others on the list also have) that I am not, and
can not be responsible for everyone I come into contact with either
directly or indirectly. As much as I would like to help everyone, I'm
neither qualified, nor is it entirely appropriate. At a certain point,
people need to take responsibility for themselves. That includes being
responsible for what they do and/or do not tolerate, how they deal with
those things that they find they are unable to tolerate, and how to
alter their environment so that they can protect themselves from those
things they are unable to tolerate.
The argument that I've seen here has been two-in-one. The first is that
discarding is better than rejecting. For some, that is true and
appropriate. The second, parallel argument is that the reason to
discard is because people other than [insert admin/implementing
authority/etc. here] are unable to accept or even understand
responsibility for themselves and that we (the mail admin community)
must accept responsibility for them and every other netizen instead of
educating them as necessary for them to accept responsibility. This is
the role of an enabler and I personally don't buy into it.
It's not always *easy* to do what's truly "right", but in the long run
it's usually worth the extra effort.
Anyways, I think I'm done ranting now. I think the point has been driven
pretty hard into the ground and the horse may actually be dead now.
alan
[snip]
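As an added illustration (not code from this thread and not the stock MIMEDefang sample filter), here is how the outbound-gateway policy described above can be expressed in a mimedefang-filter: a virus arriving from a machine on the local client network is refused in the SMTP session with a 550, so the sending mail client sees the error and no DSN is ever produced, while the same detection on mail coming in from the Internet is discarded rather than rejected. The 192.168.0.0/16 client range and the log wording are assumptions; the globals and functions used are the standard MIMEDefang ones.

```perl
# filter_begin hook for /etc/mail/mimedefang-filter (Perl).
# Added example; assumes the standard MIMEDefang globals $RelayAddr and
# $VirusName and the built-in functions message_contains_virus(),
# action_bounce(), action_discard() and md_syslog().

# Constructed: the LAN our desktop clients submit mail from.
my @LOCAL_CLIENT_NETS = (qr/^192\.168\./, qr/^127\.0\.0\.1$/);

sub relay_is_local_client {
    my ($addr) = @_;
    foreach my $re (@LOCAL_CLIENT_NETS) {
        return 1 if $addr =~ $re;
    }
    return 0;
}

sub filter_begin {
    my ($entity) = @_;

    # Run the virus scanner configured in mimedefang.pl first; nothing
    # to do unless it flagged the message.
    return unless message_contains_virus();

    if (relay_is_local_client($RelayAddr)) {
        # Outbound from one of our own desktops: refuse the message while
        # the client is still connected.  Its mail program shows the 550
        # text directly; no bounce/DSN is created anywhere.
        md_syslog('warning',
            "Rejecting outbound virus $VirusName from $RelayAddr");
        action_bounce("Message contains a virus ($VirusName)", 550, "5.7.1");
    } else {
        # Inbound from the Internet: a reject here would only make the
        # upstream relay generate a bounce to whatever sender address the
        # worm put on the envelope, so drop it silently instead.
        md_syslog('warning',
            "Discarding inbound virus $VirusName from $RelayAddr");
        action_discard();
    }
}
```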