[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Matthew Schumacher matt.s at aptalaska.net
Wed Jun 29 11:56:29 EDT 2005


WBrown at e1b.org wrote:
> 
> For me it was a toss up to silently drop, or 550 reject.  The latter won 
> out in the rare case of a legit message having a Word macro virus.  They 
> would get notified.  In most other cases the mail will die, but in any 
> case, I'm not generating bounce/virus notifications.
> 

I think the 550 reject is the far better policy for the following reasons:

1.  While the RFC doesn't explicitly state that returning a 250 status
and then dropping the message is illegal, it does imply that you would
only do that if you were accepting the message.  I really dislike
incorrect error reporting, and telling the remote MTA that the message
is accepted but then dropping it only adds confusion to the process.

2.  Rejecting with 550 doesn't cause a double bounce problem.  If a user
relays off of a server (say server A) that tries to pass a virus to your
MD/Sendmail server, then that server (server A) is responsible for
generating the error message back to the user causing the double bounce
messages to go back to it.

3.  Returning a 550 status forces the worm/virus/whatever to run outside
of the user's mail client.  If the user had a virus that uses Outlook to
send the message then they may notice it if their email was being rejected.

I agree that getting virus notifications is completely worthless, so I
don't send them out, but I don't tell the remote MTA that the message
was accepted either.
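
The two policies discussed in this thread, written as a mimedefang-filter fragment. This is an added example, not code from the post or from either participant; it assumes clamd is configured for MIMEDefang, and `$VIRUS_POLICY` is a hypothetical setting introduced here for illustration.

```perl
# Added example (not from the original post): reject at SMTP time versus
# accept-and-discard when ClamAV reports a virus.
# Assumption: clamd is available, i.e. $Features{'Virus:CLAMD'} is set.

# Hypothetical setting for this example: 'reject' or 'discard'.
my $VIRUS_POLICY = 'reject';

sub filter_end {
    my ($entity) = @_;

    return unless $Features{'Virus:CLAMD'};

    # Returns (code, category, action). The category is 'virus' when a
    # signature matched; the action is 'tempfail' when the scan itself failed.
    my ($code, $category, $action) = message_contains_virus_clamd();

    if ($category eq 'virus') {
        # $VirusName carries the ClamAV signature name, including its
        # classification prefix (Worm, Trojan, Joke, W97M, ...).
        md_syslog('warning',
            "virus $VirusName from relay $RelayAddr, policy $VIRUS_POLICY");

        if ($VIRUS_POLICY eq 'reject') {
            # The milter refuses the message inside the SMTP transaction,
            # so the connecting MTA sees a 550. No notification is
            # generated here; any error report to the original sender is
            # the responsibility of the relay that tried to hand it over.
            return action_bounce(
                "Message rejected: contains virus $VirusName",
                '550', '5.7.1');
        }

        # The remote MTA receives 250 and the message is silently dropped.
        return action_discard();
    }

    # Scanner failure: ask the sender to retry rather than passing
    # unscanned mail through or losing it.
    if ($action eq 'tempfail') {
        return action_tempfail('Virus scanner unavailable, try again later');
    }
}
```

Despite its name, `action_bounce` does not send a bounce message; it makes the milter return the failure code to the connecting client.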


