[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Wed Jun 29 12:20:12 EDT 2005


I tend to avoid outright rejecting viruses because it just generates more
unnecessary traffic and we don't particularly like dealing with the numerous
rejections ourselves, and do our best to outright block/reject all of the
"bogus virus warnings" sent from other MX hosts (thanks to all of the
spoofing that goes on with virus-generated emails on infected, zombie PCs
external to any of our networks). 

During the SOBER outbreak about a month ago, the mail volume on our gateway
cluster sky-rocketed because of the number of bounces sent to clients behind
our MIMEDefang (CanIt-PRO) mail gateway.  Zombie PCs were sending out virus
attachments all over the place spoofing domains that we host, resulting in
all the bounces coming back to us.  It was a real thorn in our side, so
that's basically my $0.02 on rejecting virus-infected mail messages.  We
just discard the messages and don't bother with them (as 90% or more of the
infected emails were sent from zombie PCs, and not MX hosts anyway).

- Chris

 
> -----Original Message-----
> From: mimedefang-bounces at lists.roaringpenguin.com
> [mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of WBrown at e1b.org
> Sent: Wednesday, June 29, 2005 11:53 AM
> 
> > Where it really makes a difference is false-positives.  Silent drop
> > is lost data (the sender thinks it was delivered, the recipient
> > doesn't get it.)  550 reject at least lets the sender know that the
> > receiving MTA is under the impression that the mail is a virus.
> 
> That was one other consideration when I went with 550 reject for viruses.
> But in a year and a half of running MIMEDefang (CanIt Pro) with ClamAV, I
> have not had one complaint of a false positive virus.  I've only had two
> questions about blocking unsafe extensions, one of which the sender
> thought he was sending a Word DOC file when it turned out to be a URL
> extension.


------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
(716) 583-1254
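
The trade-off discussed in this thread (silent discard versus a 550 reject) can be applied per ClamAV class inside a MIMEDefang filter. The following is an added example, not code from the thread or from the MIMEDefang project; the helper `virus_disposition` and the worm-only discard rule are assumptions, and the signature names in the comments are constructed samples.

```perl
# Fragment for /etc/mail/mimedefang-filter (added example, not from the thread).
# Assumption: the scanner reports ClamAV-style names whose first dot-separated
# component is the class, e.g. "Worm.Sober.P" or "W97M.Marker" (constructed).

# Hypothetical helper: map a signature name to 'discard' or 'reject'.
sub virus_disposition {
    my ($name) = @_;
    # No usable name: fail towards the visible outcome (reject).
    return 'reject' unless defined $name && length $name;

    my ($class) = split /\./, $name;
    # Mass-mailing worms forge the sender, so any notification reaches a
    # third party; drop these silently.
    return 'discard' if lc($class) eq 'worm';

    # Everything else (Trojan, Joke, W97M, ...) may come from a real sender,
    # so let the sending MTA see a 5xx and report it.
    return 'reject';
}

sub filter_begin {
    my ($entity) = @_;

    # Runs the configured scanner(s); sets the global $VirusName on a hit.
    my ($code, $category, $action) = message_contains_virus();

    # Scanner failure: ask the sender to retry rather than pass mail unscanned.
    if ($action eq 'tempfail') {
        return action_tempfail("Problem running virus scanner");
    }
    return unless $category eq 'virus';

    md_syslog('warning', "Virus $VirusName from relay $RelayAddr");

    if (virus_disposition($VirusName) eq 'discard') {
        return action_discard();
    }
    # action_bounce() makes the milter answer 5xx during the SMTP dialogue;
    # MIMEDefang itself does not generate a bounce message.
    return action_bounce("Message rejected: contains virus $VirusName");
}
```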



