[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Matthew Schumacher matt.s at aptalaska.net
Wed Jun 29 12:42:41 EDT 2005


Chris Gauch wrote:
> I tend to avoid outright rejecting viruses because it just generates more
> unnecessary traffic and we don't particularly like dealing with the numerous
> rejections ourselves, and do our best to outright block/reject all of the
> "bogus virus warnings" sent from other MX hosts (thanks to all of the
> spoofing that goes on with virus-generated emails on infected, zombie PCs
> external to any of our networks). 


Rejecting does not generate more unnecessary traffic:

"554 5.7.1 Message contains Eicar-Test-Signature virus, rejected"

is only 9 chars longer than

"250 2.0.0 j5TFveMB027444 Message accepted for delivery"

Don't get me wrong, I'm not talking about sending a virus notification,
I'm talking about rejecting the message in smtp.

> 
> During the SOBER outbreak about a month ago, the mail volume on our gateway
> cluster sky-rocketed because of the number of bounces sent to clients behind
> our MIMEDefang (CanIt-PRO) mail gateway.  Zombie PCs were sending out virus
> attachments all over the place spoofing domains that we host, resulting in
> all the bounces coming back to us.  It was a real thorn in our side, so
> that's basically my $0.02 on rejecting virus-infected mail messages.  We
> just discard the messages and don't bother with them (as 90% or more of the
> infected emails were sent from zombie PCs, and not MX hosts anyway).
> 

When you reject the message in SMTP, the remote MTA currently sending
the virus gets the reject message.  It has nothing to do with the domain
of the sender since no message is generated to that person.

It looks to me like your gateway was sending notifications to the
senders; that is not what I'm talking about.  I'm talking about your
gateway resulting in a "554 Message rejected" status, which in your
example above would have been sent to the zombies.

schu
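Below is an added example (not part of the post above and not the filter shipped with MIMEDefang) of what "rejecting in SMTP" looks like in a MIMEDefang filter. The stock mimedefang-filter discards infected mail in filter_begin; this fragment keeps the same structure and only swaps the discard for an SMTP-level rejection. It assumes a scanner such as clamd is configured so that message_contains_virus() sets $VirusName; the reply text matches the one quoted in the post.

```perl
# Added example for /etc/mail/mimedefang-filter: reject infected mail at
# the end of DATA instead of discarding it. Everything here uses the
# documented MIMEDefang filter API; only the reply text is our choice.
sub filter_begin {
    my ($ctx) = @_;

    # message_contains_virus() runs the configured scanners (e.g. clamd)
    # over the unpacked message and sets $VirusName when one reports a hit.
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        md_syslog('warning',
                  "Rejecting message from $RelayAddr: virus $VirusName");

        # Despite its name, action_bounce() does not create a bounce message.
        # It tells sendmail (via the milter) to answer the end of DATA with
        # this reply, so it goes only to the MTA that is connected right now,
        # i.e. the zombie in the case discussed above. No DSN is generated,
        # so the forged envelope sender never hears about it.
        return action_bounce("Message contains $VirusName virus, rejected",
                             "554", "5.7.1");
    }

    return;   # clean so far; the rest of the filter runs as usual
}
```

The three arguments to action_bounce are the human-readable reply text, the SMTP reply code and the enhanced status code; 554 with 5.7.1 is the conventional permanent "rejected for policy reasons" answer, so a legitimate sending MTA will not retry it.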
