[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Wed Jun 29 13:49:52 EDT 2005


Les Mikesell wrote:

> I think you'll change your mind about this the day some virus spews
> thousands of emails with *your* address forged as the sender through
> a relay that doesn't block it, a very likely event if you've sent
> email to a lot of people.  Your smtp rejection forces the sending
> relay to construct a bounce message which is almost certain to be
> to a forged return address - I don't think any viruses in the past
> several years have sent with the real user name.  When it's your return
> address involved, you might wish everyone just dropped viruses quietly.
> 

Les,

I couldn't agree with you more.  An SMTP rejection is an inexpensive way to
deal with viruses, but it can add to the problem and certainly leaves the
virus intact; and it may wind up being sent to some poor, unsuspecting user
that never sent the thing in the first place. 

You also have to consider that if you have multiple MX hosts (as we do) on
your network that a rejection from one of your MX servers just means that the
sending SMTP server *may* try a lower-priority MX (I'm going out on a limb
and assuming the spammer or exploit software/virus is smart enough to even
pay attention to MX records). So, not ONLY does 1 mail server have to reject
the message, but you potentially generate more unnecessary traffic on your
other MX/SMTP servers as they also may have to deal with the same infected
message.

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
(716) 583-1254




