[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications
WBrown at e1b.org
Wed Jun 29 14:09:22 EDT 2005
mimedefang-bounces at lists.roaringpenguin.com wrote on 06/29/2005 01:32:55 PM:
> Well, you have to accept the message data to scan it in the first place.
> Since I already wasted my time scanning it with the virus scanner, I might
> as well take the nanosecond involved in accepting the message and then just
> throw it out. We scan for viruses before any spam scanning is performed.
I think we're getting into a matter of definition. You have to receive
the message to scan it. We scan it before we tell the sending host
"Thanks, I'll take it from here" (technically: 250 message accepted for
delivery). If we don't like it (spam or virus or whatever), we refuse
delivery with a temporary or permanent failure code.
> In my opinion, the virus has to meet its doom somewhere, that way I know
> it's gone and not floating around on the net causing problems for someone
> else (perhaps being a thorn in our side again). I think it's safe to say
> that don't use too many additional resources by throwing virus-infected mail
> into the bit bucket after it has already been identified as "infected" by
> our virus scanner. ;-)
Discarding a suspected virus does reduce utilization all around, but if it
is a false positive, no one knows that it didn't get through. Hell,
that's why I like MD/CanIt. It uses the SMTP error codes to block the
messages instead of dumping them into a holding tank of some sort to never
be seen again, or requiring human action to know that they ended up there.
By failing the delivery, it bounces back if it was a false positive for
spam or virus.