[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

WBrown at e1b.org WBrown at e1b.org
Wed Jun 29 14:09:22 EDT 2005


mimedefang-bounces at lists.roaringpenguin.com wrote on 06/29/2005 01:32:55 PM:

> Well, you have to accept the message data to scan it in the first place.
> Since I already wasted my time scanning it with the virus scanner, I might
> as well take the nanosecond involved in accepting the message and then just
> throw it out.  We scan for viruses before any spam scanning is performed.

I think we're getting into a matter of definition.  You have to receive 
the message to scan it.  We scan it before we tell the sending host 
"Thanks, I'll take it from here" (technically:  250 message accepted for 
delivery).  If we don't like it (spam or virus or whatever), we refuse 
delivery with a temporary or permanent failure code.

> In my opinion, the virus has to meet its doom somewhere, that way I know
> it's gone and not floating around on the net causing problems for someone
> else (perhaps being a thorn in our side again).  I think it's safe to say
> that don't use too many additional resources by throwing virus-infected mail
> into the bit bucket after it has already been identified as "infected" by
> our virus scanner. ;-)

Discarding a suspected virus does reduce utilization all around, but if it 
is a false positive, no one knows that it didn't get through.  Hell, 
that's why I like MD/CanIt.  It uses the SMTP error codes to block the 
messages instead of dumping it into a holding tank of some sort to never 
be seen again, or requiring human action to know that it ended up there. 
By failing the delivery, it bounces back if it was a false positive for 
spam or virus.
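
The two dispositions discussed in this message, written as a mimedefang-filter fragment. This is an added example, not part of the original post and not the poster's or Roaring Penguin's own filter. `$REJECT_VIRUSES` and the reply texts are hypothetical; the other calls and `$VirusName` are the filter API that mimedefang.pl provides.

```perl
# Fragment of a mimedefang-filter (added example). It runs under mimedefang.pl,
# which supplies message_contains_virus(), the action_* functions, md_syslog()
# and the $VirusName global.
# $REJECT_VIRUSES is a hypothetical local switch, not a MIMEDefang setting.
my $REJECT_VIRUSES = 1;

sub filter_begin {
    my ($entity) = @_;

    # The scan happens while the SMTP transaction is still open: the sending
    # host has transmitted the message data but has not yet been told
    # "250 message accepted for delivery".
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        md_syslog('warning', "Virus $VirusName found");

        if ($REJECT_VIRUSES) {
            # Refuse delivery with a permanent failure code. The sending host
            # keeps responsibility for the message, so a false positive comes
            # back to the sender as a delivery failure.
            return action_bounce("Message refused: virus $VirusName found");
        }

        # Alternative from the quoted text: answer 250 and drop the message.
        # Neither sender nor recipient learns that it was thrown away.
        return action_discard();
    }

    if ($action eq 'tempfail') {
        # The scanner itself failed. Answer with a temporary failure so the
        # sending host retries later instead of the mail passing unscanned.
        md_syslog('warning',
                  "Virus scanner problem: code=$code category=$category");
        return action_tempfail("Virus scanner unavailable; try again later");
    }

    return;
}

1;  # a filter file must end with a true value
```

Despite its name, `action_bounce` makes the MTA refuse the message during the SMTP session; any bounce notice is generated by the sending host, not by the receiving one.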
