[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Wed Jun 29 15:00:19 EDT 2005


Matthew Schumacher wrote:

> Actually, you don't, you get a copy of it and can look at it before you
> decide, but you don't have to accept it.

OK, technically yes, I am receiving a "copy", but what difference does that
make?  The MTA still has to accept some degree of data (probably the full
message no matter how you slice it); then my virus scanner has to deal with
the message and it costs CPU cycles to scan the message (just as it would if
I fully accepted the message through SMTP).  Either way, the message is
being "accepted"; I guess "copied" is technically correct, but this is all
just wordplay.

> 
> It's not an issue of processing time, or if the message should die, it's
> an issue of correctly reporting what happened.  While some other MTA
> sending bounce notification emails may be causing a thorn in someone
> else's side because you wouldn't accept the message, it's quite possible
> that your policy of announcing that you're 'OK' with the message then
> silently dropping it could be creating plenty of thorns of their own.

Well, a policy is a policy; that is obviously up to that admin and/or owners
of the company or organization.  We take a "do no harm" approach and
therefore discard rather than reject a known-infected email back to the
MX host and/or a "zombie" PC that can't properly deal with the reject code
anyway.

> I make strict policy to accept and deliver or reject regardless of
> whether the message is spam, over quota, invalid user, or otherwise.
> This cut-and-dried rule is easy for my customers to understand.  Either we
> accepted the message and it's in your inbox, or we rejected the message
> in which case the sender will be notified of the problem by their relay.
> There is no possibility for lost email because nothing is ever dropped.

I don't happen to agree with the theory of "announcing" your intentions to
other MX servers (most of those being broken MX and/or open relays), but do
believe it is a viable position to take.  I do, however, reject everything
EXCEPT for known viruses, so I would say that my policies are similar to
yours.  I reject Windows executables (exe, bat, etc.), spam, domain
mismatches, etc., for example, because I know that any of those has a MUCH
higher probability of being "legitimate".  Rarely, if ever, are
virus-infected emails legitimately sent with the user's knowledge.  It is
(and should be) the responsibility of the sender's ISP to closely monitor
and track IPs with virus activity (as we do), so if a virus is causing
problems, the ISP can politely notify the user or company using the
infected PC so that it is dealt with swiftly and effectively.  If it were
left up to me, my only response to anyone with an infected PC would be:
"seek an alternative OS to Windows".

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
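As an added example (not code from the poster, nor from the MIMEDefang project's stock filter), here is how the reject-versus-discard split described in the message above could be expressed in a mimedefang-filter: known-infected mail is silently discarded, while executable attachments and spam are refused at SMTP time so that a real sender hears about it from their own relay. It assumes the standard MIMEDefang filter API (message_contains_virus, re_match, action_discard, action_bounce, action_accept, message_rejected, md_syslog, spam_assassin_is_spam, and the $Sender, $RelayAddr, $VirusName and %Features globals) with ClamAV configured as the scanner; the extension list, log strings and rejection text are this example's own choices.

```perl
# mimedefang-filter fragment (Perl).  Added example, not the poster's filter.
# Policy: discard known-infected mail, reject executables and spam with 5xx.
# Assumes the stock MIMEDefang globals and functions listed in the lead-in
# and a configured ClamAV scanner; extension list and log text are our own.

use strict;
use warnings;

# Assumption: the extensions this site treats as Windows executables.
my $exe_exts = '(exe|bat|com|cmd|pif|scr)';

# Called once per message, before any per-part filtering.
sub filter_begin {
    my ($entity) = @_;

    # Runs every configured scanner (ClamAV here) over the whole message.
    # On a hit, discard: the relay is very likely an infected PC that cannot
    # act on a 5xx anyway, and a rejection would only make a broken relay
    # bounce the notice to a forged sender.
    if (message_contains_virus()) {
        md_syslog('warning',
            "discarding virus '$VirusName' from $Sender via $RelayAddr");
        action_discard();
        return;
    }
}

# Called once per MIME part.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # Nothing more to do if filter_begin already discarded or rejected.
    return if message_rejected();

    # An executable attachment has a real chance of being a legitimate (if
    # unwise) send, so refuse it at SMTP time with a 554 and let the sender's
    # own relay tell them.  re_match tests the part's filename against the
    # pattern case-insensitively.
    if (re_match($entity, "\\.$exe_exts\$")) {
        md_syslog('info',
            "rejecting executable attachment '$fname' from $Sender");
        action_bounce("Executable attachments ($fname) are not accepted here",
                      '554', '5.7.1');
        return;
    }

    return action_accept();
}

# Called once after every part has been seen.
sub filter_end {
    my ($entity) = @_;
    return if message_rejected();

    # Spam is likewise rejected rather than dropped, for the same reason:
    # the sender may be real, and their relay will carry the 5xx back.
    if ($Features{'SpamAssassin'} && spam_assassin_is_spam()) {
        md_syslog('info', "rejecting spam from $Sender via $RelayAddr");
        action_bounce('Message rejected as spam', '554', '5.7.1');
    }
}

1;
```

Despite its name, action_bounce never generates a bounce message itself: it makes the SMTP transaction fail with the given 5xx code, so the only host that will say anything to the sender is the relay that tried to deliver to you. action_discard, by contrast, returns a 2xx to that relay and then drops the message, which is exactly the "accept and say nothing" behaviour the two posters disagree about.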
