[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Matthew Schumacher matt.s at aptalaska.net
Wed Jun 29 16:08:50 EDT 2005


Matthew.van.Eerde at hbinc.com wrote:
> Sven wrote:
> 
>>The only problem with 554 is in cases (like ours) where the AV machine
>>is not the MX server, i.e. the MX (inbound) gateway does user and rbl
>>checks then passes the email to the av scanner. A 554 on the av
>>scanner would then cause the MX machine to try and bounce the email
>>which then creates all the double-bounces and extraneous traffic.
>>Ergo, our avscanners simply drop virus-laden emails.
> 
> 
> This is a valid point.  We used to run this way.  I considered it a flaw in our network.  I went to a great deal of trouble to make sure that our MX servers did their own virus-scanning so I wouldn't have to choose between the three evils of:
> 
> * Send "your message to RECIPIENT was discarded as a virus" to the purported sender
> * Send "A message to you from SENDER was discarded as a virus" to the recipient
> * Silently discard
> 
> There are still some bounce messages we send - over quota, out of office - but it's much better than it was.
> 

My solution for this is very simple.  My secondary MX host uses the
mimedefang server (over TCP socket) on the primary, but is set up to not
fail if the milter is unavailable (no F=T).  Then I put all of my quota,
virus, spam, account status, etc. code in mimedefang.

Using this setup, both MX hosts know to reject or accept messages
according to my policy, but should the primary fail the secondary starts
queuing without mimedefang.  This will cause bounce notifications and
thus double bounce messages, but only for the messages sent during the
primary server outage.  Since this happens quite infrequently I live
with it.

Another thing I do to stop spam is add several RBLs in the sendmail
config on the secondary MX.  This way if a user gets a message from a
server that is blacklisted it may be rejected as spam depending on how
it scores, but if the spam is sent to the secondary directly the
connection will be rejected.

Most spam is sent to the secondary MX record because they figure you
have less filtering on that box, so I put more filtering on it.
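The sendmail.mc lines that produce the setup described above, as an added illustration and not the poster's own configuration. The hostnames mx1.example.net and example.net, TCP port 3366, the milter timeouts and the two DNSBL zones are assumptions chosen for the example; the macro names and flag semantics are sendmail's own (cf/README):

```m4
dnl Secondary MX sendmail.mc (example, not the poster's file).
dnl mx1.example.net, port 3366, example.net and the DNSBL zones are assumptions.
VERSIONID(`secondary MX example')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl

dnl Use the MIMEDefang milter that runs on the primary, over TCP.
dnl No F= flag is given: if the milter cannot be reached, sendmail
dnl continues without it and queues the mail. F=T would answer with a
dnl temporary failure and F=R with a permanent reject instead.
INPUT_MAIL_FILTER(`mimedefang', `S=inet:3366@mx1.example.net, T=C:1m;S:1m;R:1m;E:5m')dnl

dnl Blocklist checks are done at connect time, before DATA, so a listed
dnl client is refused outright and no bounce or double bounce is created.
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " refused: listed in zen.spamhaus.org"')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"550 Mail from " $&{client_addr} " refused: listed in bl.spamcop.net"')dnl

dnl Relay only the domains the primary serves; recipient validity, quota
dnl and account status are decided by the filter running on the primary.
RELAY_DOMAIN(`example.net')dnl
MAILER(`smtp')dnl
```

On the primary, mimedefang has to listen on that TCP socket instead of a Unix socket (a `-p inet:3366@0.0.0.0` style argument, assumed here; check the mimedefang man page for the exact spelling on your version). The milter protocol carries no authentication, so port 3366 on the primary should be reachable from the secondary's address only, or the secondary could be fed policy decisions by anyone who can connect. Rebuild the .cf with the m4 cf.m4 from your sendmail distribution after editing.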
