[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Wed Jun 29 18:35:21 EDT 2005

Les Mikesell wrote:

> If the thing sending is a standards-conforming MTA, your refusal 
> obligates it to construct a bounce back to what it thinks is the 
> sender.  In the case of viruses, this will always be incorrect so you 
> are likely swamping some innocent party's mailbox with bounces.

This is probably the best argument FOR silently discarding viruses.  Any
standards-conforming MTA will send a "delivery failure" message back to the
alleged sender (undoubtedly forged in the header of the message generated by
the virus), so by rejecting a virus you actually perpetuate the problem,
keeping the virus at large and inevitably bouncing to some legitimate
recipient. The recipient may, in turn, ignorantly open the attachment
encapsulated in the bounce and infect his/her own PC; so I guess the creator
of that virus accomplished the mission anyway (it wound up in someone's
inbox, and that's all that matters).

Just look at what SOBER did for almost 2 weeks (about 1 month ago).  If
everyone had been silently discarding messages infected by SOBER at their
gateways, the virus would've had a much smaller impact on home users and
small to medium businesses.  There were times where we were discarding over
200,000 virus-infected messages per day; virtually ALL of those discards
were from BOUNCES that had encapsulated the virus in the bounce message. 

- Chris 

Chris Gauch
Systems Administrator
Digicon Communications, Inc.
cgauch at digicon.net
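
The discard-instead-of-reject approach argued for in the message above, as a mimedefang-filter fragment. This is an added example, not code from the original post or from the MIMEDefang distribution. The helper name `virus_disposition` is hypothetical, and the fragment assumes a virus scanner such as ClamAV is already configured for `message_contains_virus()`.

```perl
# Added example: fragment for /etc/mail/mimedefang-filter (assumed path).
use strict;
use warnings;

# Globals populated by mimedefang.pl before filter_begin runs.
our ($VirusName, $RelayAddr, $Sender, $QueueID);

# Hypothetical helper: pure policy decision, kept separate from the
# MIMEDefang actions so it can be exercised outside the milter.
# $category and $action are the 2nd and 3rd return values of
# message_contains_virus().
sub virus_disposition {
    my ($category, $action) = @_;
    return 'discard'  if $category eq 'virus';     # never bounce to a forged sender
    return 'tempfail' if $action   eq 'tempfail';  # scanner failed: retry, do not pass unscanned
    return 'continue';
}

sub filter_begin {
    my ($entity) = @_;
    my ($code, $category, $action) = message_contains_virus();
    my $what = virus_disposition($category, $action);

    if ($what eq 'discard') {
        # A silent discard produces no DSN, so the log line is the only
        # record that the message existed. Write it before discarding.
        md_syslog('warning',
            "$QueueID: discarding virus $VirusName, relay $RelayAddr, " .
            "envelope sender $Sender");
        return action_discard();
        # The behaviour argued against above would be:
        #   return action_bounce("Virus $VirusName found");
        # A 5xx rejection makes a standards-conforming sending MTA build a
        # delivery-failure message to the (forged) envelope sender.
    }

    if ($what eq 'tempfail') {
        # Scanner error is not the same as "clean": ask the sender to retry.
        return action_tempfail("Problem running virus scanner");
    }
    return;
}

1;  # the filter file must return a true value
```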
