[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Les Mikesell les at futuresource.com
Wed Jun 29 23:55:10 EDT 2005


On Wed, 2005-06-29 at 16:15, Matthew.van.Eerde at hbinc.com wrote:
> > 
> > If the thing sending is a standards-conforming MTA, your refusal
> > obligates it to construct a bounce back to what it thinks is the
> > sender.  In the case of viruses, this will always be incorrect so
> > you are likely swamping some innocent party's mailbox with bounces.
> 
> I have three problems with this argument.
> 
> Maybe the thing isn't a virus at all.  In which case the sender has a right to expect notification that their message didn't go through.

And if it is, you are helping it to propagate by forcing the
sending relay to bounce it somewhere else.  I'd have been on the
other side of this argument a couple of years ago, but the
virus scanners have proven to be accurate.

> Even if it is... *I* am not swamping some innocent party's mailbox.  Somebody else is.  And that same thing is sending viruses, too.  Which is worse?  If enough people get swamped, someone related might trace the bounce notifications back to the source, and fix the infection.  Or fix the relay.  Either way, this is a good thing.

You are the only one with a choice about it.  If you issue a 5xx
response, the sending relay with worse virus identification than
yours has no choice but to send what you have identified as a
virus on toward someone's mailbox.

> Finally... the standards-conforming MTA thing is a big assumption.  If the thing is really a virus, it's going to concentrate on sending itself, rather than following up with bounce notifications.

If it transmits to the end point directly, your rejection will drop
it anyway.  If it looks up Outlook's relay or sends with the mail
API, it will end up being delivered somewhere if you force the
bounce to happen.  That's probably as good a way to spread as any.

-- 
  Les Mikesell
   les at futuresource.com




