[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

[Chris Gauch]

Matthew.van.Eerde wrote:
> 
> Heh, this is the plot of Spiderman.
> 
> The burglar is the viral message.
> Spiderman is the receiving MTA.  He chooses to reject the virus.
> The virus deflects onto his uncle.
> Spiderman is so racked with guilt that he turns to a life of vigilante
> justice.
> 
> Hope that doesn't happen to me...

I think you finally summed it all up with the whacky (but humorous)
Spiderman analogy.  

This issue is difficult to argue from either side. The "proper" thing to do
in order to conform to standards is to reject unacceptable mail (whether
infected or not infected by a virus), being as descriptive as possible in
the rejection statement.  Policy-wise, however, it is best to discard
infected messages.  By discarding you (A) remove the virus and put it out of
its misery, (B) don't send confusing rejection messages to
angel at innocent-bystander.example that may potentially cause further
infection of the innocent bystander's PC, and (C) reduce overhead because
you're eliminating known crap mail that your virus scanner has classified as
"infected" with virtually 100% accuracy and reliability. I would still argue
that FPs from virus scanners are 0% -- big deal, even in the case of an FP
you're probably discarding some sort of Windows executable, which should at
least be rejected at all costs anyway.  Windows executables compromise
security on any network, so whether a .vbs was written for legitimate
purposes or not, it can potentially self-execute in MS email applications.

- Chris    

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net