[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Matthew Schumacher matt.s at aptalaska.net
Thu Jun 30 21:19:54 EDT 2005


Les Mikesell wrote:
> On Thu, 2005-06-30 at 08:39, WBrown at e1b.org wrote:
> 
> I still think you'll change your mind the day your address is the
> one being forged and the target of a million bounces.
> 
> You didn't answer when I asked this before so I'll try again. Viruses
> virtually always use legitimate addresses found in the local contact
> list or headers of received email - just not the real sender.  How
> does your system ensure that rejections by the next hop can only
> be returned to the real sender, not a forged address?  If you can't
> do this yourself, how can you expect the rest of the world to do it?
> If you can, I'd like to know how.
> 

Les and the others make valid points.  Rejecting the message will still
cause some other relay to generate a bounce message, that is a
disadvantage of rejecting vs dropping.

Personally I would rather give the legit user the benefit of the doubt.
If someone does send a virus-infected attachment, or if the virus
scanner has a false positive, the user needs to be notified.

There is another case where rejecting is better that hasn't been brought
up yet (or at least I didn't read it): password protected zip archives.
On our mail system we call these viruses simply because they almost
always are, but if we were silently dropping them then that would be a
problem.

One last issue is that of trust.  I am simply not confident enough with
virus scanners, password protected archives, and other false positives
to start dropping email silently.

schu
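As an added example (not Matthew's filter and not MIMEDefang project code), here is a mimedefang-filter fragment that implements the policy described above: password-protected ZIP attachments are treated like viruses but rejected at SMTP time with a 5xx, so the sending server sees the failure, rather than being silently discarded. It assumes Archive::Zip is installed and uses MIMEDefang's documented per-part hook filter() and its action_bounce(), action_discard(), action_accept() and re_match() helpers; the helper name zip_has_encrypted_member and the reply text are this example's own. In MIMEDefang, action_bounce() means "reject with a 5xx reply during the SMTP session", not "generate a bounce message"; the caveat from the quoted reply still holds, since an upstream relay that already accepted the message may turn that 5xx into a bounce to a forged sender.

```perl
# Added example, not part of the original post or of MIMEDefang itself.
# Fragment of a mimedefang-filter showing reject-versus-drop for
# password-protected ZIP attachments.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);

# Returns 1 if any member of the ZIP at $path is flagged as encrypted,
# 0 if none are, undef if the file is not a readable ZIP archive.
# (Helper name is this example's own, not a MIMEDefang function.)
sub zip_has_encrypted_member {
    my ($path) = @_;
    my $zip = Archive::Zip->new();
    # Keep Archive::Zip from spamming the filter log on malformed input.
    Archive::Zip::setErrorHandler(sub { });
    return undef unless $zip->read($path) == AZ_OK;
    for my $member ($zip->members()) {
        return 1 if $member->isEncrypted();
    }
    return 0;
}

# MIMEDefang calls filter() once per MIME part of the message.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # Only inspect parts that are, or claim to be, ZIP archives.
    return action_accept()
        unless re_match($entity, '\.zip') || $type eq 'application/zip';

    my $bh = $entity->bodyhandle;
    return action_accept() unless defined $bh && defined $bh->path;

    my $encrypted = zip_has_encrypted_member($bh->path);
    return action_accept() unless defined $encrypted;   # not a ZIP we can parse

    if ($encrypted) {
        # Treat it like a virus, but REJECT (5xx at SMTP time) rather than
        # discard: a legitimate sender's own MTA gets the failure instead of
        # the message vanishing. Note the caveat: if an upstream relay has
        # already accepted the message, it will turn this into a bounce,
        # possibly to a forged From address.
        return action_bounce(
            "Password-protected ZIP archives are not accepted here; " .
            "please resend unencrypted or use another channel"
        );
    }

    # Silent discard is deliberately NOT used for encrypted archives above.
    # It is only defensible when the sender address is known to be forged,
    # e.g. for a positively identified mass-mailing worm; shown for contrast.
    # return action_discard();

    return action_accept();
}
```

The filter decides per part, so an unencrypted ZIP is accepted and a message containing an encrypted one is rejected as a whole; if you would rather keep a copy for the postmaster while still rejecting, MIMEDefang's quarantine actions can be combined with action_bounce() in the same filter.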
