On 19 June 2002, Richard Greaney said:
> I am using the system_filter.exim (windows executable content filter)
> file which is currently available on the Exim website. I have found it
> to make a nice job of filtering out attachments but am having problems
> with the returning of the message to the original sender. There are two
> reasons for this.
I'm also using a filter distantly derived from the filter on the Exim
site; FWIW, I'm about ready to throw in the towel and switch to a real
virus detector. I'm tired of having to change the thing for every new
virus or variant that comes along. (Although I suspect I'll get equally
tired of upgrading 3rd-party virus detector software too... sigh.)
> First, my clients all use a dial-up mail server which collects mail for
> the domain via fetchmail then uses trestlemail to forward mail into the
> appropriate mailboxes. As trestlemail generates messages on the command
> line, they are listed as being sent by the trestlemail user as opposed
> to the person who actually sent them. This means that the exim error
> message is sent back to root@proxy rather than to the original sender.
I don't know what trestlemail is, but it sounds like it's doing a Bad
Thing to your email in munging the envelope sender. It should invoke
exim with "-f" and the original envelope sender in order to preserve the
return-path.
> Secondly, many worms these days act as though they have been sent from
> someone else in the user's address book. Therefore, to send the sender a
> warning message may be of limited use. The real header which is always
> of use is "Return Path:" which is genuine.
No, the return path (aka envelope sender) is often forged too.
IMHO six months ago, attempting to return viral email to the sender was
a worthwhile thing to do. It no longer is. Ideally, it should be
rejected at SMTP time. The second-best thing to do is put it in a
quarantine folder that is regularly reviewed for false positives. The
third-best thing to do is try to return it to the sender. The absolute
worst thing to do is notify the presumed recipient that you caught a
virus for them. (Even worse if you take the recipient from the "To"
header -- ugh.)
> I'm trying to find a way of using an Exim filter to deliver a message
> along with an error to the original sender. Instead of using "fail text
> "This message contains an attachment of unsafe type" etc etc, I am using
> "deliver $return_path" but this basically sends the message straight
> back to the sender and gives them no warning, nor does it stop the
> attachment from doing harm.
Take a look at my filter:
http://python.net/~gward/exim/
(the filter itself is at
http://python.net/~gward/exim/system_filter).
Greg
