Re: [Exim] bouncing viruses

Author: Alan J. Flavell
Date:  
To: Exim Users Mailing List
Subject: Re: [Exim] bouncing viruses
On Mon, 17 Feb 2003, Greg A. Woods wrote:

> > And just how are you supposed to reject before DATA for virus infected
> > mail? Is there support for "crystal ball" libraries in exim or something?
>
> In some cases, yes. Don't accept any connections from clients listed as
> "dial-up" or "dynamic" in the various public DNS blacklists.


You're using contorted logic! - you're rejecting those mails for a
good reason, but that reason isn't that they are virus-infested.

> That'll stop a sizable number of viruses and worms.


By chance it will, yes. As well as a number of bona fide (would-be)
senders who thought that what they were doing was perfectly OK, and
get quite shirty when you try to explain the strategy...

> If you've accepted a message containing a virus or worm then the best
> possible thing you can do is disable it


Well, the _best_ thing to do is not to accept it in the first place.
I don't really approve of delivering mail of which the body has been
interfered with. You could make yourself liable in various ways.

On the other hand there's some who insist you shouldn't look at it
either, since it could be bona fide mail that's accidentally
triggered the detector, and looking at it would be a breach of
privacy. At least our users have been officially informed - here's
the relevant snippet:

  Messages which fail, or which are automatically rated as abuse, are
  likely to be viewed by the postmasters to determine the proper
  disposal: the postmasters thus may inevitably become aware also of
  the content of the message.

and I think this can be deemed to fall into that section, but
apparently some jurisdictions don't allow even that.

> You should not try to bounce it, as has already been clearly stated.


I agree with that part, sure.

[snipped a bit that I can't really trust myself to comment on...]

> Keeping your users well aware of all security issues is
> also a really good idea


Yes, I'm afraid that them knowing that an effort is being made to
defend them does tend to lead to a certain carelessness, as in failing
to apply security patches, failing to update their virus checkers,
etc.

Which means that when some nutter brings in a virus on their laptop
which they then casually plug into the network, all hell is liable to
break loose.

I wish we could send them some harmless but annoying viruses to keep
them on their toes, but it isn't going to happen. At least not in our
environment.

> (which reporting infected messages helps to do,


Hmmm, I guess you have a point there. I'm not sure I want to pester
them in that way, but it's a difficult choice.

cheers