Author: James P. Roberts Date: To: exim-users Subject: Re: [Exim] bouncing viruses
<snip>
> If you had paid attention to _all_ of what I wrote then you would
> know that this is not exactly what I recommended.
hee hee. I don't even pay attention to everything I write!
(just kidding)
<snip>
> > You can pass them on or
> > bounce them.
>
> NO, you CANNOT bounce them -- or rather you _MUST_NOT_ bounce them! Now
> that is what this has all been about.
>
> You _can_ pass along a de-fanged copy, IFF you know how to do so reliably.
>
Just because I can't let a good flame go by without commenting...
(especially after a late-nighter and only about 2 hours sleep)...
As I understand the discussion, my summary is as follows:
IF you choose to scan for viruses, AND you detect one, THEN:
The physically possible actions (without regard to good/bad) are:
(a) bounce it, (b) accept and deliver, (c) accept and "de-fang",
(d) accept and bit-bucket, or (e) reject at SMTP time (if you can
scan early and fast enough).
OK, from what I can glean from the conversation, there are
multiple views on the "preferences" one might apply to these
possibilities. (Was that subtle enough?) ;)
I gather that "(a) bounce it" is not a generally acceptable idea,
even though it is possible to do, because there are negative
side effects, the main ones being (1) inability to bounce due to
forged sender addresses, and (2) sending bounces to innocent
3rd parties that are victims of forged addresses. These are
bad things, because many email viruses out there do, in fact,
forge senders. (1) has a defense, (2) does not. The question
is, do you care? (I refuse to address the issue of whether you
should care, as all circumstances differ).
It seems obvious that (e) would be the preferred solution, in
cases where the server has the resources to do so. However,
there may be a problem with certain virus senders ignoring the
5xx reject during, or at the end of, DATA.
TANMB (There Are No Magic Bullets).
How am I doing so far?
With (b), (c), and (d), you are stuck with having accepted the
message, typically before determining there is a virus in it. In
these cases, the decision on what to do is something that each
email admin is going to have to decide for themselves, based
on their own particular user needs, legal requirements, etc.
That is, I am not promoting a preference for any of (b), (c) or (d).
I say, you each have to make up your own minds. I think any of
the options is defensible under certain circumstances, which
will certainly differ (wildly) for different servers.
By far, the biggest decision you can make, is whether to scan for
viruses at the MTA level at all. If you choose not to, all the other
questions become moot. If you choose to, then you must also
make these additional decisions, and live with the consequences
in your own environment.
TMTOWTDI.
I applaud the group for discussing the ramifications of these
options under various operating assumptions. Shared knowledge
is powerful. Even if sometimes, the knowledge gained comes at
the price of reading through some ranting and raving. ;)
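The two non-bouncing choices the post singles out, (e) reject at SMTP time and (d) accept and bit-bucket, map directly onto Exim ACL verbs. The following is an added illustration, not part of the original message and not configuration shipped by the Exim project. It assumes an Exim 4 build with content scanning compiled in and a clamd socket at the path shown (both assumptions; adjust to the local scanner).

```exim
# Main configuration section.
# Where the virus scanner listens; the socket path is an assumption.
av_scanner = clamd:/var/run/clamav/clamd.ctl

# Run this ACL once the whole message body has been received, which is
# the earliest point at which the content can be scanned.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Option (e): refuse the message with a 5xx while the sending host is
  # still connected.  Our MTA never accepts it, so it never has to generate
  # a bounce, and a forged envelope sender receives no backscatter from us.
  # Caveat: the 5xx is only issued at the end of DATA, and a virus sender
  # that ignores it simply gives up; the protection here is for third
  # parties, not for the infected host.
  deny    malware      = *
          log_message  = rejected at DATA: $malware_name
          message      = This message contains malware ($malware_name)

  # Option (d), for sites that prefer not to 5xx: return success to the
  # sender and drop the message without delivering it.  Uncomment this and
  # remove the deny above to use it instead; never pair either with a
  # later bounce (option (a)).
  # discard malware      = *
  #         log_message  = discarded: $malware_name

  accept
```

One practical check on option (e): it only prevents backscatter if the MTA running this ACL is the one that would otherwise have accepted the message. A secondary MX or relay in front of it that has already accepted the mail will still generate a bounce when this host rejects it, so the same scanning has to happen at every accepting hop.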