Re: [Exim] Re: Limit on message size for filtering?

Author: Alexander Sabourenkov
Date:  
To: Walt Reed
CC: Karl Eklund, exim-users
Subject: Re: [Exim] Re: Limit on message size for filtering?
Walt Reed wrote:
> On Tue, Dec 16, 2003 at 01:57:54PM +0100, Karl Eklund said:
>
>>Tim Jackson <lists@???> writes:
>>
>>
>>>No, please drop them instead. It's alright for you to say "ah, never
>>>mind" (or words to that effect), but it's not you who's going to be on the
>>>receiving end of your collateral spam!
>>
>>The consensus here seems to be to drop them, so I will change it. The
>>cons of dropping them are mostly theoretical (not 'polite' to delete
>>stuff with no notice) but in practice, I guess it's much better.
>
>
> If you can't reject them at SMTP time, then you need to drop them.
>


I found that this is not enough, because the collateral spam will instead be
generated by the servers that try to relay the viruses (that have no virus
scanner installed and are trying to relay them).

Not that the majority of virus payloads experience more than one hop over
SMTP, but the collateral spam is there with SMTP-time rejection too.

Had to add a regex match on virus name and silently drop messages laden with
viruses that propagate via mail.


> Using the Exiscan patch, I reject virus notification messages as well,
> as this is exactly the type of collateral spam we are trying to avoid in
> the first place.
>
> If enough people do this, unenlightened admins that enable virus
> notifications may finally "get it" and turn that "feature" off.


I would not even consider hoping that the clueless can "get" anything. They're
clueless and mostly ignorant in the first place.

A flag in the virus scanner reply that says something along the lines of 'This
virus propagates via email and forges sender address' would be nice though.
Hope antivirus people implement that sooner than later.

--

./lxnt
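
The drop-versus-reject decision described in the message above, as an added example that is not part of the original post or of Exim/Exiscan. The family names in the regex, the sample verdict strings and the addresses are constructed assumptions, and the model assumes that only a relaying MTA (not a worm's own SMTP engine) turns a 5xx rejection into a bounce.

```python
import re

# Assumption: families that mail themselves with a forged sender address.
# Illustrative names only; build the real list from your own scanner's verdicts.
FORGING_MAILER = re.compile(r"\b(sobig|klez|swen|mimail|bugbear|yaha)\b", re.IGNORECASE)

def smtp_time_action(virus_name, selective_drop=True):
    """Decide what to do with a message at SMTP DATA time.

    virus_name is the scanner verdict, or None for a clean message.
    'discard' means: answer 250 to the client, then throw the message away.
    """
    if virus_name is None:
        return "accept"
    if selective_drop and FORGING_MAILER.search(virus_name):
        return "discard"
    return "reject"

def bounce_target(action, client_is_relay, envelope_sender):
    """Return the address that receives a bounce caused by our action, if any.

    A relaying MTA that gets a 5xx generates a bounce to the envelope sender;
    a worm talking to us directly is modelled as simply giving up.
    """
    if action == "reject" and client_is_relay:
        return envelope_sender
    return None

# Constructed traffic: (scanner verdict, client is a relaying MTA, envelope sender)
SAMPLES = [
    ("W32/Sobig.F@mm", True, "victim@example.org"),     # forged sender, via a relay
    ("W32/Sobig.F@mm", False, "victim2@example.org"),   # forged sender, direct from worm
    ("Eicar-Test-Signature", True, "tester@example.net"),  # genuine sender, via a relay
    (None, True, "friend@example.com"),                 # clean mail
]

def collateral(selective_drop):
    """List every address that ends up receiving a bounce under the given policy."""
    hits = []
    for name, relay, sender in SAMPLES:
        target = bounce_target(smtp_time_action(name, selective_drop), relay, sender)
        if target:
            hits.append(target)
    return hits

if __name__ == "__main__":
    print("reject everything:", collateral(selective_drop=False))
    print("drop forging mailers:", collateral(selective_drop=True))
```

With plain SMTP-time rejection the forged address still gets a bounce from the relay; with the regex in place only the genuine sender of the non-forging sample is notified.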