Author: Alan J. Flavell Date: To: Exim users list Subject: Re: [Exim] FIY: Turn off virus alerts to sender (slightly OT)
On Wed, 11 Feb 2004, Brian Dessent wrote:
> Once you accept the message at SMTP time, you're responsible for either
> delivering it or generating a bounce, by classical logic at least. So
> if you accept everything and only then scan later, you're left with a
> quandry of either discarding the message or generating a bounce.
Except that if this archetypical accept-and-then-scan merchant then
recognises the virus as being one of the viruses which plugs-in
arbitrary sender and recipient addresses, then the LAST thing that
logic would suggest would be getting in touch with those arbitrary
senders and recipients. This is the thing that drives me demented
about all those reports saying "we discovered MyDoom and we accuse you
of sending it", when their antivirus vendor is already offering them
the well-known information that this is yet another virus which fakes
the sender address.
More to the point would be to block the IP from which they had
accepted that crap, and to compose a report to the registered abuse
address for that IP.
> The key factor of scanning at delivery time is you don't accept
> responsibility for it if you deem it to be crap.
"Amen to that".
> Couple this with malware/AV software that comes by
> default with the option enabled -- perhaps as an underhanded form of
> advertising its effectiveness