Re: [Exim] What to do with messages that seem to be virus-in…

Author: Kevin Reed
Date:  
To: exim-users
Subject: Re: [Exim] What to do with messages that seem to be virus-infected?
Toralf Lund said:
> I'm just wondering how other people on this list handle messages that
> are classified as "virus". We've so far returned them directly, or frozen
> them for a while, then returned them (via auto-thaw) if no-one deleted
> them or forced delivery. However, sending error reports to the From or
> Sender addresses is pointless and/or a way of annoying innocent people,
> since all viruses ("viri"?) come with forged addresses these days. At
> the same time, the sender probably wants to be notified if the virus
> check mistakenly stops an uninfected. And of course, with all the bad
> stuff floating around the net these days, checking the blocked messages
> "by hand" is a nearly impossible task.


If we know they are bad when they are being given to us, we deny them at
SMTP time. We try hard to make sure that this is the #1 option.

Almost all of the virus mail that arrives has spoofed or forged headers so
there is no way of knowing who actually sent it other than the server
attempting to give it to you.

If we accept ANY email and find a problem with it later, we Discard the mail.

Sending an error report for discovery of a Virus is in itself Spam in my
book, and can earn you a block.

It's been pretty quiet the past several weeks around most of our current
mail servers because nothing really new has hit that is not already
auto-caught by our existing rules. Mydoom, NetSky were all pretty much
non-issues. Bagle looked like it might be a problem but again the
existing blocks worked on it too.

--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
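
The reject-at-SMTP-time approach described in the message above, sketched as an added Exim configuration example; it is not taken from the poster's servers. It assumes an Exim build with content scanning support and a ClamAV daemon; the socket path and the ACL name `acl_check_data` are placeholders.

```exim
# --- main configuration section ---

# Scanner used by the "malware" ACL condition.
# The socket path is an assumption; use the one your clamd listens on.
av_scanner = clamd:/var/run/clamav/clamd.sock

# Run this ACL after the message body has been received (end of DATA),
# while the SMTP session with the sending server is still open.
acl_smtp_data = acl_check_data

# --- ACL section ---
begin acl

acl_check_data:

  # Refuse infected mail with a 5xx response inside the SMTP session.
  # The message is never accepted, so this host generates no bounce to
  # the (usually forged) From or Sender address. Any error report is the
  # responsibility of the server that tried to hand the message over.
  deny    message = This message contains malware ($malware_name)
          malware = *

  # Everything else is accepted for delivery.
  accept
```

With this in place a false positive is visible to the real sending server as a rejected transaction, and nothing is sent to the addresses in the headers.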