Author: Toralf Lund
Date:  
To: Exim Mailing List
Subject: Re: [Exim] What to do with messages that seem to be virus-infected?
Kevin Reed wrote:

>Toralf Lund said:
>
>
>>I'm just wondering how other people on this list handle messages that
>>are classified as "virus". We've so far return them directly, or frozen
>>them for a while, then returned them (via auto-thaw) if no-one deleted
>>them or forced delivery. However, sending error reports to the From or
>>Sender addresses is pointless and/or a way of annoying innocent people,
>>since all viruses ("viri"?) come with forged addresses these days. At
>>the same time, the sender probably wants to be notified if the virus
>>check mistakenly stops an uninfected message. And of course, with all the bad
>>stuff floating around the net these days, checking the blocked messages
>>"by hand" is a nearly impossible task.
>>
>>
>
>If we know they are bad when they are being given to us, we deny them at
>SMTP time. We try hard to make sure that this is the #1 option.
>
>

What exactly happens to the message when you do that? Won't there still
be an attempt to send an error message - not by your server, but by the
one contacting it?

>Almost all of the virus mail that arrives has spoofed or forged headers so
>there is no way of knowing who actually sent it other than the server
>attempting to give it to you.
>
>If we accept ANY email and find a problem with it later, we Discard the mail.
>
>Sending an error report for discovery of a Virus is in itself Spam in my
>book, and can earn you a block.
>
>

Yes. I tend to agree. Especially when they contain silly notes like

Please update your virus scanner or contact your IT support
personnel as soon as possible as you have a virus on your system.

(which ours don't) (And the text is taken from an actual message I got.)

Actually, it seems like I get more misplaced error messages than actual
viruses nowadays.

>It's been pretty quiet the past several weeks around most of our current
>mail servers because nothing really new has hit that is not already
>auto-caught by our existing rules. Mydoom, NetSky were all pretty much
>non-issues. Bagle looked like it might be a problem but again the
>existing blocks worked on it too.
>
>--
>Kevin W. Reed - TNET Services, Inc.
>Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
>
>--
>
>## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
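The two policies discussed in this thread, reject at SMTP time versus accept and discard, map onto Exim's DATA ACL directly. The fragment below is an added editorial example, not configuration posted by either participant; it assumes an Exim 4 build with content scanning (exiscan) compiled in, a clamd socket at /var/run/clamav/clamd.ctl, and an ACL named acl_check_data (all three are assumptions, adjust to your site). The security-relevant difference: a `deny` in the DATA ACL answers the final "." with a 550, so Exim never queues the message and never generates a bounce itself. Whether the connecting client reports that failure to anyone is the client's decision, and because the envelope sender of a worm is forged, any such report goes to the wrong person regardless of what you do. A `discard` instead returns 250, accepts responsibility for the message and silently drops it; a `warn` with `control = freeze` reproduces the freeze-then-auto-thaw behaviour described at the top of the thread.

```exim
# Assumed: Exim 4 built with WITH_CONTENT_SCAN=yes and a local clamd.
# Socket path is an assumption for this example.
av_scanner = clamd:/var/run/clamav/clamd.ctl

# Run acl_check_data (name assumed) after the message body has arrived.
acl_smtp_data = acl_check_data

# Only relevant to Option 3 below: frozen messages are retried after 24h,
# which is what "auto-thaw" in the thread refers to.
auto_thaw = 24h

begin acl

acl_check_data:
  # Option 1 (preferred): refuse at SMTP time. The SMTP client receives a
  # 550 in reply to the final "." and the message is never queued, so this
  # server sends no bounce to the (almost certainly forged) sender.
  deny  malware     = *
        message     = Message rejected: malware detected ($malware_name)
        log_message = rejected malware $malware_name from $sender_host_address

  # Option 2: accept and drop silently. Use this only where rejection is no
  # longer possible, e.g. scanning done after acceptance. Nothing is
  # returned to the sender; the log line is the only record.
  # discard malware     = *
  #         log_message = discarded malware $malware_name from $sender_host_address

  # Option 3: accept and freeze so an operator can inspect, delete or force
  # delivery; auto_thaw above releases it otherwise. Note that a thawed
  # message that then fails delivery WILL produce a bounce, which is the
  # problem the thread is about.
  # warn    malware     = *
  #         control     = freeze
  #         log_message = froze malware $malware_name from $sender_host_address

  accept
```

Only one of the three options should be active at a time. Option 1 also covers the "false positive" worry raised in the thread better than the other two: a legitimate sender's own MTA sees the 550 and the response text, so the notification reaches the party that actually sent the message rather than whoever is named in a forged From header.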