Author: Toralf Lund
Date:
To: Exim Mailing List
Subject: Re: [Exim] What to do with messages that seem to be virus-infected?
Tor Slettnes wrote:
>
> On Mar 5, 2004, at 15:44, Toralf Lund wrote:
>
>> Kevin Reed wrote:
>>
>>> If we know they are bad when they are being given to us, we deny them at
>>> SMTP time. We try hard to make sure that this is the #1 option.
>>
>>
>> What exactly happens to the message when you do that? Won't there still
>> be an attempt to send an error message - not by your server, but by the
>> one contacting it?
>
>
> That is usually the infected machine itself. Virii rarely use
> smarthosts to forward the message.
But, don't virus messages often come from machines that don't have an
SMTP server at all, but where the MUA connects to a remote one, possibly
at an ISP?
>
> (I can see it now: "Hi, I am your friendly neighborhood virus. In
> order for me to work, I need to know the name of an SMTP server
> through which I can relay my payload. Please enter it here: ........")
>
> The exception is if your domain has several MX hosts, and your
> secondary accepts the mail before the primary has a chance to reject
> it. For this reason, it is my opinion that:
> - Your domain should have only one MX host. Well-behaved MTAs know
> what to do if that host happens to be down for a while.
> - If this is impossible, you should synchronize the rejection
> criteria between your various MX hosts.
> - If this is impossible, you should drop the message.
> - You should NEVER EVER generate a bounce message as a result of a
> virus check.
>
> -tor
>
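
Added example, not part of the thread and not any poster's configuration: a sketch of how the policy in the list above could look in the primary MX's Exim 4 configuration, rejecting at SMTP time and never generating a bounce. It assumes an Exim build with content-scanning (`malware`) support and a ClamAV daemon; the socket path, the `backup_mx` hostlist name and the address 192.0.2.25 are constructed placeholders.

```conf
# --- main configuration section (primary MX) ---

# Assumption: clamd is listening on this local socket.
av_scanner = clamd:/var/run/clamav/clamd.sock

# Assumption: the secondary MX that may relay mail to this host.
hostlist backup_mx = 192.0.2.25

# Run the ACL below after the DATA phase, while the SMTP
# connection from the sending host is still open.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:

  # Mail already accepted by the secondary MX: a 5xx here would make
  # the secondary generate a bounce to the (usually forged) sender.
  # Accept and silently drop it instead, leaving a log entry.
  discard hosts       = +backup_mx
          malware     = *
          log_message = dropped malware ($malware_name) relayed by backup MX

  # Everything else: refuse at SMTP time. This host never owns the
  # message, so it never has to create a bounce for it.
  deny    malware     = *
          message     = This message contains malware ($malware_name).

  accept
```

If the secondary MX can run the same scanner, putting the same `deny` statement in its own data ACL is the "synchronize the rejection criteria" option, and the `discard` statement then only catches what the two hosts disagree on.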