Re: [exim] Malware bounce filtering

On Wed, 30 Nov 2005, Tony Finch wrote:

> On Tue, 29 Nov 2005, David Saez Padros wrote:
> >
> > The main problem is that most virus warnings don't use a null
> > envelope sender.
>
> They are best handled in the traditional SpamAssassin manner, by
> matching patterns in the message subject and body.

For many of them, this is indeed good advice.

Some of them also use tell-tale envelope-sender addresses, which can
be blocked (I even set up a specific rejection report for them, so -
instead of the regular 5xx "your envelope sender address is locally
blacklisted" - they get a specific "...blocked for sending bogus virus
reports". Not that I'd expect them to have the wit to read these, but
you never know - it might just stir half a neuron somewhere. If more
of us did it, maybe the message would finally get through? Although
we were lectured by a German site that their legislation mandated them
to create such nuisance reports (which I hope is a misinterpretation
of their law?). At least, we are not mandated to accept them! (except
they are addressed to our postmaster/abuse address).

Localparts like "antivirus", "Symantec_AntiVirus_for_SMTP_Gateways",
"virusalert", "avadmin", "mailsweeper", "virus-protection",
"viruschecker", even (I'm sorry to say) "clamav", feature in our list
(case-insensitive match throughout). (Clarification: we don't block
on the localpart alone - only on the complete addresses, but I'm not
listing their actual domains here).

> They have almost no useful information from the original message and
> serve only as advertisements for the vendors' products (ads of the
> kind that make the discerning viewer say "I wouldn't use that if you
> paid me").

Well put, indeed!