Hi,

First, I hope cross-posting this message to both the ClamAV and qmail-scanner lists doesn't cause problems; I wasn't sure where it should go.

Many dumb AV scanners out there still reply to incoming viruses generated by Mydoom, Klez, etc. even though the 'From' address is always bogus. Using ClamAV and qmail-scanner-queue, I can easily configure particular viruses, such as Mydoom, to just get silently dropped.

However, I did receive one very useful autoreply that came from a Kaspersky Labs protected system. Their scanner had pulled out the sender's originating IP address from the headers, looked up who the admin was of that IP address (me), and sent me a message about the infected machine.

This is obviously extra overhead for the system, but as the system admin, I found it very useful to be auto e-mailed the offending IP address.

For instance, here are the headers (see below) of a virus sent out by an infected machine. Kaspersky pulled out the 141.140.105.194 address, determined who should be told, and told them (me). An option to do this sort of thing with ClamAV/qmail-scanner would be great!

Thanks,
Ted Fines
Macalester College

Return-Path: <[EMAIL PROTECTED]>
Received: from CONVERSION-DAEMON.mail.Macalester.edu by mail.Macalester.edu
    (PMDF V6.2 #30776) id <[EMAIL PROTECTED]> for
    [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Wed,
    28 Jan 2004 12:23:12 -0600 (CST)
Received: from u.washington.edu
    (std194.dorms5.macalester.edu [141.140.105.194]) by mail.Macalester.edu
    (PMDF V6.2 #30776) with ESMTP id <[EMAIL PROTECTED]> for
    [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Wed,
    28 Jan 2004 12:23:11 -0600 (CST)
Date: Wed, 28 Jan 2004 12:24:32 -0600
From: [EMAIL PROTECTED]
Subject: HELLO
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_XQsj10GAPa3E6f8WccG0PQ)"
X-Priority: 3
X-MSMail-priority: Normal
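
The header extraction described in the post, as an added example that is not part of the original message and is not ClamAV, qmail-scanner or Kaspersky code. It takes the bracketed IPv4 address only from a Received line stamped by a trusted MTA and stops at the first hop it does not trust, since everything below that is sender-supplied. The trusted-host set, the 141.140.0.0/16 range and the contact address are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Received headers from the post above (addresses redacted by the archive),
# with folded continuation lines indented so they parse as one header each.
SAMPLE = """\
Received: from CONVERSION-DAEMON.mail.Macalester.edu by mail.Macalester.edu
 (PMDF V6.2 #30776) id <[EMAIL PROTECTED]> for
 [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Wed,
 28 Jan 2004 12:23:12 -0600 (CST)
Received: from u.washington.edu
 (std194.dorms5.macalester.edu [141.140.105.194]) by mail.Macalester.edu
 (PMDF V6.2 #30776) with ESMTP id <[EMAIL PROTECTED]> for
 [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Wed,
 28 Jan 2004 12:23:11 -0600 (CST)
Subject: HELLO

"""

TRUSTED_MTAS = {"mail.macalester.edu"}  # hosts whose Received stamps we wrote
# Constructed contact table (assumption): network -> responsible admin.
CONTACTS = {ipaddress.ip_network("141.140.0.0/16"): "netadmin@example.edu"}

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw, trusted=TRUSTED_MTAS):
    """Client IP recorded by our own MTA, or None if no trusted hop has one."""
    for hop in message_from_string(raw).get_all("Received", []):
        hop = " ".join(hop.split())            # unfold the header
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted:
            return None                        # below here the sender controls the text
        ip = IP_RE.search(hop[:by.start()])    # look only in the "from" clause
        if ip:
            try:
                return ipaddress.ip_address(ip.group(1))
            except ValueError:                 # e.g. [999.1.1.1]
                return None
    return None


def admin_contact(ip, contacts=CONTACTS):
    """Look up who to notify for an IP; None means send nothing."""
    return next((who for net, who in contacts.items()
                 if ip is not None and ip in net), None)
```

A report is only worth sending when admin_contact returns an address; for anything else the silent drop already described in the post remains the right behaviour.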





_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
