On Tuesday, 27.07.2004 at 15:27 +0200, Lionel Bouton wrote:

> Dave Ewart wrote the following on 07/27/2004 02:47 PM :
>
> >Don't notify the sender.
> >
> >You'll just be generating unnecessary mail. In the case of most
> >virus-generated emails, which are the ones you are going to be
> >detecting, the sender address will be faked. Therefore, any
> >notification would go to the wrong person in any case.
>
> You might want to be more accurate than that : worms using mail for
> propagation usually fake the From header, but when clamav detects a
> virus using other means of propagation (meaning the From couldn't be
> faked by the virus), notifying the sender is useful.
>
> Amavisd-new is configured to do this by using :
> $viruses_that_fake_sender_re = new_RE(
>   ...
>   qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
>   [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
>   [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
> );

Interesting. I have heard of a particular incident where a sysadmin
received a "you have sent us a virus" message, replied with the standard
"hey, don't you know that most viruses fake headers, this autoreply from
you is just adding clutter", only to then be told that, "actually, this
*particular* virus does *not* fake the headers and your system really
*does* have a virus ..." :-)

Dave.
-- 
Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
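How an ordered list like the quoted `$viruses_that_fake_sender_re` can drive the notify/don't-notify decision, as an added example that is not part of the original thread and is not amavisd-new's own code. It assumes entries are tried in order and the first match decides; the function names, the "unmatched means forged" default, and the sample virus names are constructed for illustration, and the entries elided as `...` in the mail are not reconstructed.

```perl
use strict;
use warnings;

# Only the entries visible in the quoted mail. A bare regex means
# "sender is faked"; [regex => 0] marks names whose sender is genuine.
my @fake_sender_re = (
    qr'Worm'i,    # worms as labeled by ClamAV, Kaspersky, etc
    [ qr'^(EICAR|Joke\.|Junk\.)'i        => 0 ],
    [ qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0 ],
);

# Hypothetical helper: value of the first matching entry, undef if none match.
sub sender_is_faked {
    my ($virus_name, @list) = @_;
    for my $entry (@list) {
        my ($re, $value) = ref($entry) eq 'ARRAY' ? @$entry : ($entry, 1);
        return $value if $virus_name =~ $re;
    }
    return;
}

# Hypothetical policy: notify only when every reported name is known to
# leave the sender address intact. Unmatched names are treated as forged
# (assumption of this example), which avoids mailing an innocent third party.
sub should_notify_sender {
    my (@virus_names) = @_;
    for my $name (@virus_names) {
        my $faked = sender_is_faked($name, @fake_sender_re);
        return 0 if !defined $faked || $faked;
    }
    return 1;
}

# Constructed scanner results, one array per message.
my @messages = (
    ['Worm.Example.A'],          # mail worm: From is forged
    ['Eicar-Test-Signature'],    # test file: sender is real
    ['WM97/Example-A'],          # macro virus: sender is real
    ['Joke.Worm.Example'],       # 'Worm' is listed first, so it wins over '^Joke\.'
    ['Trojan.Example'],          # no entry matches: default applies
    ['WM97/Example-A', 'Worm.Example.A'],    # mixed: one forged name blocks it
);
for my $names (@messages) {
    printf "%-32s notify sender: %s\n", join('+', @$names),
        should_notify_sender(@$names) ? 'yes' : 'no';
}
```

The `Joke.Worm.Example` case shows why entry order matters: under first-match evaluation an exception placed after a broad pattern such as `qr'Worm'i` never applies to names that also contain "Worm".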