On Tuesday, 27.07.2004 at 15:27 +0200, Lionel Bouton wrote:

> Dave Ewart wrote the following on 07/27/2004 02:47 PM :
> 
> >Don't notify the sender.
> >
> >You'll just be generating unnecessary mail.  In the case of most
> >virus-generated emails, which are the ones you are going to be
> >detecting, the sender address will be faked.  Therefore, any
> >notification would go to the wrong person in any case.
> > 
> >
> 
> You might want to be more accurate than that: worms using mail for
> propagation usually fake the From header, but when clamav detects a 
> virus using other means of propagation (meaning the From couldn't be 
> faked by the virus), notifying the sender is useful.
> 
> Amavisd-new is configured to do this by using :
> $viruses_that_fake_sender_re = new_RE(
> ...
>  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
>  [qr'^(EICAR|Joke\.|Junk\.)'i         => 0],
>  [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],
> );

Interesting.

I have heard of a particular incident where a sysadmin received a "you
have sent us a virus" message, replied with the standard "hey, don't you
know that most viruses fake headers, this autoreply from you is just
adding clutter", only to then be told that, "actually, this *particular*
virus does *not* fake the headers and your system really *does* have a
virus ..."

:-)

Dave.
-- 
Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
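
The lookup that the quoted `$viruses_that_fake_sender_re` setting describes, modeled in Python as an added example (not part of the original message and not amavisd-new's own code). It uses only the three entries visible in the quote; first-match-wins evaluation, the `default` for unmatched names, the helper names and the sample virus names are assumptions.

```python
import re

# Only the entries visible in the quoted config; the ones elided there ("...")
# are deliberately not filled in. A bare pattern means "this malware forges
# the sender" (True); an entry written as [pattern => 0] is an exception (False).
VISIBLE_ENTRIES = [
    (re.compile(r"Worm", re.I), True),
    (re.compile(r"^(EICAR|Joke\.|Junk\.)", re.I), False),
    (re.compile(r"^(WM97|OF97|W95/CIH-|JS/Fort)", re.I), False),
]

# Constructed detection names, for illustration only.
SAMPLE_NAMES = [
    "Worm.SomeFool.P",       # mass mailer: sender address is forged
    "Eicar-Test-Signature",  # test file: sender is genuine
    "WM97/Marker-C",         # macro virus: sender is genuine
    "Joke.Worm.Example",     # hits "Worm" before the "Joke." exception
    "Trojan.Example.A",      # matches nothing: falls through to default
]


def fakes_sender(virus_name, entries=VISIBLE_ENTRIES, default=True):
    """Return the value of the first entry whose pattern matches.

    Assumption: evaluation is first-match-wins, and a name matching no entry
    gets `default`. default=True is the cautious choice: when unsure, send
    nothing to an address that may belong to an uninvolved person.
    """
    for pattern, value in entries:
        if pattern.search(virus_name):
            return value
    return default


def should_notify_sender(virus_names, **kwargs):
    """Notify only when every detected name is known not to forge the sender."""
    names = list(virus_names)
    return bool(names) and not any(fakes_sender(n, **kwargs) for n in names)


def classify_samples():
    """Map each constructed sample name to the notification decision."""
    return {name: should_notify_sender([name]) for name in SAMPLE_NAMES}


if __name__ == "__main__":
    for name, notify in classify_samples().items():
        print(f"{name:24} notify sender: {notify}")
```

Entry order decides the outcome: `Joke.Worm.Example` is treated as sender-forging because the `Worm` pattern is listed ahead of the `Joke.` exception.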
