On Wed, Sep 06, 2006 at 03:58:10PM -0600, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> >recipient. If a virus is rejected at SMTP time then the sending server is
> >likely to try to deliver that virus to the envelope sender, which is not
> >at all friendly. Better to discard viruses than to reject them.
>
> That is the sending server's problem. Silently blackholing email is bad.

But "helping" the virus by allowing it to spread to a secondary target
(which most viruses now put in the "MAIL From" field), isn't good either.

Having the luxury of multiple (3) virus scanners, I take another approach
which hopefully combines the best of both worlds.

- if a virus is detected that is known NOT to be able to forge the sender
  (e.g., a word macro virus), we reject it immediately.
- all other viruses are treated as likely forging the sender. If only one
  scanner detects the virus, we TEMPFAIL it mentioning "possibly infected
  with $virusname".
- if more than one virus scanner detects the incoming mail as a virus (and
  it's not recognised as a non-header-forging one), we discard the incoming
  mail (that is, we say "200 OK" and junk the mail into the black hole).

This prevents most false positives (which are rare, but not non-existent),
and keeps the amount of "bounced" viruses to a minimum (even if it is
bounced by the sending mail server).

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
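
The three-rule policy from the message above, written out as an added example that is not part of the original post or of any ClamAV code. The function name `decide`, the virus names, the 550/451/250 reply codes and the handling of scanners that disagree on the name are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"      # deliver normally
    REJECT = "reject"      # permanent failure at SMTP time
    TEMPFAIL = "tempfail"  # temporary failure, the sending server retries
    DISCARD = "discard"    # report success to the client, then drop the mail


@dataclass(frozen=True)
class Verdict:
    action: Action
    smtp_code: int
    text: str


# Constructed sample names. A real list would hold each scanner's own
# signature names for malware that cannot forge the envelope sender.
NON_FORGING = {"W97M.Example.Macro", "WM/Example-A"}


def decide(detections, non_forging=NON_FORGING):
    """detections maps scanner name -> virus name, or None when clean."""
    hits = {s: v for s, v in detections.items() if v}
    if not hits:
        return Verdict(Action.ACCEPT, 250, "OK")
    names = sorted(set(hits.values()))
    # Assumption: reject only when every reported name is a known
    # non-forging one, so a disputed identification is never bounced.
    if all(n in non_forging for n in names):
        return Verdict(Action.REJECT, 550, f"infected with {names[0]}")
    if len(hits) == 1:
        # A single scanner may be a false positive: let the sender retry.
        return Verdict(Action.TEMPFAIL, 451, f"possibly infected with {names[0]}")
    # Several scanners flag a likely sender-forging virus: no bounce is
    # generated because the client is told the message was accepted.
    return Verdict(Action.DISCARD, 250, "OK")


if __name__ == "__main__":
    # Constructed scan result: two of three scanners flag a mass-mailer.
    sample = {"scanner1": "Worm.Example.Mailer", "scanner2": "Worm.Example.Mailer", "scanner3": None}
    print(decide(sample))
```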