[EMAIL PROTECTED] wrote:
[...]
This would be perfectly acceptable if all AV software yielded a 0% false positive rate. However, we all know that just isn't the case. False positives DO happen.
How can you know that there is a false positive?
Customer sends an email and it is flagged as containing a virus. Customer runs up-to-date virus scan and finds no virus. Customer contacts mail server administrator and mail server administrator runs a variety of scans on email. Most don't detect a virus, so admin sends virus to AV people for possible false positive examination. AV people reply back that this is indeed a false positive and modify signature so it won't happen again.
All of this is impossible if customer doesn't KNOW that the email has been quarantined in the first place. This problem is what I am addressing.
OK, so maybe it is useful to send notifications back to your own users if you're scanning the outgoing mails.
>> So why don't we change qmail-scanner to return a 5xx SMTP error code and a short message when a virus email is quarantined?
As you surely know, a 5xx is sent back to the return-path, and it is almost always faked...
No sir, a 5xx or a 451 or whatever is sent back during the actual SMTP session. It has absolutely nothing to do with the return path. No additional emails are generated. Instead, the connection is closed with an error code.
I'm sorry, but I have to say that a 5xx code is sent to the return-path address (or MAILFROM, as Jason named it in his recent post), not from your server but from the remote SMTP server with which you have ended the SMTP session with a 5xx. That server has accepted the mail as deliverable, so it has a return-path, and to that return-path it sends the bounce.
[...]
What do you think?
From my experience, I receive every day a lot of "virus warnings" that are "false negatives"; I use a Mac. Now I'm using spamassassin to block all those bogus virus warnings; they are really spam. I think that psender is good enough. It is not perfect, but it is better than spreading spam all over the world in the form of "virus warnings" or bounces saying that you may have sent a virus, and the queue of my server doesn't fill with undeliverable mails to addresses that really don't exist ([EMAIL PROTECTED])
I don't think you understand what I'm proposing.
Well, I understand what you are proposing. I have tried this way myself and after the tests I left it...
Look at the post Jason sent after our posts of yesterday. "In my opinion", actually, it is not a good practice to notify the sender, because "almost" all the senders (except some false positives) are faked. Perhaps it would be useful to send notifications to your users to avoid false positives.
There are a lot of people out there blocking all these "warnings" and "bounces"; you can have a look at <http://www.timj.co.uk/linux/bogus-virus-warnings.cf>. In fact, some antivirus systems already send a 5xx.
Cheers
Salvatore
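
The two positions in this thread differ on who ends up sending mail after a 5xx. The following model, added here as an example and not taken from either poster or from qmail-scanner, plays out both cases: a client that connects directly and a relay that had already accepted the message. The addresses, the marker string and the `Envelope`/`Client` names are constructed for illustration.

```python
from dataclasses import dataclass, field

MARKER = b"CONSTRUCTED-SCANNER-TEST-MARKER"  # constructed stand-in for an AV hit

@dataclass
class Envelope:
    mail_from: str   # envelope sender / return-path; trivially forged
    rcpt_to: str
    body: bytes

def scanning_server(env):
    """Receiving MTA: answers inside the SMTP session after DATA, queues nothing,
    and sends no mail of its own when it rejects."""
    if MARKER in env.body:
        return 554, "5.7.1 rejected: content flagged by scanner"
    return 250, "2.0.0 ok"

@dataclass
class Client:
    """Whoever opened the connection to the scanning server."""
    is_relay: bool                                      # True: an MTA that already accepted the mail
    bounces: list = field(default_factory=list)         # DSNs this client generates
    seen_in_session: list = field(default_factory=list) # errors seen first-hand

    def deliver(self, env):
        code, text = scanning_server(env)
        if code >= 500:
            if self.is_relay:
                # The relay took responsibility earlier, so it must report the
                # failure to the envelope sender, forged or not.
                self.bounces.append(Envelope("<>", env.mail_from, text.encode()))
            else:
                # Direct sender: the error ends here, in the session itself.
                self.seen_in_session.append(f"{code} {text}")
        return code

def run_scenarios():
    forged = Envelope("victim@forged.example", "user@scanned.example", b"x " + MARKER)
    honest = Envelope("customer@isp.example", "user@scanned.example", b"hi " + MARKER)
    direct_user, direct_worm, relay = Client(False), Client(False), Client(True)
    direct_user.deliver(honest)   # false positive: the sender sees the 554 at once
    direct_worm.deliver(forged)   # mass-mailer connecting directly: nobody is mailed
    relay.deliver(forged)         # via a relay: the relay bounces to the forged address
    return {
        "user_sees": direct_user.seen_in_session,
        "worm_bounces": [b.rcpt_to for b in direct_worm.bounces],
        "relay_bounces": [b.rcpt_to for b in relay.bounces],
    }
```

In this model the scanning server never generates a message itself; whether a forged return-path receives a bounce depends only on whether the connecting client is a relay that had already accepted the mail.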
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general