Jeremy Kitchen wrote:
> On Friday 06 January 2006 02:24, Michael wrote:
> > your messages convinced me only to report the sender.
> > I don't want to only blackhole the message and nothing else, because I think
> > one of the two, the sender or the recipient, should get informed.
>
> no
> you should NEVER notify the sender.
> the sender 99.99999999% of the time is NOT the real 'sender' of the message.
> you should simply BOUNCE (as in, reject the message at the door with a 5xx
> response) or bitbucket (accept it with 2xx, but throw it in the trash) the
> message.
> If you wish to annoy your users, you can also optionally send them a report,
> but they will probably get pissed off.
> At any rate, DO NOT SEND NOTIFICATIONS TO THE SENDER.

I agree with this almost entirely. You should absolutely try to 5xx refuse
known-malicious email traffic, or if you have to accept it, silently file it
away in a quarantine area for a knowledgeable human to review questionable
cases, without generating additional email traffic.
But you shouldn't discard a message you've 2xx accepted unless you are positive
it is malicious.
It is useful to pass questionable email through but mark it with a header that
MUAs will pay attention to for junk mail filtering (i.e., X-Spam-Status). I can't
entirely forbid people to pass .zips through because they have need to do so,
but I will still virus-scan the contents to detect and block known-bad zipped
viruses, and mark them as potentially dangerous.
When a mail system receives a virus, given a choice between replying to both the
presumed sender and the recipient, or only one of the two, or none, it is better
to generate no additional traffic or else your server will DoS itself or
somebody else when it is flooded by malicious traffic during a targeted attack.
--
-Chuck
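
The handling policy argued for in this thread, as an added Python sketch that is not part of the original messages or of ClamAV: refuse with 5xx while the SMTP session is open, quarantine silently once a message has been accepted, tag questionable mail with X-Spam-Status, and never generate new mail. The verdict labels, the `Disposition` type, the `dispose` function, the reply strings and the sample message are assumptions made for the example.

```python
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from typing import List, Optional

CLEAN, SUSPECT, INFECTED = "clean", "suspect", "infected"  # hypothetical verdict labels


@dataclass
class Disposition:
    smtp_reply: Optional[str]             # reply to the connecting client; None if already accepted
    deliver: Optional[Message] = None     # goes to the recipient's mailbox
    quarantine: Optional[Message] = None  # held for a knowledgeable human to review
    generated_mail: List[Message] = field(default_factory=list)  # no branch ever fills this


def dispose(raw: str, verdict: str, in_smtp_session: bool) -> Disposition:
    """Map a scanner verdict to an action without creating any new email traffic."""
    msg = message_from_string(raw)
    reply = "250 2.0.0 accepted" if in_smtp_session else None
    if verdict == INFECTED:
        if in_smtp_session:
            # Refuse at the door: the connecting client owns the failure, we send nothing.
            return Disposition(smtp_reply="550 5.7.1 message refused")
        # Already accepted with 2xx: file it away silently, no notice to the From address.
        return Disposition(smtp_reply=None, quarantine=msg)
    if verdict == SUSPECT:
        # Not positively malicious, so do not discard: tag it and pass it through.
        del msg["X-Spam-Status"]      # drop any value the sender supplied
        msg["X-Spam-Status"] = "Yes"  # constructed value for this example
        return Disposition(smtp_reply=reply, deliver=msg)
    if verdict == CLEAN:
        return Disposition(smtp_reply=reply, deliver=msg)
    raise ValueError(f"unknown verdict: {verdict!r}")


# Constructed sample message with a forged From address.
SAMPLE = (
    "From: forged@example.org\n"
    "To: user@example.net\n"
    "Subject: invoice\n"
    "X-Spam-Status: No\n"
    "\n"
    "see attached\n"
)
```
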