At 06:51 AM 1/10/2006, Jan Pieter Cornet wrote:
On Fri, Jan 06, 2006 at 12:37:02PM -0500, Chuck Swiger wrote:
> Anyway, amavisd-new lists a dozen or so examples:
>
> # Treat envelope sender address as unreliable and don't send sender
> # notification / bounces if name(s) of detected virus(es) match the list.
> # Note that virus names are supplied by external virus scanner(s) and are
> # not standardized, so virus names may need to be adjusted.
> # See README.lookups for syntax.
> #
> $viruses_that_fake_sender_re = new_RE(
> qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
>   qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i,
> );

This list is pretty much incomplete (at least sober, somefool and mydoom are missing, to name a few). And having this makes you follow the latest virus definitions scanning for possible new virus strands that fake their sender.

I believe it's way easier to do the opposite: list only viruses that do NOT fake the sender. The only ones you'd expect to find in email are things like eicar, joke and macro viruses.

For the last couple years amavisd-new assumes the sender is fake but for a few exceptions by default. The above list is from a much older version which required manual updating.

--
Noel Jones
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
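
The two policies discussed in this thread, modelled side by side as an added example (not code from amavisd-new or from any poster). The first-match-wins lookup, the function names and the ClamAV-style sample virus names are assumptions constructed for illustration; only the first two patterns come from the quoted config.

```python
import re

# Policy A, from the quoted config: list the names that forge the sender;
# anything unlisted is treated as having a genuine sender (default False).
LISTED_FAKERS = [
    (re.compile(r"nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar", re.I), True),
    (re.compile(r"tanatos|lentin|bridex|mimail|trojan\.dropper", re.I), True),
]

# Policy B, the inversion proposed in the thread: list only the names that do
# NOT forge the sender; anything unlisted is assumed forged (default True).
# The exception pattern is an assumption built from the examples in the thread.
LISTED_HONEST = [
    (re.compile(r"eicar|joke|macro", re.I), False),
]


def fakes_sender(virus_name, rules, default):
    """Return the verdict of the first matching rule, else the policy default."""
    for pattern, verdict in rules:
        if pattern.search(virus_name):
            return verdict
    return default


def may_notify_sender(detected_names, rules, default):
    """A bounce/notification is allowed only if no detected name forges the sender."""
    return not any(fakes_sender(n, rules, default) for n in detected_names)


if __name__ == "__main__":
    # Constructed sample detections (one list per scanned message).
    samples = [
        ["Worm.Klez.H"],
        ["Worm.Sober.U"],
        ["Worm.Mydoom.M"],
        ["Eicar-Test-Signature"],
        ["Eicar-Test-Signature", "Worm.SomeFool.P"],
    ]
    print(f"{'detections':45} {'policy A':9} {'policy B':9}")
    for names in samples:
        a = may_notify_sender(names, LISTED_FAKERS, default=False)
        b = may_notify_sender(names, LISTED_HONEST, default=True)
        print(f"{', '.join(names):45} {str(a):9} {str(b):9}")
```

Under policy A every name missing from the list results in a notification to a forged address; under policy B a missing name only costs a suppressed notice.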
