> > Not a single person in the domains hosted on our > > server has received a single incident. > > > > I am getting approximately 40 to 50 of these a day, > while the rest of my users, combined, have received > no more than 20. >
>From begin of this month on we've disabled recipient virus warnings because A.) they create unnecessary traffic during worm waves B.) we've seen that the distribution of incoming virus (and also spam) is all other then balanced to our customers mailboxes. C.) over 99% of all incoming infected messages have no interesting content for the recipient because it's autogenerated from a self spreading worm. So our customers - if target of a worm attach - are happy to see that our virus filter works. But after the xx warning on the same day they are not more so happy. The solution for us: We've in use also declude junkmail. So we can add a custom mail header containing the final recipient mailbox name to every incoming message. Now we've written a short vb-script that goes trough our /spam/hold and /virus/hold folders parses the recipient mailbox name from every D*.SMD file and increment the counter in a Database. (Note: it works only because we keep all hold virus/spam messages and delete the after 14 days) Now we are able to send out a weekly report to our users who has received at least 5 spams or 1 virus in the last 7 days. As you can see in the attached diagram only ~1/3 of our mailboxes receive at least 1 virus from 09/01/2003 on. (The spam-diagramm has nearly the same distribution) Markus
<<attachment: virus_distribution.gif>>
