On Fri, Jul 30, 2004 at 06:22:00PM -0600, Warren Block wrote:
> On Fri, 30 Jul 2004, Tim Schutt wrote:
>
> >On Jul 30, 2004, at 4:09 PM, Bill Moran wrote:
> >
> >>If you're going to send notification, there is only one _proper_ way
> >>to do it: analyze the Received: headers and find out where the virus
> >>_really_ originated, then contact the abuse@ address for that domain
> >>with the message.
> >
> >I completely understand where you are coming from, and I am only intending
> >on notifying the intended recipient of the email, not the "sender" for the
> >very reason that you note. If it was just me, I would can the message and
> >be done with it. However, I am in the midst of marketing this service to
> >some highly security conscious people so I would like the reinforcement of
> >the notifications for their peace of mind and a little customer-stroking
> >reminding them how great the service is. :-)
>
> [Format recovered--please don't top-post. It makes responding to your
> messages difficult and time-consuming, to the point that many people
> won't bother.]
>
> "Virus detected" messages are generally abusive. Here are some problems
> I've experienced on the receiving end of antivirus notification
> messages:
>
> * Sent to the forged From address. We'll skip the issue of a virus
> checker that trusts any content in a virus-generated message;
> what about long CC: and BCC: lists?
>
> * Sent to the intended victim--"Hey, you almost got away without being
> harassed, but we wanted to brag about our antivirus system."
>
> * Some include "this message guaranteed virus-free" text. It's like the
> sender is saying "please sue me".
>
> * Sent outside the detecting system's domains, spreading the damage.
> If you must send notifications, send them only to those systems you
> control, and where you are responsible to your users.
>
> * Antivirus software forges "[EMAIL PROTECTED]'sdomain" into the From:
> line. Senders of these messages get a 550 reject for all further
> mail.
>
> * Some notifications include the virus. Yes, there are actual
> "antivirus" programs out there that are dumb enough to do this.
>
> Bearing that in mind, here's a suggestion for clamav flags:
>
> clamav_milter_flags="--quiet --local --outgoing --max-children=50
> --dont-log-clean --noxheader --outgoing"
Amen brother. I agree basically with all of that.

I'd like to bring out a point implicit in what Warren says, which is that
the best -- if not the only -- way to notify someone in the sending chain
that they are sending you a virus infected e-mail is to reject the message
with a 550 or 554 code at the SMTP DATA stage. This will generate at least
a log message on the sending server, and hopefully will alert the admins of
that machine that they need to take action.

Even so, if your e-mails are commonly relayed through some MXes that don't
run AV scans, doing that will result in sending bounce messages with all
the implications of those going astray due to forged headers. In that
sense, the only 'safe' thing to do is to accept the message and
immediately route it to /dev/null. Except that runs counter to the SMTP
standards. It's a toss-up: but neither way is completely ideal.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
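The two defender-side pieces this thread turns on, as an added example that is not code from any of the posters or from clamav-milter: the reply to give at the end of DATA (a 5xx that the real sending MTA logs itself, versus accepting and discarding), and the Received: walk Bill Moran describes, trusting only the lines written by relays we operate. Every host name, address, the sample message and the scanner are constructed for illustration; the scanner is a stand-in for the milter's real scan.

```python
import re
from email import message_from_string

# Constructed marker standing in for a real scanner signature match.
INFECTED_MARKER = "CONSTRUCTED-TEST-PAYLOAD"
# Hosts we operate (constructed); Received: lines they wrote can be trusted.
OUR_RELAYS = {"mx1.ourdomain.example", "relay.ourdomain.example"}

# Constructed sample: newest hop first, a forged origin at the bottom.
RAW_MESSAGE = """\
Received: from relay.ourdomain.example (relay.ourdomain.example [198.51.100.5])
\tby mx1.ourdomain.example (Postfix) with ESMTP id 1; Fri, 30 Jul 2004 18:22:00 -0600
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby relay.ourdomain.example (Postfix) with ESMTP id 2; Fri, 30 Jul 2004 18:21:50 -0600
Received: from forged.invalid (forged.invalid [203.0.113.9])
\tby mail.example.net with SMTP id 3; Fri, 30 Jul 2004 18:21:40 -0600
From: someone@forged.invalid
Subject: constructed sample

This body carries the CONSTRUCTED-TEST-PAYLOAD marker.
"""

def constructed_scanner(body):
    """Stand-in for the milter's scanner: signature name, or None if clean."""
    return "Test.Constructed" if INFECTED_MARKER in body else None

def data_stage_reply(raw, scan):
    """Reply to send after the final '.' of DATA. A permanent 5xx reaches the
    real sending MTA without trusting any header and leaves us no bounce to
    send; the alternative is 250 followed by /dev/null."""
    sig = scan(message_from_string(raw).get_payload())
    return (f"554 5.7.1 Message rejected: virus detected ({sig})" if sig
            else "250 2.0.0 Ok: queued")

RECEIVED = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.I)

def originating_hop(raw, our_relays):
    """First hop outside our relays, as recorded by the last relay we own.
    Received: lines are prepended, so top-down is newest to oldest; lines
    written by hosts we do not own are untrusted and stop the walk."""
    for hdr in message_from_string(raw).get_all("Received", []):
        m = RECEIVED.search(" ".join(hdr.split()))  # unfold continuation lines
        if not m:
            continue
        from_host, recorded, by_host = m.groups()
        if by_host.rstrip(";") not in our_relays:
            return None  # written by someone else: nothing we can vouch for
        if from_host.rstrip(";") not in our_relays:
            return recorded or from_host  # what our relay saw, not the HELO
    return None
```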