Alan wrote:

> One of the reasons I use 550 rejects for viruses is that I also scan
> outgoing mail... so if by some chance one of my users gets infected with
> a virus (regardless of the fact that we have desktop antivirus software
> installed on all our machines as well as ClamAV on the MX server) and it
> tries to send out using our mail gateway, the mail gateway will reject
> that mail with a 550 and throw an error back to the client machine.
>
> if the virus is in an attachment that they're legitimately trying to
> send, they'll get an error message and then they'll undoubtedly come
> crying to the helpdesk which will then kick them and tell them to run
> the latest antivirus software/signatures.
While it certainly makes sense to reject viruses when scanning outgoing mail from your own network, it's best to make sure that the virus attachment is removed prior to rejecting and generating the bounce.

We also used to do the same thing (rejecting viruses) when it came to outbound mail from our own mail server (which is completely separate from our MD/ClamAV (CanIt-PRO) gateway cluster), where we run a commercial AV scanner. In at least a dozen or so situations early last year, we were basically rejecting viruses from client PCs, but the ignorant users (who WERE NOT infected prior to receiving the bounce) would open the attachments in the bounce and infect their PCs, spreading the virus like wildfire. Let me explain...

So, [EMAIL PROTECTED] would be infected (where a virus, such as W32.Bagle, would be auto-generating email from their PC and sending out copies of itself), sending out the virus using a forged FROM address from [EMAIL PROTECTED], and our mail server would reject and generate a bounce to user-y, containing the virus attachment in the NDN. This raised hell for us. After spending all-nighters several days in a row getting rid of the virus last year, we changed the policy on our mail server so that viruses were removed, so that the reject only contained the 5xx code and headers, hoping that we could, perhaps, trace the source based on the NDN -- not the case. Recent viruses make our lives even more difficult because they fake the source IP, so now we can't even trace the thing back to the infected PC, at least not via the NDN. We have to rely on logging to trace viruses.

You could easily argue my position by stating "well, if you reject at the SMTP connection phase, the client PC sending the virus receives the rejection no matter what". Ok, that's true, but the NDN/reject still confuses the user, but yes, it does help to narrow down where the virus is coming from, but logging is even easier and wastes less of our time.
So, now we discard outbound viruses sent from users on our own network, and rely solely on our virus logging utilities to figure out where the virus originated from. We have found that rejections are absolutely USELESS to end users; they don't understand them and it just generates unnecessary and wasteful helpdesk calls. When you're trying to maximize and use your IT staff's time most efficiently, discarding viruses is the ONLY resolution that makes sense; and I imagine this scenario applies to a majority, and not just a few of you.

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
[EMAIL PROTECTED]

_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
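The policy Chris describes (discard and log viruses coming from your own network so no NDN ever carries the infected attachment, reject inbound viruses with a bare 5xx) maps directly onto a MIMEDefang `filter_end`. The fragment below is an added example written for this page; it is not code from the post or from the MIMEDefang project. It assumes the standard filter globals (`$RelayAddr`, `$Sender`, `@Recipients`, `$VirusName`) and helpers (`message_contains_virus`, `md_syslog`, `action_discard`, `action_bounce`) that a stock `mimedefang-filter` provides; the address ranges in `@LocalNets` are constructed placeholders, and `ip2int`/`relay_is_local` are hypothetical helpers written here.

```perl
# Added example, not from the post or the MIMEDefang project.
# filter_end fragment: discard + log viruses relayed from our own network,
# reject inbound viruses with an SMTP 5xx that never echoes the attachment.

use strict;
use warnings;

# The filter is evaluated in package main, where mimedefang.pl sets these
# globals; declaring them with 'our' keeps 'use strict' happy (assumption).
our ($RelayAddr, $Sender, @Recipients, $VirusName);

# Constructed placeholder ranges for the networks our client PCs sit on.
my @LocalNets = ('192.0.2.0/24', '198.51.100.0/24');

# Dotted-quad IPv4 string -> 32-bit integer (undef if not IPv4).
sub ip2int {
    my ($ip) = @_;
    return undef unless $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return unpack('N', pack('C4', $1, $2, $3, $4));
}

# True if $ip falls inside any CIDR block listed in @LocalNets.
sub relay_is_local {
    my ($ip) = @_;
    my $addr = ip2int($ip);
    return 0 unless defined $addr;
    for my $net (@LocalNets) {
        my ($base, $bits) = split m{/}, $net;
        my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return 1 if (($addr & $mask) == (ip2int($base) & $mask));
    }
    return 0;
}

sub filter_end {
    my ($entity) = @_;

    return unless message_contains_virus();
    my $name = defined $VirusName ? $VirusName : 'unknown';

    if (relay_is_local($RelayAddr)) {
        # Outbound from our own network: the relay address in the log is the
        # infected PC (or its upstream), which is what the helpdesk needs.
        # No bounce is generated, so nobody receives the virus inside an NDN.
        md_syslog('warning', sprintf(
            'outbound virus %s discarded: relay=%s sender=%s rcpts=%s',
            $name, $RelayAddr, $Sender, join(',', @Recipients)));
        action_discard();
        return;
    }

    # Inbound: reject during the SMTP transaction. The reply carries only a
    # code and a short text; the infected attachment is never sent back.
    md_syslog('info', sprintf('inbound virus %s rejected: relay=%s sender=%s',
        $name, $RelayAddr, $Sender));
    action_bounce("Message rejected: virus $name detected", "554", "5.7.1");
}
```

The relay-address check is what makes the two branches differ: for mail submitted by your own clients the syslog line (relay, envelope sender, recipients) is the tracing record the post says you end up relying on anyway, while remote senders still get the in-transaction rejection with nothing but the status code.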

