RE: To send or not to send 'virus in email' notifications?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The right answer for the original question is probably
"Buy an email server package with virus scanning hooks" or
"Get a virus scanner with sendmail milter hooks"
rather than specific details of how to set it...

The suggestion to do virus filtering during the
message transfer stage rather than the delivery stage is good.
It looks like sendmail milters can be tweaked to do this,
though unless they can recognize the virus from the mail headers,
they have to wait until the end-of-message hook to do it,
i.e. after the whole virus has been transferred
but before the message acceptance codes get transferred.
It's too bad that it's difficult to send a reject code
and continue a teergrube at the same time.

For virus scanners that run at other stages in the delivery process,
the right decision about whether to do a notification or not
is virus-dependent, if your anti-virus package supports it.
Sobig almost always forges sender addresses, so it shouldn't get a reply,
but some other viruses don't forge the sender, and should get the reply.
Limiting the responses to once a week per sender or whatever may help,
but only if the same sender gets forged a lot.

Yet another reason to cryptographically sign your outgoing mail,
not that I usually do so or that most people or mail clients check.

    Thanks; Bill Stewart

For virus scanners that run at other stages in the delivery process,
the right decision about whether to do a notification or not
is virus-dependent, if your anti-virus package supports it.
Sobig almost always forges sender addresses, so it shouldn't get a reply,
but some other viruses don't forge the sender, and should get the reply.
Limiting the responses to once a week per sender or whatever may help,
but only if the same sender gets forged a lot.

  One of my pet peeves is anti-virus programs that detect a virus by name, and
so should know that it always spoofs the sender address, yet still send
messages referring to the "message you sent". I wonder if people receive
those, scan for viruses, and then when they don't find one, do one of the
following:

  1) Take their computer to a computer store and pay for needless 'repairs',
or

  2) Reinstall/reformat rather than take chances.

  At a very minimum, guys, adjust your messages to say "an email that appears
to have been sent by you" or similar language to indicate that you don't
know for sure who sent the message.

  DS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  One of my pet peeves is anti-virus programs that detect a virus by name,
and so should know that it always spoofs the sender address, yet still send
messages referring to the "message you sent". I wonder if people receive
those, scan for viruses, and then when they don't find one, do one of the
following:

  1) Take their computer to a computer store and pay for needless 'repairs',
or

  2) Reinstall/reformat rather than take chances.

  3) Call up their geeky son and panic...
<rant>
On this subject, my major pet peeve would be that at least 85% of the bounce
messages that I have seen coming back here don't contain enough information
to figure out where the original message came from. How very nice of you to
tell me that my FreeBSD laptop is sending on a Windows virus. Maybe if you
gave back the headers of the message, I could have a chance of guessing which
of the unlucky people that has my e-mail in their address book might be
infected. Or when the previously mentioned panicking Dad calls up, we can figure
out which one of his friends has it. But my vote is still a flag in the
AV scanner that says "virus forges From: / don't e-mail"...
</rant>

-Patrick

-- 
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key fingerprint = 8F70 6306 F0A7 B8DA BA95 76C4 606A 7DC1 370D 752C

Me no internet, only janitor, me just wax floors.
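The three points raised above (Bill's: make the reply decision per virus and rate-limit it per sender; DS's: say "appears to have been sent by you"; Patrick's: include the original headers and honour a "virus forges From:, don't e-mail" flag) fit together as one small policy module. The following is an added example written for this thread, not code from amavis, from sendmail milters or from any of the posters; it would sit behind whatever end-of-message hook your scanner exposes. The only fact taken from the thread is that Sobig forges the sender; the "Example.NonForging" name, the addresses, the postmaster address and the sample message are all constructed for illustration.

```python
"""Notification policy for a mail-time virus scanner (added example, not
code from amavis, a milter, or any poster in this thread)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Does this virus family forge the sender? Sobig forging the sender is
# stated in the thread; "Example.NonForging" is a hypothetical name.
# Unknown names default to True so the conservative choice (no reply) wins.
FORGES_SENDER = {
    "Sobig.F": True,
    "Example.NonForging": False,
}

WEEK = 7 * 24 * 3600


class NotifyRateLimiter:
    """Allow at most one notification per sender address per window."""

    def __init__(self, window_seconds=WEEK):
        self.window = window_seconds
        self._last_sent = {}

    def allow(self, sender, now):
        last = self._last_sent.get(sender)
        if last is not None and now - last < self.window:
            return False
        self._last_sent[sender] = now
        return True


def should_notify(virus_name, envelope_sender, limiter, now):
    """Decide whether the apparent sender should be told at all."""
    if FORGES_SENDER.get(virus_name, True):
        return False          # a forged From: would hit an innocent party
    addr = parseaddr(envelope_sender)[1]
    if "@" not in addr:
        return False          # null sender (<>) or garbage: never reply
    return limiter.allow(addr.lower(), now)


def build_notification(raw_message, virus_name, envelope_sender, postmaster):
    """Compose a notice that does not assert authorship and carries the
    original headers, so the Received: chain can identify the real source."""
    original = email.message_from_bytes(raw_message, policy=policy.default)
    header_block = "\n".join(f"{name}: {value}" for name, value in original.items())
    note = EmailMessage()
    note["From"] = postmaster
    note["To"] = envelope_sender
    note["Subject"] = f"{virus_name} found in a message that appears to be from you"
    note["Auto-Submitted"] = "auto-replied"   # RFC 3834: marks this as automatic
    note.set_content(
        "A message that appears to have been sent by you was found to contain "
        f"{virus_name}. Sender addresses are easily forged, so this does not "
        "prove that your computer is infected. The original message headers "
        "follow; the Received: lines show which host actually submitted it.\n\n"
        + header_block
    )
    return note


def process(raw_message, virus_name, envelope_sender, limiter, now, postmaster):
    """Return the notification to send, or None when policy says stay quiet."""
    if not should_notify(virus_name, envelope_sender, limiter, now):
        return None
    return build_notification(raw_message, virus_name, envelope_sender, postmaster)


# Constructed sample: a worm-sent message with a forged From: and a
# Received: line naming the infected host (192.0.2.10 is a documentation net).
SAMPLE_MESSAGE = b"""\
Received: from pc-victim.example.net ([192.0.2.10])
\tby mx.example.org with ESMTP id ABC123; Tue, 26 Aug 2003 10:00:00 +0000
From: "Alice" <alice@example.com>
To: doon@example.org
Subject: Thank you!
Message-ID: <constructed-1@pc-victim.example.net>
Content-Type: text/plain

(attachment omitted)
"""

if __name__ == "__main__":
    limiter = NotifyRateLimiter()
    postmaster = "postmaster@example.org"   # constructed address
    for virus, when in (("Sobig.F", 0), ("Example.NonForging", 0),
                        ("Example.NonForging", 3600),
                        ("Example.NonForging", 8 * 24 * 3600)):
        note = process(SAMPLE_MESSAGE, virus, "alice@example.com",
                       limiter, when, postmaster)
        print(f"{virus:20} t={when:>7}: {'notify' if note else 'no reply'}")
        if note is not None:
            print(note.get_content())
```

Two design choices are worth noting. Unknown virus names are treated as sender-forging, so a scanner whose signature database lacks the flag stays quiet rather than generating backscatter; and the null envelope sender is refused outright, since replying to a bounce only produces a bounce loop. The rate limiter keys on the normalised address, which, as Bill points out, only helps when the same address is forged repeatedly.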

Patrick Muldoon wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One of my pet peeves is anti-virus programs that detect a virus by name,
and so should know that it always spoofs the sender address, yet still send
messages referring to the "message you sent". I wonder if people receive
those, scan for viruses, and then when they don't find one, do one of the
following:

1) Take their computer to a computer store and pay for needless 'repairs',
or

2) Reinstall/reformat rather than take chances.

3) Call up their geeky son and panic...
<rant>
On this subject, my major pet peeve would be that at least 85% of the bounce messages that I have seen coming back here don't contain enough information to figure out where the original message

<snip>
Amavis sends back in the notification message the original message's headers (plus more if you wish).
amavisd-new has templates and such.

You would think other people who pay their developers nice sums of money could do the same.

I attest to Amavis on this one: message headers, virus found, and also, if you quarantine the message, it sends the quarantined file name.

Gerardo

Joe Maimon writes: