
Re: OT: Viruses on lists



On Sun, May 09, 2004 at 09:59:45AM +0100, Jonathan Matthews wrote:
| Evenin' all.
| 
| I've installed ClamAV+Exim4 to reject viruses at SMTP time.  d-u's 
| headers don't seem to mention anything about /virus/ scanning (as 
| opposed to SpamAssassin), so I guess I'm ok asking this question here:
| 
| The whole point of having virus scanning while the sender still has an 
| open connection is a) to reduce email processing load on your system and 

Well, virus scanning is increased processing (as compared to no
content scanning) and when done during the smtp session -could- lead
to Denial of Service.

| b) to reduce bounces to forged headers - which must be sent if the email 
| is accepted and only scanned later.

Agreed.

| I'm fine with (a) - I think that still holds -


| but is (b) incorrect when dealing with listmail?

Pretty much.

| Since the mail has already been received and accepted by murphy, am
| I just pushing the sending of spoofed bounce messages one stage back
| up the email processing ladder?

Almost.  murphy generates a bounce and sends it to the list manager
(mailman, majordomo, ezmlm, etc. - I don't know what one murphy is
running).  The list manager then counts that against you in its
determination of which addresses are invalid and need to be removed
from the list.

| Is it an unfriendly thing to do to murphy - should I be whitelisting
| it instead?

It's up to you, now that you know the consequences.

My choice is to simply drop viruses.  I don't expect to have any legit
messages falsely identified as viral, and dropping the message simply
removes waste from the network bandwidth and disk storage of the
world.  I see no need to push the bounce back at someone else,
particularly since the offender is rarely the one punished in that
case.

I do, however, reject messages with certain spam-like characteristics
(for example, invalid sender domain).  As a result, one of the lists I
subscribe to periodically sends me a "probe" to see if my address
really is invalid.  Of course, the probe works and I am not removed
from the list, but it is still annoying and wasteful of resources.

| Any thoughts on this, or how to configure the exceptions inside Exim 
| would be appreciated!

This depends on how your av scanner is run.  I think exiscan has its
own ACL directive so you can put whatever condition you like on it.

-D

-- 
"He is no fool who gives up what he cannot keep to gain what he cannot lose."
    --Jim Elliot
 
www: http://dman13.dyndns.org/~dman/            jabber: dman@dman13.dyndns.org
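
The trade-off discussed in this message, written out as an Exim 4 configuration fragment. This is an added example, not part of the original post or either poster's configuration. It assumes an Exim build with the exiscan content-scanning ACL conditions; the hostlist name `list_relays`, the address `192.0.2.25` (a documentation placeholder standing in for the list server) and the clamd socket path are all assumptions to replace with local values.

```exim
# --- main configuration section ---

# Assumed clamd socket path; adjust to the local ClamAV install.
av_scanner = clamd:/var/run/clamav/clamd.ctl

# Hypothetical hostlist: hosts that relay mailing-list traffic to us.
# 192.0.2.25 is a placeholder, not the real address of any list server.
hostlist list_relays = 192.0.2.25

# Run the ACL below after the message body has been received,
# while the sending host still has the SMTP connection open.
acl_smtp_data = acl_check_data

# --- ACL section ---
begin acl

acl_check_data:

  # Malware relayed by a list server: accept at SMTP level but throw
  # the message away. The list server sees a successful delivery, so
  # the list manager does not count a bounce against this subscriber.
  discard hosts       = +list_relays
          malware     = *
          log_message = discarded malware ($malware_name) from list relay

  # Malware from any other host: reject with a 5xx during the SMTP
  # session, so this system never has to generate a bounce to a
  # (probably forged) sender address.
  deny    malware     = *
          message     = This message contains malware ($malware_name)

  accept
```

Putting the `hosts` condition first means the list-relay rule only applies to the listed hosts; everything else falls through to the `deny`. Discarded messages leave no trace for the sender, so the `log_message` line is the only record that something was dropped.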
