Date:      Fri, 30 Jul 2004 18:22:00 -0600 (MDT)
From:      Warren Block <wblock@wonkity.com>
To:        Tim Schutt <tim@square1consulting.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: amavisd/clamav Virus Recipient email notification template woes
Message-ID:  <20040730175822.W77732@wonkity.com>
In-Reply-To: <1F94DE30-E269-11D8-8A9E-000A27B47720@square1consulting.com>
References:  <12abd8c2040730104259ea346e@mail.gmail.com> <20040730160947.4fdbe0dd.wmoran@potentialtech.com> <1F94DE30-E269-11D8-8A9E-000A27B47720@square1consulting.com>

On Fri, 30 Jul 2004, Tim Schutt wrote:

> On Jul 30, 2004, at 4:09 PM, Bill Moran wrote:

>> If you're going to send notification, there is only one _proper_ way 
>> to do it: analyze the Received: headers and find out where the virus 
>> _really_ originated, then contact the abuse@ address for that domain 
>> with the message.

> I completely understand where you are coming from, and I am only intending on 
> notifying the intended recipient of the email, not the "sender" for the very 
> reason that you note. If it was just me, I would can the message and be done 
> with it. However, I am in the midst of marketing this service to some highly 
> security conscious people so I would like the reinforcement of the 
> notifications for their peace of mind and a little customer-stroking 
> reminding them how great the service is. :-)

[Format recovered--please don't top-post.  It makes responding to your 
messages difficult and time-consuming, to the point that many people 
won't bother.]

"Virus detected" messages are generally abusive.  Here are some problems 
I've experienced on the receiving end of antivirus notification 
messages:

* Sent to the forged From address.  We'll skip the issue of a virus
   checker that trusts any content in a virus-generated message;
   what about long CC: and BCC: lists?

* Sent to the intended victim--"Hey, you almost got away without being
   harassed, but we wanted to brag about our antivirus system."

* Some include "this message guaranteed virus-free" text.  It's like the
   sender is saying "please sue me".

* Sent outside the detecting system's domains, spreading the damage.
   If you must send notifications, send them only to those systems you
   control, and where you are responsible to your users.

* Antivirus software forges "postmaster@victim'sdomain" into the From:
   line.  Senders of these messages get a 550 reject for all further
   mail.

* Some notifications include the virus.  Yes, there are actual
   "antivirus" programs out there that are dumb enough to do this.

Bearing that in mind, here's a suggestion for clamav flags:

clamav_milter_flags="--quiet --local --outgoing --max-children=50 --dont-log-clean --noxheader"

-Warren Block * Rapid City, South Dakota USA
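The policy Warren describes above (never notify the forged From: address, notify only recipients in domains you control, never ship the infected payload or a "virus-free" guarantee) can be written down as a small check in front of the notifier. The following Python is an added example, not part of the original thread and not ClamAV or amavisd code; `LOCAL_DOMAINS`, the sample message, the host names and the function names are all constructed assumptions.

```python
"""Virus-notification policy check (added example, not from the thread).

Rules applied, following the post above:
  * the From: address is never notified (a worm forges it);
  * only recipients whose domain this system controls are notified;
  * the notice names the stripped attachment but never carries its bytes,
    and makes no "guaranteed virus-free" claim;
  * the only Received: line trusted for origin reporting is the one our own
    border MTA added, not the lines the worm or outside relays wrote.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Domains this mail system is responsible for (constructed assumption).
LOCAL_DOMAINS = {"example.com"}

# Constructed sample: forged local From:, mixed local/remote recipients,
# three Received: lines (index 0 is the most recent hop).
SAMPLE_MESSAGE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10]) by mail.example.com
Received: from relay.other.net (relay.other.net [198.51.100.5]) by mx.example.com
Received: from forged.example.net by relay.other.net
From: Alice <alice@example.com>
To: Bob <bob@example.com>, Carol <carol@other.net>
Cc: Dave <dave@mail.example.com>, alice@example.com
Subject: look at this attachment
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

hi
--b
Content-Type: application/octet-stream; name="invoice.scr"

MZ...fake payload...
--b--
"""


def _is_local(host, local_domains=LOCAL_DOMAINS):
    """True if host is one of our domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in local_domains)


def _addresses(msg, *headers):
    """Bare address strings found in the named headers, in header order."""
    values = []
    for hdr in headers:
        values.extend(msg.get_all(hdr, []))
    return [addr for _, addr in getaddresses(values) if addr]


def notification_targets(raw_message, local_domains=LOCAL_DOMAINS):
    """Recipients we may notify: local-domain recipients minus the From: address."""
    msg = message_from_string(raw_message)
    forged = {a.lower() for a in _addresses(msg, "From")}
    targets = []
    for addr in _addresses(msg, "To", "Cc", "Bcc"):
        domain = addr.rsplit("@", 1)[-1]
        if addr.lower() in forged or not _is_local(domain, local_domains):
            continue
        if addr not in targets:
            targets.append(addr)
    return targets


def trusted_origin(raw_message, local_domains=LOCAL_DOMAINS):
    """Host that handed the message to our border MTA, read from the
    Received: line *we* added; lines below it are untrusted."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", str(received), re.S)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        if _is_local(dst, local_domains) and not _is_local(src, local_domains):
            return src.rstrip(".")
    return None


def build_notice(raw_message, virus_name):
    """Compose the notice: attachment names only, no payload, no guarantees."""
    msg = message_from_string(raw_message)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    body = (
        "A message addressed to you was not delivered because it carried "
        f"{virus_name}. Stripped attachment(s): {', '.join(names) or 'none'}. "
        f"Original subject: {msg.get('Subject', '')}. "
        "The sender address is forged by this kind of worm; do not reply to it."
    )
    return {
        "to": notification_targets(raw_message),
        "subject": f"[virus filter] message stripped ({virus_name})",
        "body": body,
    }


if __name__ == "__main__":
    print(notification_targets(SAMPLE_MESSAGE))
    print(trusted_origin(SAMPLE_MESSAGE))
    print(build_notice(SAMPLE_MESSAGE, "Test.Worm")["body"])
```

With the sample above only `bob@example.com` and `dave@mail.example.com` get a notice: `carol@other.net` is outside the domains we control, and `alice@example.com` is the forged sender even though she also appears on the Cc: line. The origin function deliberately ignores the bottom Received: line, since anything below our own border MTA's entry was written by someone else.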


