Milter Logging

[Warren Block]

On Sat, 17 Apr 2004, Matthew Seaman wrote:

> On Sat, Apr 17, 2004 at 02:00:59PM -0400, Chuck Swiger wrote:
> > Warren Block wrote:
> > >What do people do for milter logging?  A MAILER-DAEMON message for every
> > >virus caught by clamav-milter is a little annoying (both to the intended
> > >recipient and to postmaster), but I'm hesitant to just discard them.
>
> clamav-milter logs what it does to syslog very effectively.  The
> warning messages to postmaster aren't really necessary but for a low
> traffic site, they do give you some vicarious pleasure for a while.

My mistake was that in trying to make sure I didn't bounce virus mail to
forged From: addresses, I overrode the default clamav-milter flags with
just -N (--noreject).  This was not the correct option, and not the only
option needed.  "--quiet --local --outgoing --max-children=50" seems to
be more like what was needed.

> > Refusing to accept viral mail is the best option if you can; failing that,
> > I discard such messages.  Frankly, I gave up bouncing viral mail after I
> > got tired of answering complaints when someone got a bounce from a
> > forgery...

I've said elsewhere that it's silly for an antivirus program to trust
*any* information in a known virus-generated message.  That would
include bouncing to the From: address.

> Yes -- rejecting the messages at the SMTP DATA stage is the way to go.

Which is what is accomplished with clamav-milter, at least with the
right combination of flags.  8-)

I'd still like some summary logging of the results; if a system has sent
a lot of viruses recently, it may be necessary to reject them through
access.db, or even at the firewall.

-Warren Block * Rapid City, South Dakota USA