amavisd/clamav Virus Recipient email notification template woes
Warren Block
wblock at wonkity.com
Fri Jul 30 17:23:14 PDT 2004
On Fri, 30 Jul 2004, Tim Schutt wrote:
> On Jul 30, 2004, at 4:09 PM, Bill Moran wrote:
>> If you're going to send notification, there is only one _proper_ way
>> to do it: analyze the Received: headers and find out where the virus
>> _really_ originated, then contact the abuse@ address for that domain
>> with the message.
> I completely understand where you are coming from, and I am only intending on
> notifying the intended recipient of the email, not the "sender" for the very
> reason that you note. If it was just me, I would can the message and be done
> with it. However, I am in the midst of marketing this service to some highly
> security conscious people so I would like the reinforcement of the
> notifications for their peace of mind and a little customer-stroking
> reminding them how great the service is. :-)
[Format recovered--please don't top-post. It makes responding to your
messages difficult and time-consuming, to the point that many people
won't bother.]
"Virus detected" messages are generally abusive. Here are some problems
I've experienced on the receiving end of antivirus notification
messages:
* Sent to the forged From address. We'll skip the issue of a virus
  checker that trusts any content in a virus-generated message;
  what about long CC: and BCC: lists?
* Sent to the intended victim--"Hey, you almost got away without being
  harassed, but we wanted to brag about our antivirus system."
* Some include "this message guaranteed virus-free" text. It's like the
  sender is saying "please sue me".
* Sent outside the detecting system's domains, spreading the damage.
  If you must send notifications, send them only to those systems you
  control, and where you are responsible to your users.
* Antivirus software forges "postmaster at victim'sdomain" into the From:
  line. Senders of these messages get a 550 reject for all further
  mail.
* Some notifications include the virus. Yes, there are actual
  "antivirus" programs out there that are dumb enough to do this.
Bearing that in mind, here's a suggestion for clamav flags:
clamav_milter_flags="--quiet --local --outgoing --max-children=50 --dont-log-clean --noxheader"
-Warren Block * Rapid City, South Dakota USA
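The Received: header analysis mentioned in the quoted text above, as an added example that is not part of the original thread: it walks the Received: chain newest first and believes only lines written by the site's own MTAs, so forged From: and forged older Received: lines are ignored. The sample message, all host names and IP addresses, the TRUSTED_HOSTS/TRUSTED_IPS sets and the true_origin() helper are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample (documentation hosts/IPs). The From: line and the oldest
# Received: line are what a virus could forge; the top two were added by us.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.org with ESMTP; Fri, 30 Jul 2004 17:00:02 -0700
Received: from dialup-77.isp.example.net (unknown [198.51.100.77])
\tby mx1.example.org with SMTP; Fri, 30 Jul 2004 17:00:01 -0700
Received: from mail.innocent.example.com (mail.innocent.example.com [203.0.113.5])
\tby relay.innocent.example.com with SMTP; Fri, 30 Jul 2004 16:59:00 -0700
From: someone@innocent.example.com
To: user@example.org
Subject: your document

body
"""

# Assumptions: the MTAs we operate, by name and by address.
TRUSTED_HOSTS = {"mail.example.org", "mx1.example.org"}
TRUSTED_IPS = {"192.0.2.10", "192.0.2.11"}

# "from <helo> (<rdns> [<ip>]) by <host>", the Sendmail/Postfix-style layout.
HOP = re.compile(r"from\s+(\S+)\s+\([^\[\]]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")


def true_origin(raw, hosts=TRUSTED_HOSTS, ips=TRUSTED_IPS):
    """Return (ip, helo) of the host that handed the message to our MTAs.

    Headers are read newest first; only lines written by our own servers are
    believed, so anything the sender prepended is never consulted.
    """
    for header in message_from_string(raw).get_all("Received", []):
        m = HOP.search(header)
        if not m or m.group(3).lower() not in hosts:
            return None          # not provably written by us: stop, don't guess
        helo, ip = m.group(1), m.group(2)
        if ip not in ips:
            return ip, helo      # first outside host seen by a trusted server
    return None                  # never left our own systems


if __name__ == "__main__":
    print(true_origin(SAMPLE))
```

The returned address is the one to look up for an abuse contact; the HELO name is supplied by the connecting host and is kept only for context.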