amavisd/clamav Virus Recipient email notification template woes

Warren Block wblock at wonkity.com
Fri Jul 30 17:23:14 PDT 2004 

On Fri, 30 Jul 2004, Tim Schutt wrote:

> On Jul 30, 2004, at 4:09 PM, Bill Moran wrote:

>> If you're going to send notification, there is only one _proper_ way 
>> to do it: analyze the Received: headers and find out where the virus 
>> _really_ originated, then contact the abuse@ address for that domain 
>> with the message.

> I completely understand where you are coming from, and I am only intending on 
> notifying the intended recipient of the email, not the "sender" for the very 
> reason that you note. If it was just me, I would can the message and be done 
> with it. However, I am in the midst of marketing this service to some highly 
> security conscious people so I would like the reinforcement of the 
> notifications for their piece of mind and a little customer-stroking 
> reminding them how great the service is. :-)

[Format recovered--please don't top-post.  It makes responding to your 
messages difficult and time-consuming, to the point that many people 
won't bother.]

"Virus detected" messages are generally abusive.  Here are some problems 
I've experienced on the receiving end of antivirus notification 
messages:

* Sent to the forged From address.  We'll skip the issue of a virus
   checker that trusts any content in a virus-generated message;
   what about long CC: and BCC: lists?

* Sent to the intended victim--"Hey, you almost got away without being
   harassed, but we wanted to brag about our antivirus system."

* Some include "this message guaranteed virus-free" text.  It's like the
   sender is saying "please sue me".

* Sent outside the detecting system's domains, spreading the damage.
   If you must send notifications, send them only to those systems you
   control, and where you are responsible to your users.

* Antivirus software forges "postmaster at victim'sdomain" into the From:
   line.  Senders of these messages get a 550 reject for all further
   mail.

* Some notifications include the virus.  Yes, there are actual
   "antivirus" programs out there that are dumb enough to do this.

Bearing that in mind, here's a suggestion for clamav flags:

clamav_milter_flags="--quiet --local --outgoing --max-children=50 --dont-log-clean --noxheader --outgoing"

-Warren Block * Rapid City, South Dakota USA

More information about the freebsd-questions mailing list