From owner-freebsd-questions@FreeBSD.ORG Sun Apr 18 07:05:07 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1695C16A4CE
	for ; Sun, 18 Apr 2004 07:05:07 -0700 (PDT)
Received: from wonkity.com (wonkity.com [65.173.111.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9AA6843D2D
	for ; Sun, 18 Apr 2004 07:05:06 -0700 (PDT)
	(envelope-from wblock@wonkity.com)
Received: from wonkity.com (localhost [127.0.0.1])
	by wonkity.com (8.12.11/8.12.11) with ESMTP id i3IE553D006274;
	Sun, 18 Apr 2004 08:05:05 -0600 (MDT)
	(envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost)
	by wonkity.com (8.12.11/8.12.11/Submit) with ESMTP id i3IE55WV006271;
	Sun, 18 Apr 2004 08:05:05 -0600 (MDT)
	(envelope-from wblock@wonkity.com)
Date: Sun, 18 Apr 2004 08:05:05 -0600 (MDT)
From: Warren Block
To: Matthew Seaman
In-Reply-To: <20040417182956.GB90463@happy-idiot-talk.infracaninophile.co.uk>
Message-ID: <20040418074703.W6209@wonkity.com>
References: <20040416215610.Y1689@wonkity.com> <408170DB.3070201@mac.com>
	<20040417182956.GB90463@happy-idiot-talk.infracaninophile.co.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: clamd / ClamAV version devel-20040410, clamav-milter version 0.70g
cc: questions@freebsd.org
Subject: Re: Milter Logging
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 18 Apr 2004 14:05:07 -0000

On Sat, 17 Apr 2004, Matthew Seaman wrote:

> On Sat, Apr 17, 2004 at 02:00:59PM -0400, Chuck Swiger wrote:
> > Warren Block wrote:
> > > What do people do for milter logging? A MAILER-DAEMON message for every
> > > virus caught by clamav-milter is a little annoying (both to the intended
> > > recipient and to postmaster), but I'm hesitant to just discard them.
>
> clamav-milter logs what it does to syslog very effectively. The
> warning messages to postmaster aren't really necessary but for a low
> traffic site, they do give you some vicarious pleasure for a while.

My mistake was that in trying to make sure I didn't bounce virus mail to
forged From: addresses, I overrode the default clamav-milter flags with
just -N (--noreject). This was not the correct option, and not the only
option needed. "--quiet --local --outgoing --max-children=50" seems to
be more like what was needed.

> > Refusing to accept viral mail is the best option if you can; failing that,
> > I discard such messages. Frankly, I gave up bouncing viral mail after I
> > got tired of answering complaints when someone got a bounce from a
> > forgery...

I've said elsewhere that it's silly for an antivirus program to trust
*any* information in a known virus-generated message. That would include
bouncing to the From: address.

> Yes -- rejecting the messages at the SMTP DATA stage is the way to go.

Which is what is accomplished with clamav-milter, at least with the
right combination of flags. 8-)

I'd still like some summary logging of the results; if a system has
sent a lot of viruses recently, it may be necessary to reject them
through access.db, or even at the firewall.

-Warren Block * Rapid City, South Dakota USA
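The summary logging Warren asks for, as an added example that is not part of the thread and not ClamAV's own tooling: a small Python script that tallies clamav-milter syslog detections per connecting host and emits candidate sendmail access-map entries for hosts over a threshold. The log line layout in SAMPLE_SYSLOG is a constructed assumption for this example, not the format of any particular clamav-milter version; the `Connect:` tag and `REJECT` action are standard sendmail access-map syntax.

```python
import re
from collections import Counter

# Constructed sample syslog lines. The message layout is an assumption made for
# this example; it is not copied from any clamav-milter release.
SAMPLE_SYSLOG = """\
Apr 18 07:58:12 mail clamav-milter[6201]: Message from <a@example.net> to <w@example.org> virus(Worm.Example.A) from [192.0.2.10]
Apr 18 07:59:30 mail clamav-milter[6201]: Message from <b@example.net> to <w@example.org> clean from [198.51.100.7]
Apr 18 08:01:44 mail clamav-milter[6203]: Message from <c@example.com> to <w@example.org> virus(Worm.Example.A) from [192.0.2.10]
Apr 18 08:03:09 mail clamav-milter[6204]: Message from <d@example.com> to <p@example.org> virus(Trojan.Example.B) from [192.0.2.10]
Apr 18 08:04:51 mail clamav-milter[6205]: Message from <e@example.net> to <w@example.org> virus(Worm.Example.A) from [198.51.100.7]
Apr 18 08:05:02 mail sendmail[6210]: i3IE553D006274: to=<w@example.org>, stat=Sent
"""

# Only lines written by clamav-milter that carry a virus(...) token count;
# clean mail and sendmail's own entries are ignored.
VIRUS_RE = re.compile(
    r"clamav-milter\[\d+\]: .*?virus\((?P<name>[^)]+)\).*?\[(?P<ip>\d+(?:\.\d+){3})\]"
)

def summarise(log_text):
    """Return (per_host, per_virus) Counters of detections."""
    per_host, per_virus = Counter(), Counter()
    for line in log_text.splitlines():
        m = VIRUS_RE.search(line)
        if m is None:
            continue
        per_host[m.group("ip")] += 1
        per_virus[m.group("name")] += 1
    return per_host, per_virus

def access_db_candidates(per_host, threshold):
    """Sendmail access-map lines (Connect: tag, REJECT) for hosts at/over threshold."""
    return [f"Connect:{ip}\tREJECT"
            for ip, n in sorted(per_host.items()) if n >= threshold]

if __name__ == "__main__":
    hosts, viruses = summarise(SAMPLE_SYSLOG)
    print("detections per host:")
    for ip, n in hosts.most_common():
        print(f"  {ip:15} {n}")
    print("detections per virus:")
    for name, n in viruses.most_common():
        print(f"  {name:20} {n}")
    print("access-map candidates (threshold 3):")
    for entry in access_db_candidates(hosts, 3):
        print("  " + entry)
```

The candidate lines are meant to be reviewed before being appended to /etc/mail/access and rebuilt with makemap, not applied automatically.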