Date:      Sun, 18 Apr 2004 08:05:05 -0600 (MDT)
From:      Warren Block <wblock@wonkity.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        questions@freebsd.org
Subject:   Re: Milter Logging
Message-ID:  <20040418074703.W6209@wonkity.com>
In-Reply-To: <20040417182956.GB90463@happy-idiot-talk.infracaninophile.co.uk>
References:  <20040416215610.Y1689@wonkity.com> <408170DB.3070201@mac.com> <20040417182956.GB90463@happy-idiot-talk.infracaninophile.co.uk>

On Sat, 17 Apr 2004, Matthew Seaman wrote:

> On Sat, Apr 17, 2004 at 02:00:59PM -0400, Chuck Swiger wrote:
> > Warren Block wrote:
> > >What do people do for milter logging?  A MAILER-DAEMON message for every
> > >virus caught by clamav-milter is a little annoying (both to the intended
> > >recipient and to postmaster), but I'm hesitant to just discard them.
>
> clamav-milter logs what it does to syslog very effectively.  The
> warning messages to postmaster aren't really necessary but for a low
> traffic site, they do give you some vicarious pleasure for a while.

My mistake was that in trying to make sure I didn't bounce virus mail to
forged From: addresses, I overrode the default clamav-milter flags with
just -N (--noreject).  This was not the correct option, and not the only
option needed.  "--quiet --local --outgoing --max-children=50" seems to
be more like what was needed.

> > Refusing to accept viral mail is the best option if you can; failing that,
> > I discard such messages.  Frankly, I gave up bouncing viral mail after I
> > got tired of answering complaints when someone got a bounce from a
> > forgery...

I've said elsewhere that it's silly for an antivirus program to trust
*any* information in a known virus-generated message.  That would
include bouncing to the From: address.

> Yes -- rejecting the messages at the SMTP DATA stage is the way to go.

Which is what is accomplished with clamav-milter, at least with the
right combination of flags.  8-)

I'd still like some summary logging of the results; if a system has sent
a lot of viruses recently, it may be necessary to reject them through
access.db, or even at the firewall.

-Warren Block * Rapid City, South Dakota USA
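As an added example (not code from the thread or from the ClamAV project), a small summariser for the per-host virus counts asked for above: it reads syslog lines, counts detections per connecting relay, and lists relays at or above a threshold as candidate `Connect:` entries for sendmail's access.db, for an admin to review. The log line shape and the sample lines are constructed assumptions; real clamav-milter output differs by version, so `LOG_RE` will need adjusting.

```python
import re
from collections import Counter

# Assumed line shape (constructed, not the real clamav-milter format, which
# varies by version): syslog prefix, then "<virus> found in message from
# <addr>, relay=<host>[ip]".  Adjust LOG_RE to what your milter actually logs.
LOG_RE = re.compile(
    r"clamav-milter\[\d+\]: (?P<virus>\S+) found .*?"
    r"relay=(?P<relay>\S+?)\[(?P<ip>[0-9.]+)\]"
)

# Constructed sample syslog lines for offline testing (RFC 5737 test addresses).
SAMPLE_LOG = """\
Apr 18 07:01:02 host clamav-milter[6209]: Worm.Example.A found in message from <a@example.com>, relay=mail.example.net[192.0.2.10]
Apr 18 07:03:15 host clamav-milter[6209]: Worm.Example.A found in message from <b@example.com>, relay=mail.example.net[192.0.2.10]
Apr 18 07:04:40 host sendmail[6300]: i3ID4eT006300: from=<c@example.org>, size=1234, nrcpts=1
Apr 18 07:05:01 host clamav-milter[6209]: Worm.Example.B found in message from <x@example.org>, relay=dsl-77.example.org[198.51.100.77]
Apr 18 07:09:33 host clamav-milter[6209]: Worm.Example.A found in message from <d@example.com>, relay=mail.example.net[192.0.2.10]
"""


def count_by_relay(lines):
    """Return a Counter of virus detections keyed by the relay's IP address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:  # non-milter lines (plain sendmail entries) are skipped
            hits[m.group("ip")] += 1
    return hits


def access_db_candidates(hits, threshold):
    """Relays with >= threshold detections, as access.db 'Connect:' lines.

    These are suggestions for the postmaster to review before adding to
    /etc/mail/access and rebuilding the map; nothing is applied automatically.
    """
    return [f"Connect:{ip}\tREJECT" for ip, n in hits.most_common() if n >= threshold]


def summarize(text, threshold=3):
    """Summarise a block of syslog text: (per-relay counts, candidate lines)."""
    hits = count_by_relay(text.splitlines())
    return hits, access_db_candidates(hits, threshold)


if __name__ == "__main__":
    hits, candidates = summarize(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{n:5d} {ip}")
    print("\n".join(candidates))
```

Pipe `/var/log/maillog` into it (or call `summarize` on a day's worth of lines from a cron job) to get the daily summary instead of one MAILER-DAEMON message per catch.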
