From: Warren Block
To: Tim Schutt
Cc: freebsd-questions@freebsd.org
Date: Fri, 30 Jul 2004 18:22:00 -0600 (MDT)
Subject: Re: amavisd/clamav Virus Recipient email notification template woes
Message-ID: <20040730175822.W77732@wonkity.com>
In-Reply-To: <1F94DE30-E269-11D8-8A9E-000A27B47720@square1consulting.com>
References: <12abd8c2040730104259ea346e@mail.gmail.com> <20040730160947.4fdbe0dd.wmoran@potentialtech.com> <1F94DE30-E269-11D8-8A9E-000A27B47720@square1consulting.com>

On Fri, 30 Jul 2004, Tim Schutt wrote:

> On Jul 30, 2004, at 4:09 PM, Bill Moran wrote:
>
>> If you're going to send notification, there is only one _proper_ way
>> to do it: analyze the Received: headers and find out where the virus
>> _really_ originated, then contact the abuse@ address for that domain
>> with the message.
>
> I completely understand where you are coming from, and I am only intending on
> notifying the intended recipient of the email, not the "sender" for the very
> reason that you note. If it was just me, I would can the message and be done
> with it. However, I am in the midst of marketing this service to some highly
> security conscious people so I would like the reinforcement of the
> notifications for their peace of mind and a little customer-stroking
> reminding them how great the service is. :-)

[Format recovered--please don't top-post. It makes responding to your
messages difficult and time-consuming, to the point that many people
won't bother.]

"Virus detected" messages are generally abusive. Here are some problems
I've experienced on the receiving end of antivirus notification messages:

* Sent to the forged From address. We'll skip the issue of a virus
  checker that trusts any content in a virus-generated message; what
  about long CC: and BCC: lists?

* Sent to the intended victim--"Hey, you almost got away without being
  harassed, but we wanted to brag about our antivirus system."

* Some include "this message guaranteed virus-free" text. It's like the
  sender is saying "please sue me".

* Sent outside the detecting system's domains, spreading the damage. If
  you must send notifications, send them only to those systems you
  control, and where you are responsible to your users.

* Antivirus software forges "postmaster@victim'sdomain" into the From:
  line. Senders of these messages get a 550 reject for all further mail.

* Some notifications include the virus. Yes, there are actual
  "antivirus" programs out there that are dumb enough to do this.

Bearing that in mind, here's a suggestion for clamav flags:

clamav_milter_flags="--quiet --local --outgoing --max-children=50 --dont-log-clean --noxheader"

-Warren Block * Rapid City, South Dakota USA
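The two rules argued in this thread (find the origin by walking the Received: chain rather than trusting From:, and notify only recipients in domains you are responsible for) as an added example in Python; this is not code from the thread or from amavisd/clamav, and the sample message, relay list and domain list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message as seen at the final recipient's MX; all hosts,
# addresses and IPs are made up (RFC 5737 documentation ranges).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by mail.example.net (Postfix) with ESMTP id 001; Fri, 30 Jul 2004 18:00:00 -0600
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx.example.net (Postfix) with ESMTP id 002; Fri, 30 Jul 2004 17:59:00 -0600
Received: from DESKTOP (dsl-pool.isp.example [192.0.2.44])
    by relay.isp.example (Postfix) with SMTP id 003; Fri, 30 Jul 2004 17:58:00 -0600
From: forged.sender@victim-of-forgery.example
To: victim@example.net
Cc: colleague@example.net, friend@elsewhere.example
Subject: constructed test message

(body)
"""

# Assumed site data: the relays we operate and the domains we are responsible for.
OUR_RELAYS = {"203.0.113.10"}
LOCAL_DOMAINS = {"example.net"}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(raw, our_relays=OUR_RELAYS):
    """Walk Received: headers newest-first (the order they appear in the message)
    and return the IP of the first hop that is not one of our own relays.
    Every Received: line below that one was written by someone else and may be
    forged, so that hop's operator is the farthest abuse@ contact we can vouch for."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = BRACKETED_IP.search(hdr)
        if m and m.group(1) not in our_relays:
            return m.group(1)
    return None


def notification_targets(raw, local_domains=LOCAL_DOMAINS):
    """Addresses a 'virus detected' notice may go to: only recipients in domains
    we are responsible for. From: is never used (it is routinely forged) and
    off-domain Cc: recipients are dropped so the noise stays inside our systems."""
    msg = message_from_string(raw)
    targets = set()
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        if addr.rpartition("@")[2].lower() in local_domains:
            targets.add(addr.lower())
    return targets
```

Passing a larger `our_relays` set (for example, adding an upstream ISP relay you trust) moves the reported origin one hop further down the chain.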