Don,

More than 99% of viruses forge the sender, so therefore there is no utility in notifying anyone since 99% of it would be misplaced. The only non-forging viruses that you are likely to see are macro viruses and they are quite rare these days.

The only notifications that I send out are from bannotify.eml which is for banned extensions. These will only be triggered when a banned extension is seen and a virus is not detected. I also skip sending these for encrypted archives using the following in my bannotify.eml file:

   SKIPIFEXT ZIP-EXE
   SKIPIFEXT ZIP-SCR
   SKIPIFEXT ZIP-PIF
   SKIPIFEXT ZIP-COM
   SKIPIFEXT RAR-EXE
   SKIPIFEXT RAR-SCR
   SKIPIFEXT RAR-PIF
   SKIPIFEXT RAR-COM

You should also add a SKIPIFEXT line for every BANNAME entry in your virus.cfg file.

Still with this config, during an outbreak like the one last week where my scanners lagged detection by one to two days, I was creating a ton of backscatter. This can be improved by running JunkMail before Virus and applying an action of either HOLD or DELETE on certain weights so that such messages, if scored high enough, will not need to be bounced. If you use ROUTETO and have only one domain that you capture spam in, then you should also add to your bannotify.eml file a line that has "SKIPIFRECIP @your-capture-domain.com" so that things that are captured as spam, but not deleted, will not generate bannotify.eml bounces.

During any given time my system receives between 5% and 10% of all connection traffic from backscatter, virtually all of it to invalid addresses on the domains that I protect. This volume is so tremendous that it outpaces legitimate E-mail by as much as three times. I would implore everyone here to stop using postmaster.eml, sender.eml and recipient.eml bounces entirely even if they take care to try to keep up with forging virus names. When over 99% of it is forging, it makes no sense to be bouncing any of it when it is detected as a virus.

Matt
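An added example (not Declude's code and not from the list post) that audits a bannotify.eml for the SKIPIFEXT and SKIPIFRECIP lines described above, so a missing archive/extension pair or capture-domain skip does not quietly turn into backscatter. It assumes only the directive syntax shown in the post; the sample file contents are constructed.

```python
import re

# Constructed sample bannotify.eml fragment (assumption: one directive per line,
# as in the post); it deliberately omits several of the recommended pairs.
SAMPLE_BANNOTIFY = """\
SKIPIFEXT ZIP-EXE
SKIPIFEXT ZIP-SCR
SKIPIFEXT RAR-EXE
SKIPIFRECIP @spam-capture.example
"""

ARCHIVES = ("ZIP", "RAR")           # archive types from the post
BANNED = ("EXE", "SCR", "PIF", "COM")  # banned inner extensions from the post


def parse_directives(text):
    """Return {directive: {values}} for every SKIPIF* line; other lines are ignored."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(SKIPIF[A-Z]+)\s+(\S+)", line)
        if m:
            found.setdefault(m.group(1), set()).add(m.group(2).upper())
    return found


def missing_skipifext(text, archives=ARCHIVES, banned=BANNED):
    """Archive-extension pairs that should have a SKIPIFEXT line but do not."""
    required = {f"{a}-{e}" for a in archives for e in banned}
    present = parse_directives(text).get("SKIPIFEXT", set())
    return sorted(required - present)


def has_capture_skip(text, capture_domain):
    """True if the spam capture domain is excluded via SKIPIFRECIP."""
    present = parse_directives(text).get("SKIPIFRECIP", set())
    return f"@{capture_domain}".upper() in present


def lines_to_add(text, capture_domain):
    """Directive lines to append so the file matches the recommended setup."""
    out = [f"SKIPIFEXT {pair}" for pair in missing_skipifext(text)]
    if not has_capture_skip(text, capture_domain):
        out.append(f"SKIPIFRECIP @{capture_domain}")
    return out


if __name__ == "__main__":
    for line in lines_to_add(SAMPLE_BANNOTIFY, "spam-capture.example"):
        print(line)
```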



Don Schreiner wrote:

I am looking for the best approach to stop notifications to both sender and recipients of virus detection (to reduce what I call back scatter). However, if one of our own customers sends an e-mail and whereas a virus is detected, I certainly want them to receive a notification about same so they can check their computer. What is the best way to set this up in Declude 4.0+?

Reviewing the Declude Manual for 4.08 (while it does not specifically state this), if you remove the Recipient.eml and the Postmaster.eml, this would be one method to stop the notifications, but I am unsure what other wanted notification functions this would break?

Another approach I used prior to upgrade was to modify the EML files with the following. I am not sure this is still the best approach? Is there a more up-to-date list of viruses that forge the sender address?

SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS W32/[EMAIL PROTECTED]
SKIPIFVIRUSNAMEHAS W32/[EMAIL PROTECTED]

Thanks.

-Don


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.

