Thanks for the reply and for helping me decide that it's best to remove these
notifications altogether. It seems the Declude manual would warn against the
same.

-Don

  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, January 03, 2007 8:03 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Stopping Unwanted Virus Notifications
Don,

More than 99% of viruses forge the sender, so there is no utility in
notifying anyone since 99% of it would be misplaced.  The only non-forging
viruses that you are likely to see are macro viruses, and they are quite rare
these days.

The only notifications that I send out are from bannotify.eml which is for
banned extensions.  These will only be triggered when a banned extension is
seen and a virus is not detected.  I also skip sending these for encrypted
archives using the following in my bannotify.eml file:

SKIPIFEXT ZIP-EXE
SKIPIFEXT ZIP-SCR
SKIPIFEXT ZIP-PIF
SKIPIFEXT ZIP-COM
SKIPIFEXT RAR-EXE
SKIPIFEXT RAR-SCR
SKIPIFEXT RAR-PIF
SKIPIFEXT RAR-COM

You should also add a SKIPIFEXT line for every BANNAME entry in your
virus.cfg file.

Still, with this config, during an outbreak like the one last week, where my
scanners lagged detection by one to two days, I was creating a ton of
backscatter.  This can be improved by running JunkMail before Virus and
applying an action of either HOLD or DELETE on certain weights, so that such
messages, if scored high enough, will not need to be bounced.  If you use
ROUTETO and have only one domain that you capture spam in, then you should
also add to your bannotify.eml file a line that has "SKIPIFRECIP
@your-capture-domain.com" so that things that are captured as spam, but not
deleted, will not generate bannotify.eml bounces.

During any given time my system receives between 5% and 10% of all connection
traffic from backscatter, virtually all of it to invalid addresses on the
domains that I protect.  This volume is so tremendous that it outpaces
legitimate E-mail by as much as three times.  I would implore everyone here
to stop using postmaster.eml, sender.eml and recipient.eml bounces entirely,
even if they take care to try to keep up with forging virus names.  When
over 99% of it is forging, it makes no sense to be bouncing any of it when
it is detected as a virus.

Matt



Don Schreiner wrote: 

I am looking for the best approach to stop notifications to both sender and
recipients of virus detection (to reduce what I call backscatter). However,
if one of our own customers sends an e-mail and a virus is detected,
I certainly want them to receive a notification about it so they can check
their computer. What is the best way to set this up in Declude 4.0+?

Reviewing the Declude Manual for 4.08 (while it does not specifically state
this), if you remove the Recipient.eml and the Postmaster.eml, this would be
one method to stop the notifications, but I am unsure what other wanted
notification functions this would break.

Another approach I used prior to the upgrade was to modify the EML files with
the following. I am not sure this is still the best approach? Is there a
more up-to-date list of viruses that forge the sender address?

SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS W32/[EMAIL PROTECTED]
SKIPIFVIRUSNAMEHAS W32/[EMAIL PROTECTED]

Thanks.

-Don


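As an added example (not from the thread and not Declude's own tooling): a small Python audit that follows Matt's advice above by comparing the BANEXT/BANNAME entries in virus.cfg against the SKIPIFEXT lines in bannotify.eml, listing the lines still to add, and checking that a SKIPIFRECIP line covers the ROUTETO capture domain. The "KEYWORD value" line layout assumed for virus.cfg, the rule that each banned type needs its bare token plus ZIP-/RAR-nested forms, and the sample file contents are all assumptions of this example, not taken from the Declude manual.

```python
"""Audit a Declude bannotify.eml against virus.cfg (added example, not Declude code)."""
from typing import Dict, Iterable, List, Set

# Constructed sample virus.cfg. The "KEYWORD value" layout for BANEXT/BANNAME
# lines is an assumption of this example, not copied from Declude documentation.
SAMPLE_VIRUS_CFG = """\
# banned attachment types (constructed sample)
BANEXT   .EXE
BANEXT   .SCR
BANEXT   .PIF
BANEXT   .COM
BANNAME  readme.vbs
"""

# Constructed bannotify.eml directives, using the ones quoted in the thread
# plus a SKIPIFRECIP line for a hypothetical ROUTETO capture domain.
SAMPLE_BANNOTIFY = """\
SKIPIFEXT ZIP-EXE
SKIPIFEXT ZIP-SCR
SKIPIFEXT ZIP-PIF
SKIPIFEXT ZIP-COM
SKIPIFEXT RAR-EXE
SKIPIFEXT RAR-SCR
SKIPIFEXT RAR-PIF
SKIPIFEXT RAR-COM
SKIPIFRECIP @spam-capture.example
"""

# Nested-archive forms seen in the thread (assumption: these are the only two).
ARCHIVE_PREFIXES = ("ZIP", "RAR")


def banned_extensions(cfg_text: str) -> List[str]:
    """Extensions from BANEXT/BANNAME lines: upper-cased, no dot, first-seen order."""
    seen: List[str] = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].upper() not in ("BANEXT", "BANNAME"):
            continue
        # "readme.vbs" -> "VBS", ".EXE" -> "EXE", "EXE" -> "EXE"
        ext = parts[1].strip().rsplit(".", 1)[-1].upper()
        if ext and ext not in seen:
            seen.append(ext)
    return seen


def skip_directives(eml_text: str) -> Dict[str, Set[str]]:
    """Collect SKIPIFEXT and SKIPIFRECIP values from a bannotify.eml."""
    found: Dict[str, Set[str]] = {"ext": set(), "recip": set()}
    for raw in eml_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1].strip()
        if key == "SKIPIFEXT":
            found["ext"].add(value.upper())
        elif key == "SKIPIFRECIP":
            found["recip"].add(value.lower())
    return found


def required_tokens(ext: str) -> List[str]:
    """Assumption: a banned type needs its bare token and each archive-nested form."""
    return [ext] + [f"{prefix}-{ext}" for prefix in ARCHIVE_PREFIXES]


def missing_skipifext(cfg_text: str, eml_text: str) -> List[str]:
    """SKIPIFEXT tokens required by virus.cfg but absent from bannotify.eml."""
    present = skip_directives(eml_text)["ext"]
    missing: List[str] = []
    for ext in banned_extensions(cfg_text):
        for token in required_tokens(ext):
            if token not in present and token not in missing:
                missing.append(token)
    return missing


def render_skipifext(tokens: Iterable[str]) -> str:
    """Render tokens as SKIPIFEXT lines ready to paste into bannotify.eml."""
    return "".join(f"SKIPIFEXT {token}\n" for token in tokens)


def covers_capture_domain(eml_text: str, capture_domain: str) -> bool:
    """True if a SKIPIFRECIP line matches the ROUTETO spam-capture domain."""
    wanted = "@" + capture_domain.lower().lstrip("@")
    return wanted in skip_directives(eml_text)["recip"]


if __name__ == "__main__":
    gaps = missing_skipifext(SAMPLE_VIRUS_CFG, SAMPLE_BANNOTIFY)
    print("Lines still missing from bannotify.eml:")
    print(render_skipifext(gaps), end="")
    print("capture domain covered:",
          covers_capture_domain(SAMPLE_BANNOTIFY, "spam-capture.example"))
```

Run against real files by replacing the two sample strings with the contents of virus.cfg and bannotify.eml; anything the script prints is a candidate notification gap to review, not a line to add blindly, since the exact Declude directive forms are assumed here.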

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

