Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Damian Menscher
On Wed, 22 Sep 2004, Matt wrote:
The easiest way to distinguish this is if you are scanning the mail AFTER
you have accepted delivery of the email, then discard, do not bounce.
However, if you are filtering before accepting the email, then reject.
Agreed.  If you're filtering your mail after it was accepted, then 
you're a user, and you have the right to discard your own email.  I only 
object to the server doing this.

As always, it is down to personal preference. I will admit that I
would prefer to discard, as an email being returned to someone who is not
the original sender with a virus appended can be another avenue of
propagation if their virus scanning software is not up to date, or if they
have no software installed.
If you're using sendmail, use the "nobodyreturn" privacy option.  Bounce 
messages won't include the message body (only the header/subject). 
Presumably other MTAs have similar options.

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Damian Menscher
On Wed, 22 Sep 2004, Kelson wrote:
Simple solution to the question of whether to send a notice:
You know what virus was detected.  You know whether it's a mass-mailer or 
something else. (starts with Worm., ends with @mm, a few specific others)

Based on that, you can decide whether to reject it or discard it.
One [not so] minor nit:
s/You know/You *think* you know/
And that makes all the difference.  (We want to guard against false 
positives, remember?)

Damian Menscher


Re: [Clamav-users] Notification E-mail

2004-09-22 Thread B. van Ouwerkerk

As a riposte: I'm not alone in this, far from it, actually. A similar
request was recently issued by virusalert.nl, a dutch organisation
on virus prevention.
See http://www.virusalert.nl/?show=nieuws&id=559
I attempted to use the Fish to translate, and looked at their little 
picture of the situation.  Maybe I'm missing something, but they're not 
talking about not rejecting.  They're talking about not bouncing (sending 
out non-delivery notifications in response to EVERY virus). There's a huge 
difference.  I think you'd be hard-pressed to find a legitimate company 
suggesting making email unreliable.
The Fish got it right.

B. 




Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Matt
Damian Menscher wrote:

> Maybe I'm missing something, but they're not talking about not
> rejecting.  They're talking about not bouncing (sending out non-delivery
> notifications in response to EVERY virus). There's a huge difference.  I
> think you'd be hard-pressed to find a legitimate company suggesting
> making email unreliable.


 The easiest way to distinguish this is if you are scanning the mail AFTER
you have accepted delivery of the email, then discard, do not bounce. 
 
 However, if you are filtering before accepting the email, then reject.

 As always, it is down to personal preference. I will admit that I
would prefer to discard, as an email being returned to someone who is not
the original sender with a virus appended can be another avenue of
propagation if their virus scanning software is not up to date, or if they
have no software installed.

 Needs must, and while the RFCs are an oft-quoted standard in these
discussions, they themselves can be extremely contradictory of each other.
 To be RFC compliant is preferable, but in honesty, most mailserver
admins are fighting a non-compliant threat.
 It is of no use preaching etiquette to someone (or something in this
regard) which is already breaking the rules. If the virus creators are
going to break every rule they can, why should one fight them fairly?

Tha dunt ger'owt fo nowt.

Matt





Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Kelson
Simple solution to the question of whether to send a notice:
You know what virus was detected.  You know whether it's a mass-mailer 
or something else. (starts with Worm., ends with @mm, a few specific others)

Based on that, you can decide whether to reject it or discard it.
--
Kelson Vibber
SpeedGate Communications 


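Added example (not code from the thread, from ClamAV, or from any MTA) that puts the rules argued over above into one decision function: Matt's rule (reject before acceptance, discard after, never bounce), Kelson's mass-mailer name heuristic ("Worm." prefix or "@mm" suffix), and Damian's caveat that the name is only a guess. The Stage/Action/Policy names and every signature string are constructed for the example; the scanner itself is not modelled, only its verdict.

```python
"""Reject, discard or deliver: policy for a scanning MTA (added example)."""
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    PRE_ACCEPT = "pre-accept"    # still inside the SMTP transaction (milter/ACL)
    POST_ACCEPT = "post-accept"  # we already answered 250 to the end of DATA


class Action(Enum):
    DELIVER = "deliver"
    REJECT = "reject"    # 5xx reply; the sending MTA keeps responsibility
    DISCARD = "discard"  # drop quietly; this server never generates a DSN


class Policy(Enum):
    ALWAYS_REJECT = "always-reject"                # Matt's rule
    DISCARD_MASS_MAILERS = "discard-mass-mailers"  # Kelson's refinement


@dataclass(frozen=True)
class ScanResult:
    infected: bool
    signature: str = ""  # detection name as the scanner reports it (constructed here)


def looks_like_mass_mailer(signature: str) -> bool:
    """Kelson's name heuristic: a 'Worm.' prefix or an '@mm' suffix."""
    return signature.startswith("Worm.") or signature.endswith("@mm")


def decide(stage: Stage, scan: ScanResult,
           policy: Policy = Policy.ALWAYS_REJECT) -> Action:
    """Map a scan verdict to the one action that never produces a bounce."""
    if not scan.infected:
        return Action.DELIVER
    if stage is Stage.POST_ACCEPT:
        # The mail is ours now. Discarding is allowed; bouncing is not,
        # because the envelope sender of a virus is almost always forged.
        return Action.DISCARD
    if policy is Policy.DISCARD_MASS_MAILERS and looks_like_mass_mailer(scan.signature):
        # Kelson: a mass-mailer's sender is forged, so a 5xx only makes an
        # upstream relay bounce to a bystander. Damian's caveat: the name is
        # a guess, and a false positive here is lost without anyone knowing.
        return Action.DISCARD
    return Action.REJECT


def notification_targets(action: Action) -> frozenset:
    """Who is told about a detection. Never the envelope sender: a
    'you sent a virus' mail is a bounce by another name."""
    if action is Action.DELIVER:
        return frozenset()
    return frozenset({"admin-log"})


def walk_through() -> dict:
    """Constructed cases; the signature names are made up for the example."""
    worm = ScanResult(True, "Worm.Example@mm")
    macro = ScanResult(True, "Example.Macro.Test")
    return {
        "clean": decide(Stage.PRE_ACCEPT, ScanResult(False)),
        "worm-pre-reject": decide(Stage.PRE_ACCEPT, worm),
        "worm-pre-kelson": decide(Stage.PRE_ACCEPT, worm, Policy.DISCARD_MASS_MAILERS),
        "macro-pre-kelson": decide(Stage.PRE_ACCEPT, macro, Policy.DISCARD_MASS_MAILERS),
        "worm-post": decide(Stage.POST_ACCEPT, worm),
    }
```

The default policy is ALWAYS_REJECT on purpose: under DISCARD_MASS_MAILERS a false positive whose name happens to start with "Worm." vanishes silently, which is exactly the failure Damian is warning about, while a reject at least leaves the sending MTA with the evidence.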

Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Damian Menscher
On Wed, 22 Sep 2004, Jan Pieter Cornet wrote:
On Tue, Sep 21, 2004 at 06:39:25PM -0500, Damian Menscher wrote:
As a riposte: I'm not alone in this, far from it, actually. A similar
request was recently issued by virusalert.nl, a dutch organisation
on virus prevention.
See http://www.virusalert.nl/?show=nieuws&id=559
I attempted to use the Fish to translate, and looked at their little 
picture of the situation.  Maybe I'm missing something, but they're not 
talking about not rejecting.  They're talking about not bouncing 
(sending out non-delivery notifications in response to EVERY virus). 
There's a huge difference.  I think you'd be hard-pressed to find a 
legitimate company suggesting making email unreliable.

However, if the remote end is a real mailserver, either because the
[...]
That is not your fault.  It is the fault of the remote mailserver.
Educate them.
Seriously, you cannot possibly expect all mail servers out there to
suddenly install decent virus filters. Some mail servers will probably
never install virus filters, instead using other lines of defense
against viruses. You cannot dictate how someone else runs their server.
Of course not.  But then they get to handle all the complaints from 
users getting bounces from them.  That's their choice.

Also, I think people tend to over-state the scale of the problem here. 
You don't need to worry about *all* mail relays on the planet.  Only 
those that have legitimate mail to relay to your users.  In my 
experience, that number is rather small, and typically the relays are 
hosted by the same organization.

So, the effect of the 5xx reject is, in the worst case, resulting in
the virus being sent elsewhere (in the form of a bounce). So while
you're protecting your own users, you are directing the virus "attack"
to some unsuspecting bystander.
My users take priority over protecting some idiot admin from having to 
install a virus scanner on their mail relay.

True. However, sit at an ISP helpdesk for a day and you'll learn how
email does get lost. People are simply clumsy with it. That's reality :(
We're not living in the friendly academic internet of 1993 anymore.
*shrug*  My servers don't lose email.
And, the people complaining about bogus virus notifications is far
greater than the number of people complaining about not receiving
a warning after sending a virus.
THAT IS BECAUSE THEY DON'T KNOW!  THIS IS THE ENTIRE POINT OF THE 
DISCUSSION.

It probably comes down to the number of false positives that can be
expected. I've found a bit of ranting on the net, about virus scanners
seeing each other as false positives, and McAfee having lots of false
positives, but I haven't found any hard statistics, unfortunately.
Is anyone aware of something tangible?
I've seen something like 3 messages to me get blocked, and have had one 
outgoing message get blocked.  That's the ones I know about.  Also 
there's the frequent posts on this list about where to submit false 
positives.  I think it's a bigger problem than most people realize, 
specifically because they never find out when it happens.

Damian Menscher


Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Jan Pieter Cornet
On Tue, Sep 21, 2004 at 06:39:25PM -0500, Damian Menscher wrote:
> On Wed, 22 Sep 2004, Jan Pieter Cornet wrote:
> >On Mon, Sep 20, 2004 at 04:26:40PM -0700, [EMAIL PROTECTED] 
> >wrote:
> >>It is perfectly acceptable to place an explanatory message in an SMTP
> >>REJECT message.
> >
> >Acceptable, maybe, but I believe it's better to simply discard all
> >viruses.
> 
> And most sane people believe you are wrong.

I don't think the derogatory comment is necessary.

As a riposte: I'm not alone in this, far from it, actually. A similar
request was recently issued by virusalert.nl, a dutch organisation
on virus prevention.
See http://www.virusalert.nl/?show=nieuws&id=559

> No, you also guard against false positives.

True. However, I've never seen any in email. I might be persuaded to
only discard when two independent virus scanners detect the malware.

> >However, if the remote end is a real mailserver, either because the
[...]
> That is not your fault.  It is the fault of the remote mailserver. 
> Educate them.

"It's the fault of the remote server". Well, maybe. But I'm still
looking through RFCs that say that you SHOULD not send nasty windows
executables with the SMTP protocol. Hopefully an RFC that says something
similar is in the works?

Seriously, you cannot possibly expect all mail servers out there to
suddenly install decent virus filters. Some mail servers will probably
never install virus filters, instead using other lines of defense
against viruses. You cannot dictate how someone else runs their server.

So, the effect of the 5xx reject is, in the worst case, resulting in
the virus being sent elsewhere (in the form of a bounce). So while
you're protecting your own users, you are directing the virus "attack"
to some unsuspecting bystander.

At least, if you look at the big numbers. Most emails containing
viruses are forging the From address, these days. (If I look at our
own stats, out of 140K viruses blocked yesterday, 2 are EICAR,
3 "Joke" type viruses and one word 97 macro virus. That's less than
0.004% of the viruses. I could be missing one or two other non-faking
viruses though, I don't know every virus brand).

If the entire world adopted proper virus filters, then, yes, it
would be wise to respond with a 5xx reject to a virus (also, it
would change practically nothing, except for the case of false
positives).

> A common problem I see in the AV community is that they forget that 
> *email* is a service.  It must work.  Antivirus is a cute little feature 
> we tack on top to make life more convenient, much like anti-spam tools 
> are added.  But virus/spam blocking is a feature -- not part of the 
> basic service.  Please do NOT break the service.  Reliable email 
> delivery depends on not having messages get lost.

True. However, sit at an ISP helpdesk for a day and you'll learn how
email does get lost. People are simply clumsy with it. That's reality :(
We're not living in the friendly academic internet of 1993 anymore.

And, the people complaining about bogus virus notifications is far
greater than the number of people complaining about not receiving
a warning after sending a virus. In fact, I believe that last number
is close to zero.

It probably comes down to the number of false positives that can be
expected. I've found a bit of ranting on the net, about virus scanners
seeing each other as false positives, and McAfee having lots of false
positives, but I haven't found any hard statistics, unfortunately.
Is anyone aware of something tangible?


-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet




Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Jeremy Kitchen
On Wednesday 22 September 2004 04:10 am, Randal, Phil wrote:
> > > Why? Since all you achieve with rejects is indirectly
> > > causing a lot of
> > > "virus bounces" to appear at innocent bystanders.
> >
> > NO.
> > Virii are usually sent directly from the virus and the virus
> > will not send bounces... :D However, if a virus can send
> > through an SMTP server, that server needs to be blamed for forwarding
> > virii.

> BUT...  The bounce goes back to the spoofed sender, not the actual
> sender.

right, which, in my opinion, is the problem of the MTA who relayed the virus 
in the first place.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
   GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc




Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Brian Morrison
On Tue, 21 Sep 2004 15:21:22 -0400 in [EMAIL PROTECTED] Ryan
Moore <[EMAIL PROTECTED]> wrote:

> Brian Morrison wrote:
> > You need to do something appropriate to sendmail.cf or the milter
> > configuration (which I know nothing about I'm afraid) to do this.
> > 
> > This is not something that can be configured in clamav AFAICS.
> > 
> 
> He was referring to the clamav-milter, which *does* hook clamav into 
> sendmail, and is included as part of the clamav package.

Yes, I know, but the point is that I think that like with Exim, the
milter configuration for clamav simply tells sendmail that there is a
virus/exploit; it is up to sendmail itself to generate the 5xx SMTP
protocol message.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html




RE: [Clamav-users] Notification E-mail

2004-09-22 Thread Randal, Phil
Steffen wrote:
> Hi
> 
>> Why? Since all you achieve with rejects is indirectly
> causing a lot of
> "virus bounces" to appear at innocent bystanders.
> 
> NO.
> Virii are usually sent directly from the virus and the virus
> will not send bounces... :D However, if a virus can send
> through an SMTP server, that server needs to be blamed for forwarding
> virii. 
> 
> Regards,
>   Steffen

BUT...  The bounce goes back to the spoofed sender, not the actual
sender.

Read the SMTP RFCs sometime.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK




Re: [Clamav-users] Notification E-mail

2004-09-22 Thread Jeremy Kitchen
On Tuesday 21 September 2004 06:39 pm, Damian Menscher wrote:
> > Why? Since all you achieve with rejects is indirectly causing a lot of
> > "virus bounces" to appear at innocent bystanders.
>
> No, you also guard against false positives.

exactly.  If the remote sender is sending a legitimate file that just happens 
to be infected with a virus, they'll get the bounce back and hopefully, 
notice that they are infected with something.  This, in my experience, is 
EXTREMELY rare (in fact, I've never seen it with my own eyes, but that's not 
to say it doesn't happen), but it's worthwhile in my opinion.

> > However, if the remote end is a real mailserver, either because the
> > virus is programmed to send via the default outgoing smtp server, or
> > because someone .forwards all mail to you, or maybe because there's
> > a lower preference MX for some domain, or maybe even because some
> > viruses abuse any listening port 25 that's willing, and one of those
> > smarthosts to your server, then you will cause that other mail server to
> > send a bounce to the wrong person.
>
> That is not your fault.  It is the fault of the remote mailserver.
> Educate them.

I totally agree.  If another server is relaying viruses, then they deserve to 
have to handle the bounces in my opinion.  I don't currently reject viruses, 
however, I do monitor all virus reports that come into my mailbox (which, 
since I'm not a huge provider, isn't much, but I do take the time to review 
each one)

-Jeremy





Re: [Clamav-users] Notification E-mail

2004-09-21 Thread Ryan Moore
Brian Morrison wrote:
You need to do something appropriate to sendmail.cf or the milter
configuration (which I know nothing about I'm afraid) to do this.
This is not something that can be configured in clamav AFAICS.
He was referring to the clamav-milter, which *does* hook clamav into 
sendmail, and is included as part of the clamav package.

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net




Re: [Clamav-users] Notification E-mail

2004-09-21 Thread Damian Menscher
On Wed, 22 Sep 2004, Jan Pieter Cornet wrote:
On Mon, Sep 20, 2004 at 04:26:40PM -0700, [EMAIL PROTECTED] wrote:
It is perfectly acceptable to place an explanatory message in an SMTP
REJECT message.
Acceptable, maybe, but I believe it's better to simply discard all
viruses.
And most sane people believe you are wrong.
Why? Since all you achieve with rejects is indirectly causing a lot of
"virus bounces" to appear at innocent bystanders.
No, you also guard against false positives.
If the virus delivers the email directly to your scanner - it doesn't
matter what return code you give.
Agreed.
However, if the remote end is a real mailserver, either because the
virus is programmed to send via the default outgoing smtp server, or
because someone .forwards all mail to you, or maybe because there's
a lower preference MX for some domain, or maybe even because some
viruses abuse any listening port 25 that's willing, and one of those
smarthosts to your server, then you will cause that other mail server to
send a bounce to the wrong person.
That is not your fault.  It is the fault of the remote mailserver. 
Educate them.

A common problem I see in the AV community is that they forget that 
*email* is a service.  It must work.  Antivirus is a cute little feature 
we tack on top to make life more convenient, much like anti-spam tools 
are added.  But virus/spam blocking is a feature -- not part of the 
basic service.  Please do NOT break the service.  Reliable email 
delivery depends on not having messages get lost.

Damian Menscher


Re: [Clamav-users] Notification E-mail

2004-09-21 Thread Jan Pieter Cornet
On Mon, Sep 20, 2004 at 04:26:40PM -0700, [EMAIL PROTECTED] wrote:
> It is perfectly acceptable to place an explanatory message in an SMTP
> REJECT message.

Acceptable, maybe, but I believe it's better to simply discard all
viruses.

Why? Since all you achieve with rejects is indirectly causing a lot of
"virus bounces" to appear at innocent bystanders.

If the virus delivers the email directly to your scanner - it doesn't
matter what return code you give.

However, if the remote end is a real mailserver, either because the
virus is programmed to send via the default outgoing smtp server, or
because someone .forwards all mail to you, or maybe because there's
a lower preference MX for some domain, or maybe even because some
viruses abuse any listening port 25 that's willing, and one of those
smarthosts to your server, then you will cause that other mail server to
send a bounce to the wrong person.

And even in case the virus does _not_ fake the sender address, then
a 5xx return code will land a bounce in the mailbox of someone who
is ignorant enough to get infected by a virus. Probably someone who
deleted JDBGMGR.EXE a few months ago, and was then told by the sysadmin
to NEVER trust any email again saying "you have a virus". Or in other
words, a person who is guaranteed to not understand any message a
MAILER-DAEMON sends them.

In short, I do not see any merit in letting the sender of a virus
know that they sent a virus. If you really want to do something,
contact the abuse contact/postmaster of the site sending the viruses,
in a nice daily or weekly summary. But there's no automated software
for doing that, and doing it by hand is really difficult and a lot
of work.

However, there's also the issue of false positives, but I've always
assumed they are practically negligible. What I'd really like is
to report viruses at SMTP level like this:

>>> DATA
<<< 354 continue
>>> [virus laden email]
>>> .
<<< 250 OK, your $virus infected email was DISCARDED.

But unfortunately, you cannot change the "success" reply with milter :(




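Added example, not code from the thread, from ClamAV or from any MTA, of the exchange Jan Pieter sketches above: both sides of the SMTP transaction, the 5xx at end-of-DATA (carrying the out-of-band phone number others in the thread asked for), and what a legitimate upstream relay then does with that 5xx, which is the bystander bounce he describes. The scanner is a stand-in that matches a constructed marker string, the hostnames, reply text and phone number are assumed, and the bounce builder is a minimal model whose include_body=False switch stands for the sendmail "nobodyreturn" privacy option mentioned earlier in the thread.

```python
"""End-of-DATA scanning and the bounce an upstream relay makes of a 5xx (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MARKER = "CONSTRUCTED-MALWARE-MARKER"  # constructed stand-in; not a real sample
CONTACT = "+1 555 0100"                # hypothetical out-of-band number


def stub_scan(body: str) -> str:
    """Stand-in for clamd: return a detection name, or '' when clean."""
    return "Constructed.Marker" if MARKER in body else ""


def end_of_data_reply(body: str, scan: Callable[[str], str] = stub_scan) -> str:
    """The reply the scanning server gives after the terminating '.' of DATA."""
    name = scan(body)
    if name:
        # 554 is permanent: the client must not retry. The text only reaches a
        # human when a legitimate sending MTA copies it into its own bounce.
        return (f"554 5.7.1 Message refused: {name} detected; "
                f"false positive? call {CONTACT}")
    return "250 2.0.0 OK: queued"


@dataclass
class Session:
    mail_from: str   # envelope sender as claimed by the client (may be forged)
    rcpt_to: str
    body: str        # headers and body as the client transmits them
    transcript: List[str] = field(default_factory=list)


def smtp_session(s: Session) -> str:
    """Drive one transaction, record both sides, return the end-of-DATA reply."""
    say = s.transcript.append
    say("S: 220 mx.example.test ESMTP")
    say("C: EHLO relay.example.test")
    say("S: 250 mx.example.test")
    say(f"C: MAIL FROM:<{s.mail_from}>")
    say("S: 250 2.1.0 OK")
    say(f"C: RCPT TO:<{s.rcpt_to}>")
    say("S: 250 2.1.5 OK")
    say("C: DATA")
    say("S: 354 End data with <CR><LF>.<CR><LF>")
    for line in s.body.splitlines():
        say("C: " + line)
    say("C: .")
    reply = end_of_data_reply(s.body)   # the only point where scanning happens
    say("S: " + reply)
    say("C: QUIT")
    say("S: 221 Bye")
    return reply


def relay_reaction(s: Session, reply: str, include_body: bool) -> Optional[str]:
    """What a legitimate upstream relay does with the reply it received.

    A 5xx makes it bounce to the envelope sender it was given, forged or
    not; that is the bystander problem. include_body=False models the
    sendmail 'nobodyreturn' option: the DSN carries the transcript only, so
    the malware is not forwarded a second time (real sendmail keeps the
    original headers; this model drops the whole message for brevity).
    """
    if not reply.startswith("5"):
        return None
    lines = [
        f"To: {s.mail_from}",
        "From: MAILER-DAEMON@relay.example.test",
        "Subject: Returned mail: see transcript for details",
        "",
        "----- Transcript of session follows -----",
        f"<{s.rcpt_to}>... {reply}",
        "",
        "----- Original message -----",
        s.body if include_body else "[message omitted]",
    ]
    return "\n".join(lines)
```

Run an infected Session with a forged mail_from and the DSN lands at the forged address; with include_body=True it also carries the marker, which is the propagation path Matt worries about, and with include_body=False it does not. A clean session ends in 250 and relay_reaction returns None, since a 2xx never produces a bounce.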

Re: [Clamav-users] Notification E-mail

2004-09-21 Thread Nigel Horne
On Tuesday 21 Sep 2004 16:44, [EMAIL PROTECTED] wrote:
> Nigel Horne wrote:
> > On Monday 20 Sep 2004 22:45, Jonathan Pitcher wrote:
> >> Is it possible to send a message onto the user that they had an
> >> e-mail blocked?  Or to an admin stating that [EMAIL PROTECTED] had a virus
> >> sent to them?
> > 
> > Yes it is, though the first option is not advisable. You can find how
> > to by running "man clamav-milter".
> 
> It is precisely that manpage to which I was referring in my previous email.
> Is there a way to customize the SMTP rejection message?  This only matters
> for false positives.  But I'd like to provide a phone number for out-of-band
> conversations about false positives.

Yes - you can use the template feature.

> [EMAIL PROTECTED]  805.964.4554 x902

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk




Re: [Clamav-users] Notification E-mail

2004-09-21 Thread Brian Morrison
On Tue, 21 Sep 2004 08:44:45 -0700 in
[EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:

>  If there is no way to do this currently, can I submit this as a
>  feature request for clamav-milter?

But as you have already been told, it is up to the MTA to do this.

When Exim passes incoming mail through clamd for me, all it knows is
that either an exploit of some kind is detected or that it is not, plus
the name of the malware if there is a positive.

Hence my exim.conf file has:

  # Reject virus infested messages.
  deny  message = This message contains malware ($malware_name)
        demime  = *
        malware = *

in it so that Exim returns the correct SMTP response with an appropriate
error message.

You need to do something appropriate to sendmail.cf or the milter
configuration (which I know nothing about I'm afraid) to do this.

This is not something that can be configured in clamav AFAICS.





RE: [Clamav-users] Notification E-mail

2004-09-21 Thread Matthew.van.Eerde
Nigel Horne wrote:
> On Monday 20 Sep 2004 22:45, Jonathan Pitcher wrote:
>> Is it possible to send a message onto the user that they had an
>> e-mail blocked?  Or to an admin stating that [EMAIL PROTECTED] had a virus
>> sent to them?
> 
> Yes it is, though the first option is not advisable. You can find how
> to by running "man clamav-milter".

It is precisely that manpage to which I was referring in my previous email.
Is there a way to customize the SMTP rejection message?  This only matters
for false positives.  But I'd like to provide a phone number for out-of-band
conversations about false positives.

If there is no way to do this currently, can I submit this as a feature request for 
clamav-milter?

[EMAIL PROTECTED]  805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"




Re: [Clamav-users] Notification E-mail

2004-09-21 Thread Nigel Horne
On Monday 20 Sep 2004 22:45, Jonathan Pitcher wrote:
> We have Clam Av installed and running.  It is blocking virus e-mails
> but is not generating any notification.
> 
> Is it possible to send a message onto the user that they had an e-mail
> blocked?  Or to an admin stating that [EMAIL PROTECTED] had a virus sent to
> them?

Yes it is, though the first option is not advisable. You can find how to by
running "man clamav-milter".

> Thanks in advance.

-Nigel





Re: [Clamav-users] Notification E-mail

2004-09-21 Thread Niek
On 9/20/2004 11:45 PM +0200, Jonathan Pitcher wrote:
We have Clam Av installed and running.  It is blocking virus e-mails
but is not generating any notification.
Is it possible to send a message onto the user that they had an e-mail
blocked?  Or to an admin stating that [EMAIL PROTECTED] had a virus sent to
them?
Thanks in advance.
Don't send notification emails at all!
Perhaps maybe to the mail administrator, but you don't want that
on a busy mail server.
If you want to know how many viruses hit your box, you take a look
at the clam logs.
Don't confuse your users with a message that you've stopped a virus.
Who wants to know these days?
I, as a mail admin and a user, certainly don't want to.
A Week ago I switched from qmail-scanner, to simscan [1].
It drops viruses at smtp level with a permanent failure message.
No one is notified or emailed. Just another entry in the clam logs.
I love it.
[1] http://www.inter7.com/?page=simscan
Regards,
Niek Baakman
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers


RE: [Clamav-users] Notification E-mail

2004-09-20 Thread Mitch (WebCob)
> With one caveat.
> It is perfectly acceptable to place an explanatory message in an SMTP
> REJECT message.
>
> Something like
>
> EHLO (hi)
> MAIL FROM (ok)
> RCPT TO (ok)
> DATA (can't accept for delivery, contains the EICAR virus!)
>
> If the mail is being sent by a virus, the virus will usually just give
> up and go on to the next recipient server on their list.  No "you sent a
> virus" mail is sent to a (usually) innocent third party.
>
> If the virus is a false positive, and is really good mail being sent by
> a legitimate mail server, the sending mail server will keep the
> responsibility of generating the undeliverable message.
>
> It would be nice if the SMTP reject message was customizable - say, to
> include a phone number to call in case of false positives.  I didn't see
> anything in the man pages for 0.75.1 - did I miss it?
>
> [EMAIL PROTECTED]  805.964.4554 x902

Clam doesn't do this at all. It's the widget that is used to integrate with
the MTA that has control of this. I use courier, and this is exactly how my
mail server handles it.

Whatever integration tool you use to tie clam to your MTA (or the MTA
itself) has this job - that's why it's not in the clam man pages ;-)

m/





Re: [Clamav-users] Notification E-mail

2004-09-20 Thread [EMAIL PROTECTED]
Christopher X. Candreva said:
> On Mon, 20 Sep 2004, Jonathan Pitcher wrote:
>
>> Is it possible to send a message onto the user that they had an e-mail
>> blocked?  Or to an admin stating that [EMAIL PROTECTED] had a virus sent to
>> them?
>
> Yes.
>
> It is also a bad idea.
>
> Since most viruses forge the From: address, you will not be providing any
> useful information.
>

And since most users are idiots, you'll create needless anxiety and extra
work for the admin who has to explain that the message you've sent is
bogus.




Re: [Clamav-users] Notification E-mail

2004-09-20 Thread Christopher X. Candreva
On Mon, 20 Sep 2004, Jonathan Pitcher wrote:

> Is it possible to send a message onto the user that they had an e-mail
> blocked?  Or to an admin stating that [EMAIL PROTECTED] had a virus sent to
> them?

Yes.

It is also a bad idea.  

Since most viruses forge the From: address, you will not be providing any 
useful information.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/




RE: [Clamav-users] Notification E-mail

2004-09-20 Thread Matthew.van.Eerde
Steffen Heil wrote:
> Hi
> 
>> We have Clam Av installed and running.  It is blocking virus e-mails but
>> is not generating any notification.
> 
> ... PLEASE only send a notification to the
> intended user, NOT to the author. This would cause lot of
> collateral damage.

With one caveat.
It is perfectly acceptable to place an explanatory message in an SMTP
REJECT message.

Something like

EHLO (hi)
MAIL FROM (ok)
RCPT TO (ok)
DATA (can't accept for delivery, contains the EICAR virus!)

If the mail is being sent by a virus, the virus will usually just give
up and go on to the next recipient server on their list.  No "you sent a
virus" mail is sent to a (usually) innocent third party.

If the virus is a false positive, and is really good mail being sent by
a legitimate mail server, the sending mail server will keep the
responsibility of generating the undeliverable message.

It would be nice if the SMTP reject message was customizable - say, to
include a phone number to call in case of false positives.  I didn't see
anything in the man pages for 0.75.1 - did I miss it?

[EMAIL PROTECTED]  805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
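The reject-at-DATA exchange sketched in the message above, as an added example
that is not part of the original post and is not code from ClamAV,
clamav-milter or any MTA. It is a toy server-side SMTP state machine whose only
purpose is to show at which step the 5xx lands and who owns the message
afterwards: a message answered 554 inside the DATA transaction was never
accepted, so any bounce is generated by the sending MTA (which knows the real
envelope sender), and this server never mails the probably forged From:
address. The scan is a plain substring match for the EICAR test string standing
in for a real ClamAV call; the host names, addresses and the postmaster contact
in the reject text are made-up placeholders.

```python
"""Toy SMTP server state machine: reject infected mail at DATA, never bounce."""
from typing import List, Optional, Tuple

# The EICAR test string, split in two so this source file is not itself
# flagged by a scanner; the joined form is what any scanner recognises.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Placeholder contact (an assumption) for the "call us if this is a false
# positive" text that the message above asks for in the reject line.
CONTACT = "postmaster@mx.example.net"


def scan(data: bytes) -> Optional[str]:
    """Stand-in for the ClamAV scan: signature name if infected, else None."""
    if EICAR.encode() in data:
        return "Eicar-Test-Signature"   # the name older ClamAV releases report
    return None


def client_lines(sender: str, rcpt: str, body: str) -> List[str]:
    """Lines a sending MTA emits for one message (constructed input).
    Body lines starting with '.' are dot-stuffed as RFC 5321 requires."""
    stuffed = ["." + l if l.startswith(".") else l for l in body.split("\n")]
    return ["EHLO relay.example.org", f"MAIL FROM:<{sender}>",
            f"RCPT TO:<{rcpt}>", "DATA", *stuffed, ".", "QUIT"]


def run_session(lines: List[str], scanner=scan, contact: str = CONTACT
                ) -> Tuple[List[str], List[Tuple[str, List[str], bytes]]]:
    """Drive the server state machine over a client's lines.

    Returns (server replies, mailbox).  The mailbox holds only messages the
    server answered 250 to after DATA, i.e. those it has taken responsibility
    for.  Anything answered 554 is still the sending MTA's problem: a
    legitimate MTA bounces it to its real originator, a worm usually just
    moves on, and in neither case does this server notify the From: address.
    """
    replies = ["220 mx.example.net ESMTP ready"]
    mailbox: List[Tuple[str, List[str], bytes]] = []
    sender, rcpts, body, in_data = "", [], [], False
    for line in lines:
        if in_data:
            if line != ".":
                body.append(line[1:] if line.startswith(".") else line)  # un-stuff
                continue
            in_data = False
            data = "\r\n".join(body).encode()
            sig = scanner(data)
            if sig:
                # Permanent failure before acceptance: explanatory text is
                # fine here because it reaches the connecting MTA, not a
                # third party picked out of a forged header.
                replies.append(f"554 5.7.1 Message rejected: contains {sig}. "
                               f"If this is a false positive, contact {contact}")
            else:
                mailbox.append((sender, rcpts, data))
                replies.append("250 2.0.0 OK: queued")
            sender, rcpts, body = "", [], []
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            replies.append("250 mx.example.net")
        elif verb == "MAIL":
            sender = arg.partition(":")[2].strip()      # "FROM:<a@b>" -> "<a@b>"
            replies.append("250 2.1.0 OK")
        elif verb == "RCPT":
            rcpts.append(arg.partition(":")[2].strip())
            replies.append("250 2.1.5 OK")
        elif verb == "DATA":
            if rcpts:
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:
                replies.append("503 5.5.1 Need RCPT TO first")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
            break
        else:
            replies.append("500 5.5.2 Command not recognised")
    return replies, mailbox


def data_reply(replies: List[str]) -> str:
    """The reply given to the end of DATA (the one right before 221 Bye)."""
    return replies[-2]


if __name__ == "__main__":
    clean = client_lines("alice@example.org", "bob@example.net", "Subject: hi\n\nhello")
    infected = client_lines("forged@example.com", "bob@example.net",
                            "Subject: see attached\n\n" + EICAR)
    for name, lines in (("clean", clean), ("infected", infected)):
        replies, mailbox = run_session(lines)
        print(f"--- {name}: {len(mailbox)} message(s) accepted")
        print("\n".join("C: " + l for l in lines))
        print("\n".join("S: " + r for r in replies))
```

Running the file prints both sides of a clean and an infected session; only
the clean message ends up in the mailbox, and the infected one never becomes
this server's responsibility to bounce or to announce.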




Re: [Clamav-users] Notification E-mail

2004-09-20 Thread Peter Bonivart
Jonathan Pitcher wrote:
Is it possible to send a message onto the user that they had an e-mail
blocked?  Or to an admin stating that [EMAIL PROTECTED] had a virus sent to
them?
http://www.mailscanner.info
--
/Peter Bonivart
--Unix lovers do it in the Sun