These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for ClamAV & reply generation on the new forum.
Hello all,
By default there are only a few options for handling emails containing viruses, which include deletion, moving to different directories and forwarding to another email.
I would like to see an option to reply to the sender that his message was blocked because of the found virus.
Is this possible?
Best regards Christian
Hey Christian,
This wouldn't be useful. Virus emails never include accurate "From:" information--they always spoof it, in order to avoid being cleaned up.
So, responding to viruses at the address they claim to originate from would only victimize the person whose email address has been spoofed--sending them "spam" about a virus that had nothing to do with them.
--
Check out the forum guidelines!
Hello Joe,
thanks for the quick answer.
But with deletion of the virus mail, neither the sender nor the receiver would ever get notice of the email. In most cases this will do no harm, but in case the sender wasn't aware of the virus, neither of them would know if there was any communication.
I know everybody should have a working and up-to-date virus scanner active, but who knows...
Is it perhaps possible to just get rid of the attachment and send them anyway, in the best case with a short text notification that virus files have been removed?
I know that other virus/spam tools are able to do it... for example GFI MailSecurity (Windows tool... don't ask. I just learned to love my postfix smarthost setup as the initial (and most of the time final) block to spam :P ).
Best regards
Christian
Hey Christian,
<i>Is it perhaps possible to just get rid of the attachment and send them anyway, in the best case with a short text notification that virus files have been removed?</i>
I believe this assumes something that just doesn't happen anymore (and hasn't for seven years or more): Viruses attaching themselves to legitimate mail.
Viruses these days send themselves out automatically, at a rate of thousands per hour, from the infected host--with spoofed from addresses and as much of the traceable evidence as possible hidden. I haven't seen a real message with a virus attached in...I can't even remember the last time I saw such a message. I guess it could happen, but it seems pretty unlikely.
You can set up Virtualmin to save emails with detected viruses to their own mailbox, and then you could look at them in Usermin (which isn't subject to viruses) to be sure nothing legit got filtered. I doubt you'd ever run into any legitimate messages in the virus mailbox, though.
Removing attachments is possible with tools like MIME-Defang and anomy...you would then replace the default virus removal rule in procmail with a call to one of those tools.
Hey Joe,
agreed. But I'm ... hmm, call me too soft, but I would like to give the sender the chance to remove the virus and try it again.
I have a very strict postfix setup, which filters out a huge amount of spam senders, more than I ever thought to be possible.
If one of the infected hosts sends out from an infected host, I believe in most cases it is blocked before any data is sent. If the virus sender's setup is configured as a normal SMTP server should be, there is a small chance that it was accidental.
What do you think about this:
- creating a mailbox for virus mails
- forwarding to this account if a virus is found
- the mailbox is set up to reply with a text and delete the mail
I will give it a shot, at least ;)
Christian
Hey Christian,
<i>agreed. But I'm ... hmm, call me too soft, but I would like to give the sender the chance to remove the virus and try it again.</i>
We're talking past one another, here. ;-)
What you describe <i>never</i> happens. It's not a matter of being soft or being harsh. If your mail server receives a virus, it was not sent by a human being and it was not sent from the address it claims to come from. There's not going to be someone at the other end wondering, "Why doesn't Christian respond to my mail?" because the person in the from field did not send the message!
So, if you received a mail claiming to be from "joe@virtualmin.com" and it contained a virus, you can be certain that I didn't actually write you an email in that message. It was sent by the virus itself running on some zombie machine somewhere in the world (not even my machine!). This isn't a matter of letting people know they have a virus--the address that you see on the email has no relation to the actual system that sent the email.
So, if you send me a response saying "Hey, I got this virus from you. You should scan your box for viruses, dummy." I'm not going to have any idea what the heck you're talking about, because the virus didn't come from me or my box. You'd be just spamming me with unrelated messages that I can't do anything about.
See what I'm saying? I understand that some products do this (I still get those kinds of messages occasionally from servers doing this, though it's gotten more rare over the years), but it's bad behavior to send out those messages. It makes assumptions about virus emails that haven't been true in many, many, many, years.
I strongly recommend against sending out replies to viruses. Like I said, if you want to be sure you're not throwing out the good with the bad, have them delivered to another box. But please don't respond to them!
There are actually two reasons to <i>never</i> respond to a virus.
1. It's not really from who it claims to be from. You're just going to confuse or irritate the person that you're responding to.
2. If you enable this, your mail server will become an open relay for anyone that wants to go to the trouble of sticking the EICAR signature in their spams. They can then send spams to your server claiming to be from "joe@virtualmin.com", and when the virus filter bounces it back to "joe@virtualmin.com" I'll get that spam. This is a more common tactic than you would imagine--I get several spams like this every couple of days. Your mail server will end up in one of the many DNS blacklists, if you enable behavior like this--it is an easily exploited hole. Even if you delete the "virus" and just include part of the message or the subject (since you have to identify what you're responding to, for it to accomplish what you're trying to accomplish), it's still of value to spammers. They can say all they need to say in a subject line, and if they get the good reputation of your server (which will be fleeting if you allow this to occur) that message will get through the several thousand recipients every day until the hole is fixed.
So, don't do it! Please! I'm begging you! ;-)
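The safe alternative Joe describes above (deliver flagged mail to a quarantine mailbox, never bounce it and never answer it) as a small delivery filter. This is an added example, not Virtualmin's own procmail rule and not code from anyone in this thread; it assumes an upstream scanner (for instance ClamAV through a milter) has already tagged the message with an X-Virus-Status header, and that header name and its values are assumptions here. The two sample messages are constructed for the demonstration.

```python
"""Quarantine-instead-of-reply delivery filter (added example).

Assumes an upstream scanner has already tagged each message with an
``X-Virus-Status`` header; the header name and its values are assumed,
not taken from the forum thread.
"""
import email
import mailbox
import os
import tempfile
from email import policy
from email.message import EmailMessage

VIRUS_HEADER = "X-Virus-Status"  # assumed header name set by the scanner


def is_flagged(msg: EmailMessage) -> bool:
    """True when the scanner marked the message as infected."""
    status = msg.get(VIRUS_HEADER, "")
    return status.lower().startswith("infected")


def route(raw: bytes) -> str:
    """Decide where the message goes: 'quarantine' or 'inbox'.

    There is deliberately no third outcome. A flagged message is never
    bounced and never answered: its From header is untrustworthy, so any
    automatic reply would land on whoever was spoofed (backscatter) and
    would let a spammer relay text through this server's reputation.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "quarantine" if is_flagged(msg) else "inbox"


def deliver(raw: bytes, maildir_root: str) -> str:
    """Write the message into <maildir_root>/<folder>/ and return the folder."""
    folder = route(raw)
    box = mailbox.Maildir(os.path.join(maildir_root, folder), create=True)
    box.add(raw)          # Maildir.add accepts raw bytes
    box.flush()
    box.close()
    return folder


def deliver_to_temp(raw: bytes) -> tuple[str, int]:
    """Deliver into a fresh temporary Maildir tree; return (folder, count)."""
    root = tempfile.mkdtemp(prefix="quarantine-demo-")
    folder = deliver(raw, root)
    count = len(mailbox.Maildir(os.path.join(root, folder)))
    return folder, count


# Constructed sample messages (not real mail; addresses are placeholders).
INFECTED = b"""From: joe@example.org
To: christian@example.net
Subject: invoice
X-Virus-Status: Infected (Eicar-Test-Signature)

see attachment
"""

CLEAN = b"""From: joe@example.org
To: christian@example.net
Subject: hello
X-Virus-Status: Clean

just saying hi
"""

if __name__ == "__main__":
    for raw in (INFECTED, CLEAN):
        print(deliver_to_temp(raw))
```

The filter only ever writes to a local Maildir; nothing in it opens an SMTP connection, so there is no code path that could turn a spoofed From address into an outbound message. Reviewing the quarantine folder in a mail client is the manual check Joe suggests for catching the rare legitimate message.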
Hey Joe,
good points... I got it. The solution was working like I wanted it to, but I will remove the settings.
I guess with these arguments I can work against the issues within the company... if there are any.
On the other hand... everyone could be safe from "faked" virus replies just by setting up a proper SPF setting ;)
I will remove it asap. Thanks for your help! :)
Christian
<i>On the other hand... everyone could be safe from "faked" virus replies just by setting up a proper SPF setting ;)</i>
To some degree that's true. It at least ensures the message came from the domain it claims to come from. So, going forward, I'm sure viruses and spammers running botnets will begin to incorporate smarter elements--like sending from the same domain as a configured email address in Outlook or Thunderbird, and making use of the authentication details to send through an authenticated server. So far, this isn't happening on a large scale, but only because it doesn't have to yet.
Once it does become possible, you will be able to trace back a virus or spam to the sending machine with some accuracy, and that will be very good for reducing spam. But, even then, we can't safely respond to them automatically--due to the spam factor.
This is a problem with the "you must respond to this message for your mail to go through" filters, as well.
Spam and viruses are a hard problem, and all of the "simple" solutions don't actually work. ;-)
Agreed, simple does not do it... but this setup is not simple. :P
For the moment I'm quite happy with my postfix setup. I set up the appropriate HELO, sender and recipient parameters, I have the policy daemon running with autoblacklisting, whitelisting, greylisting, spamtrap etc. and I have SPF up and working. This is just the smart host. On the server hosting the accounts there is spamassassin and clamav set up.
At the moment I serve only 10 mail accounts with that and these have been a good target for spam (I can not believe how careless relatives can be with giving out email addresses on public websites...). When I switched to my new smtp server the spam mails were reduced to almost zero.
This was just for my private setup as preparation for the next step, when I will serve an additional ~50 accounts for the company I am working at. I will see how this is working... as the current situation there is a Windows 2003 SMTP with GFI Security/MailEssentials and SPF for our domain is not yet implemented, I expect a major improvement in spam reduction. I can not believe how limited the Windows SMTP service is in comparison to postfix etc.
Ok... many words, laugh, I just want to say that I am happy with this solution for the moment and, with time, when spammers develop more aggressive methods, I hope to get more improvements from the anti-spam community. ;)