[unisog] Auto AV Notification ( was Re: New virus)

Steve VanDevender stevev at uoregon.edu
Mon Nov 28 19:20:03 GMT 2005

Russell Fulton writes:
 > Now if someone can come up with a way to decide if a message is a worm
 > or spam before accepting it then we could also suppress normal bounce
 > messages for old addresses.  That would solve the irritating problem of
 > users ringing the helpdesk "I've just received a bounce message for an
 > email I never sent. Has someone stolen my email account?"

Actually, we're doing virus scanning on inbound mail using ClamAV
(specifically clamav-milter hooked into sendmail) so we can do exactly
that; messages that scan as infected are refused at the end of the DATA
phase in the SMTP transaction (note, this is not bouncing the mail,
unless the remote sender is really an MTA instead of a worm-spewer).

I'm not really a big fan of the virus-scanning approach but ClamAV turns
out to be surprisingly efficient (on our systems it has an overhead of
about 0.01 CPU-seconds per message on average) and they have a nice
automated method for updating their signature database.  Besides
recognizing various Windows worms/viruses ClamAV also recognizes a
number of common phishing mail patterns.

