Best way to use clamav (MTA or MailScanner)

Alex Neuman van der Hans alex at nkpanama.com
Sat Jan 13 22:45:27 CET 2007


Julian Field wrote:
> One of the advantages of doing this at the MailScanner level is the 
> control over the message(s) sent out as a result of an infected message 
> received. You will probably want to just bin all viruses quietly, 
> whereas if you run it at the MTA level it will probably bounce it back 
> to the poor innocent soul whose address was faked as the "sender" 
> address of the message.

If you run it at the MTA level it drops the connection *before* 
accepting the message. Any bounces would come from misconfigured 
M-Sexchange servers that send out bogus NDRs.

> 
> Also, you might want to notify the recipient of the message, at which 
> point instead of receiving an unintelligible sendmail error report, they 
> get a nice friendly report which you write to explain to them what has 
> happened.

I don't think it would be practical to let them know "someone you know 
but whose address we can't know because viruses fake the sender address 
sent you a message with a virus and nothing else on it" - which is IMHO 
99% of the cases.
> 
> This applies to most of the things that MailScanner can do which can 
> also be done at the MTA level, the quality and content of the reporting. 
> Mere mortals don't understand MTA error messages at all, remember that 
> your users will call their support staff whenever they get a report they 
> don't understand. Understandable reports ==> less support calls.
> 

It's been my experience that most users *will not* read the reports, 
regardless of how clearly written they are. The carrot-vs-stick approach 
usually works like this:

1. They call and say "my e-mail don't work"
2. You ask them to read the error message
3. They say they can't (won't) remember (write down) the message.
4. You tell them to call you back with the error message in order to 
resolve the issue. If they give you trouble you tell them you will 
definitely not take their call if they refuse to allow you to help them 
by telling you what the error messages (if any) are.

BTW, we *are* talking about virus scanning/bouncing, not "bad 
attachment" bouncing. *That* can be quite useful in a controlled 
environment.


> Jules
> 
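
Added example, not part of the original thread: a small Python model of the handling options discussed above (reject during the SMTP session, accept then bounce, accept then notify the recipient, accept then discard quietly), showing what the connecting client sees and which address our own server ends up mailing. The policy names, addresses, reply texts and the scanner marker are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a scanner hit; not a real virus signature.
MARKER = b"X-CONSTRUCTED-SCANNER-HIT"
FORGED_SENDER = "innocent@victim.example"   # constructed: faked envelope sender
LOCAL_RCPT = "user@local.example"           # constructed: our real recipient
INFECTED = b"Subject: hi\r\n\r\n" + MARKER
POLICIES = ("smtp_reject", "accept_bounce", "accept_notify", "accept_discard")

@dataclass
class Outcome:
    smtp_reply: str                                   # reply to end-of-DATA
    mail_generated: list = field(default_factory=list)  # (address, kind) we send

def receive(mail_from: str, rcpt_to: str, body: bytes, policy: str) -> Outcome:
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    infected = MARKER in body
    if policy == "smtp_reject":
        # Scan runs before the final reply, so we never take responsibility
        # for the message and never author a bounce ourselves.
        if infected:
            return Outcome("550 5.7.1 Message rejected: virus detected")
        return Outcome("250 2.0.0 Queued")
    # Post-acceptance scanning: the client has already been told 250.
    out = Outcome("250 2.0.0 Queued")
    if infected and policy == "accept_bounce":
        # Backscatter: the notice goes to whoever the envelope *claims* sent it.
        out.mail_generated.append((mail_from, "bounce"))
    elif infected and policy == "accept_notify":
        out.mail_generated.append((rcpt_to, "report"))
    # accept_discard: infected mail is binned, nobody is mailed.
    return out

def compare() -> dict:
    """Run the same infected, forged-sender message through every policy."""
    return {p: receive(FORGED_SENDER, LOCAL_RCPT, INFECTED, p) for p in POLICIES}

if __name__ == "__main__":
    for policy, result in compare().items():
        print(f"{policy:15} {result.smtp_reply[:3]} -> {result.mail_generated}")
```

With `smtp_reject`, any non-delivery report is produced by the connecting server, not by the scanning host; only `accept_bounce` makes the scanning host mail the forged address.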

