[1st ANNOUNCEMENT] Virus-Filter/Blocker

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,113
Location
California
[1st ANNOUNCEMENT] VirusChecker

Having finished SpamBlocker, I've decided to move along and get ExiScan, and Virus Filtering into the mix as soon as possible.

Note: Edited 06/22/2004 to rename the new product VirusChecker.

With that thought in mind I'm recommissioning my testbed DA server and installing on it an old domain for an ISP that has since gone out of business. It is, as you might imagine, a wonderful test domain for spamblocking and virus-checking, as it has tons of non-existing users who continue to get lots of spam and viruses.

I have some questions... what do YOU want in VirusChecker?

What I'd like to know is what most DA admins want to do with emails infected with viruses... do you want to dump them, refuse them, or pass them on to users but somehow marked.

Obviously my free DA distributions will be simple, because after all what I do for a living is sell this sort of stuff (for years for Cobalt RaQs, then for Plesk, and now for DA as well); only about 10% of my income is actually from hosting.

But I would like for my free releases to "just work" and work well for people who want to use them.

So...

What do you really want VirusChecker to do?

Please reply here rather than by email or by PM; I'd like to see the results all in one place if possible.

Thanks for your input, so I can make sure this new release does what YOU want.

Jeff
 
Last edited:
Well, we are using ClamAV and MailScanner and it function's fine. When a infected e-mail is comming on the server, it wil get the virus out of the e-mail and still send it to the user with some note's of what happend.

With spam it will only apply the [***SPAM***] into the subject.

This all is a good step forward from no spam/virus filter to this, but I think it's still not very easy for users. Because the 'infected' e-mails are still comming on the clients computer. Maybe 1 time a month 1 e-mail with a status of infected mails with there subjects so that if a user wants to it can look if there are any false 'infected' e-mails. That would be a nice feature for DA when it will get implemented spam and virus filter.
 
just strip the virus

If possible, i'd like a virus checker that would simply strip the virus from the email and also add a note at the top of the mail to let the user know - if we could find something like that which would be simple to install, i'd be a happy camper :D
 
I'd like a virusscanner which scans all email for virusses. It tags the headers that this was a virus and it tags the subject *** VIRUS ***.

It also has to remove the virus and add an attachment called virus.txt with short virus-information.
 
Responding first to Dennis...

Dennis, if you're specifying what it HAS to have, then you're on your own in terms of finding something that does exactly what you want, or having it created for you. We and others have programming services to do custom work.

And now responding to everyone, including Dennis... if you're looking for concensus, then let's work towards that.

Personally I don't like sending the virus on to the user marked "VIRUS" as many outlook and outlook express users will get infected automatically if they get the email.

We could try to disinfect the virus, but all the solutions that do that are commercial solutions and are extremely expensive for use in mailservers. Additionally, I'm not sure any of them would work on a Linux server; you might need a Windows server just to do the disinfecting.

So my belief is we should destroy the virus and not send it on.

Then the question is, should we send the email on to the recipient along with a note that it had a virus? My guess is we shouldn't send anything to the end-recipient.

Why? Years ago it was a good idea to send the email on to the client, so s/he could notify his/her correspondent that s/he had an infected system.

Today, however, most viruses come with forged sender information, and there's nothing you can do about it.

What about returning virus-containing email? We can't. For the same reason we can't return spam. Because most of it uses forged senders, and by trying to return it we're just creating a problem for someone else.

So what I like to do is block the entire virus at "data" time. That means I'd tell the server sending me the virus that we won't accept it because it contains a virus.

Legitimate senders should get a message back from their ISP (or whoever runs their SMTP server) that their email was refused; then they can decide what to do with it.

Fortunately this is fairly easy to do.

Anyone interested in this?

(I can have it ready within a week to a month, depending on whether or not I get it done before my vacation.)

Jeff
 
I agree 100% Jeff. Nothing else to be said, other than "when can you have it ready?" :p

Cheers...
 
Unfortunately, on the day I had time to work on it, I discovered that my testbed system wouldn't run DA; it kept teling me the license had expired. This is a monthly rental license (that way it gets continuous support), and wouldn't run DA :( .

John fixed it for me, and the fault was probably mine, since this system isn't always connected to the 'net, and might have been disconnected during the time it needed to update it's license.

Nevertheless, by then I'd lost my "window" for getting it done before my vacation (which starts Sunday morning).

So it now looks as if I won't be able to get to it until I get back (after June 2nd).

Jeff
 
Just as a note, we currently host clients on 12 different DA servers. We took a "poll" in our forums, and asked what features people wanted with regards to this.

Overwhelmingly, our customers DONT want their email modified in ANY way, including a txt attachment. A header flagged as "Spam" or "Virus" was the only acceptable answer to an overwhelming majority of users. Don't modify or change their email in any way shape or form - they're adults, they can decide for themselves.

Personally, I don't want to be responsible for server side filtering on a global basis. What's spam to client A may not be spam to client B. As soon as we took viruses and threw them to an attachement as a txt file, the place went into an uproar - only one person commented that they wanted it, everyone else said "if this continues, I'm leaving".

I truly hope DA does NOT incorporate this into their default releases. No offense to jlasman, but I want my users to decide... not me. They pay me to deliver the mail, as is - not to modify it or change it in any way (other than a possible brief modification to the header - and even that was 50/50).

Just my 2cents. (or is that 12 DA licenses?)
 
Well, I think everybody has to decide for them selve how to manage the things you can do with 'infected' e-mails. Maybe it's the best for DA to make let there customers decide. That means that you can configure it in the control pannel or in config file's. Personaly I think that's the best way to become the best control panel there is. Just by giving your customar a lot of choice.

Ofcourse DA is already the best control panel, but it can be better :).
 
I don't know about other parts of the world (maybe we do things different here in Australia?), but I've never come across a single company that actually prefers to have viruses delivered direct to their desktop, rather than have them filtered out at server level. The majority of SMEs don't have particularly good internal procedures to ensure that anti-virus software is kept up-to-date, and invariably they do get caught out all too often as a result. For everyone I know, it's a huge value-add to be able to say to a customer that their e-mail is scanned for viruses (and the attachment removed if infected) before it ever reaches their premesis, let alone their own desktop. Whether the functionality works server-wide or on an individual basis I don't care - I know either way the vast majority of my customers will be more than happy to have it. For those customers that don't want it, I suppose I could mail them a CD full of viruses or something, if that turns them on!
 
same for me
i don't dare yet to install mailscanner/spamassassin myself, as i don't want to risk my email stops working

It would be very great if this will be standard DA stuff, but it should be turned on/off per domain
 
@host-pc.com:

http://www.hostpc.com/forums/index.php?showtopic=953&hl=anti-virus

Is this the poll? I could not find any other topic about virusscanning on your forum. As far as I can tell your users love the idea as long as they have the option to turn it off? Correct me if I'm wrong. I just started to look for it because I was curious about the reactions. I'm not trying to put you on the spot or something.
 
@host-pc, when you say your users don't want their mail to be scanner in any way, I guess they don't have the need yet but here we have users recieving a lot of spam/virus (when I say a lot, it can go up to 700 bullshit mails in only one night, 200 infected sobig mails in one hour.)

When you run this kind of customers you don't really have the choice :
-you need to filter otherwise it will take a lot of space.
-your users will run after you to prevent their mailbox to be so hardly spammed.
(try to find one important mail out of 700 spam/virus mails..)


So, for me spam/virus filtering is a need, I had to install it because of those users and I ll be glad if DA provvides me with an automated way to control it.

I guess that for sure it will be possible to disable it.
 
hostpc.com said:
I truly hope DA does NOT incorporate this into their default releases. No offense to jlasman, but I want my users to decide... not me.
And I agree. That's why all our changes come with everything turned off by default.

The main reason I still haven't done anything about viruses is I'm not sure yet what to do.

As far as SpamAssassin is concerned; we simply use the DA SpamAssassin installation, which defaults to doing a lot to incoming spam emails. We've gotten no complaints.

But you can certainly change the SpamAssassin behavior whether or not you implement SpamBlocker or Virus-Filter/Blocker.

However, I'd think your customers would rather not have SpamBlocker, since it blocks spam before they get a chance to see it.

We're currently letting our clients choose. At some point in the future, as spam gets worse, we may actually charge our customers to get spam, since it costs us money to receive it for them.

Jeff
 
I guess the behaviour of mailscanner+clamav is the correct.
Extract the virus and attach a warning email.

For the the antivirus module should have (well it is my ideal)
* An antivirus panel would rock! this panel should allow the customer would the emails in quarantine and release a false positive email if any, along with several statistics. The reseller must be able to disabled this panel for his customers as well
as the spam/antivirus filtering.

* Having a statistics feature... with graphics like this:

http://mailwatch.sourceforge.net/images/mail_by_date_rpt.png
http://mailwatch.sourceforge.net/images/top_viruses_rpt.png
http://mailwatch.sourceforge.net/

and the capacity of include just strings like this in their homepages:

MAILS PROCESSED: 10000
SPAM DETECTED: 123 (30%)
VIRUS DETECTED: 123 (30%)
TOP TEN VIRUS DETECTED:
virus 1 (%)
virus 2 (%)
virus 3 (%)
virus 4 (%)
virus 5 (%)

and the possibility to have reports by domain, when on demand requested by a web form...

(in fact I started a thread in webhostingtalk.com about this
type of module for mailscanner.
 
Last edited:
albatroz said:
I guess the behaviour of mailscanner+clamav is the correct.
Extract the virus and attach a warning email.
That was great behavior when viruses were mostly attached to legitimate emails sent by legitimate senders.

However today most viruses come automatically from zombies (infected machines) and as such are spam as well as viruses.

I don't know about you, but I don't want to be bothered with emails telling me some infected system somewhere has sent me a virus which was detected and deleted.

I'm still waiting for reasonable discussion on this before I go ahead with Virus-Filter/Blocker.
For the the antivirus module should have (well it is my ideal)
* An antivirus panel would rock!
My free solution will consist of only an exim.conf file and necessary other files.

After that, DA can create anything they want around my solution. (Or around their own if they don't want to wait for mine.)
(in fact I started a thread in webhostingtalk.com about this
type of module for mailscanner.
I generally don't have time to read other forums to see what DA folk are interested in; please use this forum if you want me to see what you'd like.

And please give me reasons, rather than just what you'd like to see.

Currenly I've not seen any reasons to forward on virus-carrying emails without the virus or to delver a warning message.

Are there any such reasons?

Jeff
 
Currenly I've not seen any reasons to forward on virus-carrying emails without the virus or to delver a warning message.

Are there any such reasons?
Sure, some people work in the security and/or software fields and analyze viruses, trojans, etc either as a business or hobby. They often receive samples from others. There's also coders who write this stuff and send their work back and forth. For everyone else, IMO there's really no need.

Before the net got so polluted, most people probably received a periodic virus mostly from someone they knew or had prior contact. You could warn the other person to clean his PC. Today, the activity is too heavy and frequent plus many addresses are spoofed. I see no reason to warn the email originator now because it's either coming from a fake address or he's most likely getting hundreds or thousands of bounced messages anyway.

IMO if you provide the ability to turn this feature on and off by domain and/or email address, you can dump them all into the bit bucket. Those afraid of false positives or manipulation of their emails can turn it on whenever they want. I doubt any in this latter group are getting many viruses.
 
I've decided that what I'd like to do is offer these two options:

1) no virus checking

2) virus check at data time and refuse email at data time.

Note that all my free distributions are on a per domain basis only (and with whitelisting available for sending domains [blacklisting can simply be done through my already existing SpamBlocker exim.conf file free distribution]).

That's because I sell other solutions :) .

Of course you, or DA, or anyone else, is free to take any of my exim.conf files I make available under the applicable open-source license, and change it in any way you wish, as long as you also keep your changes under the applicable license.

Jeff
 
So what I like to do is block the entire virus at "data" time. That means I'd tell the server sending me the virus that we won't accept it because it contains a virus.

Legitimate senders should get a message back from their ISP (or whoever runs their SMTP server) that their email was refused; then they can decide what to do with it.

Fortunately this is fairly easy to do.

Anyone interested in this?

I like this idea but I am not sure it will work due to forged return address.

If the infected message is relayed from there SMTP relay to the direct admin smtp it will still create a bounce of sorts. The SMTP server that was trying to send the infected message will send a notice to the return address on the infected email.

Worser still some spam blacklists will list servers that forward virus warnings to the senders of Clez since they are usually forged.

Anyways, I am still excited to try this when you get it out!

Matthew
 
I understand the problem.

But it won't happen as often as you think, since most viruses are sent directly from the infected system rather than through an smtp relay.

I suppose I could offer the option of either dropping or refusing the virus.

I'll ask some AV gurus what they recommend.

Jeff
 
Back
Top