Clamd reject emails instead of delivery

The current options you can select with clamd when a virus-infected email is discovered is to either silently delete it, or deliver it to a "virus" folder. Other mail systems I have worked with would outright reject the email and it would be returned to the sender. I find this method to be a lot nicer than either silently deleting it or delivering it to a "virus" folder as:

  • When deleting it, neither the sender nor the receiver is aware that the message contained a virus. As a matter of fact, the receiver has no idea that a message has even been sent to them, and the sender has no idea that the receiver didn't get it.

and

  • When delivering it, the sender still has no idea that the message contained a virus, and the receiver now has a virus-laden email message on her computer.

So, in short, I would like to see the ability to reject/bounce the message back to the sender as well.

Status: Active

Comments

I'll pass this along to Jamie for further comment -- but the problem here is that more often than not, the "From" address of an email containing a virus is typically forged.

That means that replying to the message generates spam to an innocent party.

That's often called "backscatter": http://en.wikipedia.org/wiki/Backscatter_(e-mail)

There are some details on the problem at various sites around the Net, including this one:

http://www.dontbouncespam.org/

Yes, bouncing a spam or virus email like this is a bad idea .. spammers use this to bounce email to other addresses via your mail server, by using faked From addresses. This can cause your system to look like a spam source!

Submitted by Joe on Wed, 10/07/2009 - 18:27 Pro Licensee

Yep, I have to concur. Bouncing at any point beyond the initial connection stage is simply asking to be used for spamming. So, if it can't reject during the initial conversation with the sending server (as in the case with greylisting, various destination checks, etc.) it can't be rejected safely.

It would be trivial to send spam through your system, if it did so. A spammer would just add the EICAR test virus signature (or a real virus) to the message, and set the From: to the email address they want to spam. You'd then send that message on for them, but now with your (presumably non-spammy) domain name and IP, SPF record, etc. You'd very soon find yourself on blacklists and considered an untrustworthy SMTP server.

As far as I know, anti-virus can't be run in a policy server configuration (policy servers in Postfix can make rejection decisions at connect time, like the postgrey policy server that Virtualmin can configure), since the whole message is not yet available at that point, so rejecting viruses can't be done safely. That said, in a lot of cases, viruses that transmit via email won't follow RFCs very well, and so greylisting will kill them before they ever even arrive.

I wonder how the Exim / clamd configuration does it then, as my current DirectAdmin box does the rejection that I am talking about:

This is the mail system at host server2.example.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

rjones@example.com: host mail.example.com[66.187.102.xx] said: 550-This message contains a virus or other harmful content 550 (Eicar-Test-Signature) (in reply to end of DATA command)

This was actually delivered by the original sending server that sent the virus (my test VirtualMin server). So my production DirectAdmin box, which rejected the message, never actually sent the message. Looks like it was rejected at the initial connection to me. So it is my understanding that, at least with my DirectAdmin setup, the box could not be used as a bounce-back spam source.

It is theoretically possible to implement this, but only if your mail server supports virus filtering at the SMTP conversation level. I've set this up in the past for Qmail (with some hacking), but unfortunately I don't know of any way to implement it using Postfix, which is Virtualmin's primary mail server ..
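As an added illustration of the distinction drawn in this thread (refusing a message inside the SMTP conversation, as the quoted "550 ... in reply to end of DATA command" reply shows, versus accepting it and bouncing afterwards), here is a small Python model of both receiver behaviours. It is example code written for this page, not Virtualmin, clamd, Postfix or DirectAdmin code; the scanner, the marker string standing in for a signature hit and the addresses are constructed stand-ins.

```python
"""Model of where a virus check sits in an SMTP path and who ends up bouncing.

Constructed example for this thread. A receiving server either:
  * scans before replying to DATA and answers 550 on a hit (pre-queue), so it
    never takes responsibility for the message and never originates a DSN; or
  * answers 250 first and scans later (post-queue), so the only way to report
    a hit is a DSN to the envelope sender, which a spammer chooses freely.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for a scanner hit; not the real EICAR test string.
TEST_MARKER = "X-CONSTRUCTED-TEST-VIRUS-MARKER"


@dataclass
class Message:
    mail_from: str  # SMTP envelope sender (MAIL FROM); trivially forged by the peer
    rcpt_to: str    # envelope recipient (RCPT TO)
    body: str


@dataclass
class Outcome:
    smtp_reply: str                                        # reply the peer saw at end of DATA
    delivered: List[str] = field(default_factory=list)     # mailboxes that received the message
    dsn_sent_to: List[str] = field(default_factory=list)   # addresses this server bounced to


def scan(body: str) -> Optional[str]:
    """Toy scanner: returns a signature name on a hit, else None."""
    return "Constructed-Test-Signature" if TEST_MARKER in body else None


def receive_pre_queue(msg: Message) -> Outcome:
    """Scan inside the SMTP conversation; refuse with 5xx before accepting."""
    sig = scan(msg.body)
    if sig is not None:
        # Same shape as the reply quoted in the thread: 550 at end of DATA.
        return Outcome(f"550 This message contains a virus or other harmful content ({sig})")
    return Outcome("250 OK", delivered=[msg.rcpt_to])


def receive_post_queue(msg: Message) -> Outcome:
    """Accept first, scan later. Responsibility has already transferred."""
    out = Outcome("250 OK")
    sig = scan(msg.body)
    if sig is None:
        out.delivered.append(msg.rcpt_to)
    else:
        # Already said 250, so the only report possible is a DSN to MAIL FROM.
        # With a forged MAIL FROM this is backscatter to an innocent party.
        out.dsn_sent_to.append(msg.mail_from)
    return out


def sending_mta(msg: Message, receiver: Callable[[Message], Outcome]) -> Tuple[Outcome, Optional[str]]:
    """Sending side of the conversation. On a 5xx reply the *sender's* MTA is
    the one that generates a bounce, to its own originator. Returns the
    receiver's outcome and the address (if any) the sending MTA bounced to."""
    out = receiver(msg)
    bounced_to = msg.mail_from if out.smtp_reply.startswith("5") else None
    return out, bounced_to


def backscatter_addresses(msg: Message, receiver: Callable[[Message], Outcome]) -> List[str]:
    """Addresses the *receiving* server itself sends a DSN to for this message.
    For a forged sender, any entry here is backscatter."""
    return receiver(msg).dsn_sent_to


if __name__ == "__main__":
    # Constructed sample: forged envelope sender, infected body.
    forged = Message("victim@example.org", "rjones@example.com", "hello " + TEST_MARKER)
    for name, receiver in (("pre-queue", receive_pre_queue), ("post-queue", receive_post_queue)):
        out, sender_bounce = sending_mta(forged, receiver)
        print(f"{name}: reply={out.smtp_reply!r} receiver DSNs={out.dsn_sent_to} "
              f"sending-MTA bounce to={sender_bounce}")
```

Run against the forged sample, the pre-queue receiver answers 550, delivers nothing and originates no DSN; whatever bounce exists is generated by the sending MTA to its own originator, which matches the observation above that the DSN came from the test Virtualmin server rather than the DirectAdmin box. The post-queue receiver has to address its DSN to whatever MAIL FROM the spammer supplied. In Postfix, the pre-queue hook for this kind of filter is the smtpd_proxy_filter parameter (a real Postfix setting, not mentioned in the thread), which hands the message to a filter before the 250 is returned.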