Virus scanner bounces messages back -- ARGH

[cmelnick]

Hello,

I was using the recommended virus scanner on e-mails. However, since a lot of e-mails containing viruses are malicious and from spoofed e-mail addresses, FastMail bounces the message back to the sender (which is a fake address), then THEIR server bounces the message back to ME, telling me that the user cannot be found on that domain. Is there any way to configure the virus scanner to scan messages, but not send an e-mail to the sender?

Thanks in advance,
Chris

[Jeremy Howard]

Our virus scanner does not inform the sender any more, AFAIK. Are you 100% sure it is a FastMail.FM notification that is bouncing around?

[kirvnet]

My wife recieved a email containing the new "Bagle" virus last night on her Yahoo account and I got her to forward it to my Fastmail acct. Fastmail caught it and rejected it and never sent my wife a email about the rejection.

[calle]

I have a similar problem: Can it be set so that the host simply silently drops virus messages, without rejecting them with a 550 error? This is causing problems with several mailing lists (some Yahoo groups as well).

Thanks

[robmueller]

The virus scanner does silently drop messages. It does NOT return a 5xx code.

Rob

[calle]

I didn't confirm it directly, but this is what the logs of Yahoo Groups claim:

Remote host said: 550 Error: Common virus payload files .pif and .scr blocked (eg.
W32/Sobig). To send this file, please zip it first

It appeared to me that this is what the fastmail.fm SMTP server is saying, since this log is for one of my fastmail addresses. I could be wrong, though - and Yahoo could be wrong too, wouldn't be the first time.

Can you shed some light on this maybe?

[mwild]

That's not the scanner, it's a rule. See http://www.emaildiscussions.com/...threadid=15204.

[calle]

Ah, I see. Thanks, that at least locates the problem. Though the question remains - can this be blocked silently?

Thanks
Calle

[mcowger]

Sure - just change the rule to discard instead of reject.

[calle]

I hope I'm not overlooking something simple now... but where exactly do I set this rule? I looked at the Define Rules and Antivirus pages in the options, but I have no such option anywhere. Sure, I can make my own rules silent, but the executable-blocking rule isn't there. And reading the thread you mentioned it seems to me that this is a system-wide rule. Or am I getting this wrong?

Thanks
Calle

[mwild]

You don't, it's a systemwide rule, not user-configurable. I guess we need another contribution from the FM guys here.

[jhs]

Quote:

Originally posted by robmueller
The virus scanner does silently drop messages. It does NOT return a 5xx code.

Rob, are you saying that your server doesn't bounce messages with a 5xx code because of virueses? I think it does, I have got bounces with the following error:

Quote:

<username@fastmail.fm>: host smtp.us.messagingengine.com[66.111.4.4] said:
550 Error: Common virus payload files .pif and .scr blocked (eg.
W32/Sobig). To send this file, please zip it first

and

Quote:

<username@fastmail.fm>: host smtp.us.messagingengine.com[66.111.4.4] said:
550 Error: Possible Novarg virus blocked

--
Jan

[bitequator]

It's a delicate issue... FM's smtp reject rules naturally occur before the antivirus checking (thus preempting it). In most cases something should be caught by the antivirus (thus dropped silently) if there's no smtp rule. But the smtp rules do reduce the chances of something slipping past altogether, and reduce unnecessary load on the servers/pipeline I guess...

[bat]

We have just rejected a message to you from {...} because it tested as positive to a virus
using Kaspersky Anti-virus (http://www.kaspersky.com).

If you do not wish to use anti-virus protection, log into
your account, click Preferences, and uncheck 'Virus Protection'.

The virus scanner output was:
----
>From {...}][Date Wed, 28 Jan 2004 12:56:10 +0800]/message.zip/message.htm .scr Infected by virus: I-Worm.Novarg


I've been getting so many of these that I've made a filter rule in Mozilla Mail (which I now use because FastCheck has stopped working, but that's a whole 'nother thread), but I agree with the thread on Slashdot at the moment, that virus detectors shouldn't be spamming the "From" addresses. Is that what's happening, or is it something else?

[mwild]

Quote:

Originally posted by bat
We have just rejected a message to you from {...} because it tested as positive to a virus
using Kaspersky Anti-virus (http://www.kaspersky.com).
etc ..

That's not a bounce, it's FM's AV notifying the intended recipient that a virus-positive message has been discarded.

There are 2 rather different cases here :

1. Message triggers SMTP block. SMTP session terminates with 5xx to sending server, possibly before the body is sent. Session information is discarded. RCPT address is NOT notified - indeed, depending on the block, FM may not even know what it is.

2. SMTP session terminated 2xx OK. Message then tests virus-positive. RCPT address is notified (as above), message is discarded by FM. Sender is NOT notified.

That said, I know it's a tricky call, but the volume of complaints seems to show that SMTP blocks are generating an unacceptably large number of false positives.