The Community Forums


Exim_deny - MailScanner/Virus combination

Discussion in 'E-mail Discussions' started by webignition, Jun 16, 2005.

  1. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Firstly I suppose this thread is directed mainly at Chirpy as it relates to his products, but nevertheless I'd appreciate any comments.

    This follows on from the new "Minimum score for Exim Deny blocking" option for Chirpy's MailScanner front-end.

    Just as a quick summary, the above mentioned "Minimum score for Exim Deny blocking" option automatically adds to /etc/exim_deny the IP address of any host that sends mail with a SpamAssassin score higher than a selected number, preventing the relevant host from connecting to Exim for a short period of time.

    This feature has made a noticeable difference to the level of spam MailScanner has to deal with and so a similar feature for virus infected emails seems a good idea in theory.

    The first main hurdle I can think of is that most viruses tend to be sent from hordes of infected home or office PCs. Therefore if such machines were denied a connection to Exim, legitimate mail would be affected. Admittedly the denial would only last a short period, however once elapsed such machines may well try and send viruses again, possibly preventing legitimate mail.

    Therefore the sort of system I was thinking of would work as follows:

    Before denial
    1. Machine 123.123.123.123 sends out a virus infected mail to myself@example.com
    2. Exim receives the mail
    3. MailScanner spots a virus and adds 123.123.123.123 to /etc/something

    During denial
    1. Machine 123.123.123.123 sends out a virus infected mail to myself@example.com
    2. Exim checks /etc/something, spots the IP and prevents receipt of the mail AND sends an error back to the sender (not a bounceback mail, but an SMTP error) which clearly states that the particular host has been denied from connecting due to having sent out a virus within the last X minutes, further suggesting that the machine be checked and cleaned of viruses

    The whole thing
    1. Machine XXX.XXX.XXX.XXX sends a mail to myself@example.com
    2. Exim checks /etc/something for XXX.XXX.XXX.XXX and
    2a) XXX.XXX.XXX.XXX not found - receive mail
    2b) XXX.XXX.XXX.XXX found - send SMTP error
    3. MailScanner processes the mail and
    3a) Virus found - add XXX.XXX.XXX.XXX to /etc/something
    3b) Virus not found - continue as normal

    As well as this, a cron job would periodically clear out /etc/something.

    With such a system, infected machines sending viruses would be repeatedly prevented from connecting to Exim if viruses were still sent once the denial had elapsed AND the users of the machines have at least a chance at being given a valid reason why the connection was denied.

    Since infected machines often send using a local SMTP server put there by the virus, it shouldn't really matter if the machine is denied a connection to Exim as the user of the machine will most likely be sending mail through an SMTP server not on their machine. Nevertheless if they are sending from a valid SMTP server on their machine, they should get an SMTP error stating why the connection was refused.

    As far as I can tell this seems at least a half-decent idea without any major flaws, however I'm no Chirpy and could well have missed something blindly obvious that turns this seemingly good idea into a load of nonsense.

    Even if there are no major flaws in the idea, it is still dependent on MailScanner being capable of adding an IP to a file when a virus is found AND being able to add a relevant ACL to Exim and without sufficient knowledge I can't say if these are possible.

    So, that's the idea. Any comments? Does it sound feasible?
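    As an added illustration (not code from this thread or from Chirpy's MailScanner front-end), here is a POSIX shell sketch of the "/etc/something" bookkeeping described above: a virus hook records the sending IP with a timestamp, a cron job expires entries after X minutes, and a plain one-IP-per-line list is regenerated for Exim to read. The state-file path, the TTL and the function names are assumptions; the SMTP-time refusal itself is left to an Exim connect ACL that reads the plain list.

    ```shell
    #!/bin/sh
    # Hypothetical helper for a time-limited "virus sender" deny list.
    DENY_DB="${DENY_DB:-/var/lib/virus_deny.db}"   # assumed path: "ip epoch" per line
    DENY_LIST="${DENY_LIST:-/etc/exim_deny}"        # plain IP list consumed by Exim
    DENY_TTL="${DENY_TTL:-1800}"                    # seconds a host stays denied (X minutes)

    # Regenerate the plain IP list Exim reads from the timestamped state file.
    # Exim side (illustrative): a connect-time ACL such as
    #   deny hosts = /etc/exim_deny
    #        message = Host $sender_host_address sent a virus recently; please clean it
    deny_render() {
        awk '{ print $1 }' "$DENY_DB" > "$DENY_LIST.tmp" && mv "$DENY_LIST.tmp" "$DENY_LIST"
    }

    # Step 3a: the scanner found a virus from $1; record it (optional $2 = epoch, for tests).
    deny_add() {
        ip="$1"; now="$2"
        [ -n "$now" ] || now=$(date +%s)
        touch "$DENY_DB"
        # Replace any older entry for the same host so its timer restarts.
        { awk -v ip="$ip" '$1 != ip' "$DENY_DB"; printf '%s %s\n' "$ip" "$now"; } > "$DENY_DB.tmp"
        mv "$DENY_DB.tmp" "$DENY_DB"
        deny_render
    }

    # Cron job: drop entries older than DENY_TTL (optional $1 = epoch, for tests).
    deny_expire() {
        now="$1"
        [ -n "$now" ] || now=$(date +%s)
        touch "$DENY_DB"
        awk -v now="$now" -v ttl="$DENY_TTL" 'now - $2 < ttl' "$DENY_DB" > "$DENY_DB.tmp"
        mv "$DENY_DB.tmp" "$DENY_DB"
        deny_render
    }

    # Step 2: is $1 currently denied? Exit status 0 means "send the SMTP error".
    deny_check() {
        grep -qxF "$1" "$DENY_LIST" 2>/dev/null
    }
    ```
    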
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Sounds eminently feasible and would probably take a 5 second modification to the new feature of our MailScanner front-end ;)

    ----> To do list
     
  3. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Excellent, it's nice to hear that it's both feasible and not a major task (or not at least for one in the know).

    It'll definitely be nice to see batches of 10 or 20 viruses at once knocked down to only a couple.

    Whilst I'm on the subject, I've noticed (from looking at mails through Mailwatch) that mails found to contain viruses also include a breakdown of the SpamAssassin scoring, which clearly suggests that they are being scanned by SpamAssassin. For me, if a given mail is found to contain a virus, there is little point in using server resources to check if the mail is also spam (aside from purely academic curiosity!).

    Therefore would it be a feasible option to have MailScanner run virus checks first and then spam checks second, with the option of skipping the spam check if the virus check turned up something malicious?
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Good question, and the answer is: No :eek:

    It's a feature of the way MailScanner works and I believe there's a long-winded explanation over on the MailScanner site somewhere.
     
  5. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    That's a shame, however two good ideas in one day was probably pushing things a bit!
     