Firstly I suppose this thread is directed mainly at Chirpy as it relates to his products, but nevertheless I'd appreciate any comments.
This follows on from the new "Minimum score for Exim Deny blocking" option for Chirpy's MailScanner front-end.
Just as a quick summary, the above mentioned "Minimum score for Exim Deny blocking" option automatically adds to /etc/exim_deny the IP address of any host that sends mail with a SpamAssassin score higher than a selected number, preventing the relevant host from connecting to Exim for a short period of time.
This feature has made a noticeable difference to the level of spam MailScanner has to deal with and so a similar feature for virus infected emails seems a good idea in theory.
The first main hurdle I can think of is that most viruses tend to be sent from hordes of infected home or office PCs. Therefore if such machines were denied a connection to Exim, legitimate mail would be affected. Admittedly the denial would only last a short period, however once elapsed such machines may well try and send viruses again, possibly preventing legitimate mail.
Therefore the sort of system I was thinking of would work as follows:
Before denial
1. Machine 123.123.123.123 sends out a virus infected mail to [email protected]
2. Exim receives the mail
3. MailScanner spots a virus and adds 123.123.123.123 to /etc/something
During denial
1. Machine 123.123.123.123 sends out a virus infected mail to [email protected]
2. Exim checks /etc/something, spots the IP and prevents receipt of the mail AND sends an error back to the sender (not a bounceback mail, but an SMTP error) which clearly states that the particular host has been denied from connecting due to having sent out a virus within the last X minutes, further suggesting that the machine be checked and cleaned of viruses
The whole thing
1. Machine XXX.XXX.XXX.XXX sends a mail to [email protected]
2. Exim checks /etc/something for XXX.XXX.XXX.XXX and
2a) XXX.XXX.XXX.XXX not found - receive mail
2b) XXX.XXX.XXX.XXX found - send SMTP error
3. MailScanner processes the mail and
3a) Virus found - add XXX.XXX.XXX.XXX to /etc/something
3b) Virus not found - continue as normal
As well as this, a cron job would periodically clear out /etc/something.
With such a system, infected machines sending viruses would be repeatedly prevented from connecting to Exim if viruses were still sent once the denial had elapsed AND the users of the machines have at least a chance at being given a valid reason why the connection was denied.
Since infected machines often send using a local SMTP server put there by the virus, it shouldn't really matter if the machine is denied a connection to Exim as the user of the machine will most likely be sending mail through an SMTP server not on their machine. Nevertheless if they are sending from a valid SMTP server on their machine, they should get an SMTP error stating why the connection was refused.
As far as I can tell this seems at least a half-decent idea without any major flaws, however I'm no Chirpy and could well have missed something blindly obvious that turns this seemingly good idea into a load of nonsense.
Even if there are no major flaws in the idea, it is still dependent on MailScanner being capable of adding an IP to a file when a virus is found AND being able to add a relevant ACL to Exim and without sufficient knowledge I can't say if these are possible.
So, that's the idea. Any comments? Does it sound feasible?
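The "whole thing" sequence above (steps 2a/2b on the Exim side, 3a on the MailScanner side, plus the cron clean-up) can be sketched as a small deny-list manager. The script below is an added example, not Chirpy's code or anything shipped with MailScanner or Exim. It assumes two files under an invented directory: a ledger of "IP epoch" lines that the expiry pass uses, and a bare-IP list that an Exim host list can read directly (Exim treats a host-list item beginning with "/" as a file of one host per line). The 30-minute TTL stands in for the post's "X minutes", and the ACL fragment in the comment is the kind of line that would turn the list into the SMTP-level refusal the post asks for, with the "check and clean your machine" wording carried in Exim's message modifier rather than in a bounce.

```bash
#!/usr/bin/env bash
# virus_deny.sh -- added example (not Chirpy's / MailScanner's / Exim's own code).
# Usage assumed:  virus_deny.sh add <ip>      (called when a virus is found, step 3a)
#                 virus_deny.sh check <ip>    (manual query of the list, step 2)
#                 virus_deny.sh expire        (the cron job that clears old entries)
#
# Exim side (assumed ACL fragment for acl_smtp_connect or acl_smtp_rcpt; the paths
# and the 30 minutes are assumptions, not values from the post):
#   deny  hosts   = /var/lib/virus_deny/deny_hosts
#         message = Refused: this host sent us a virus in the last 30 minutes. \
#                   Please scan and clean the machine before retrying.
# Exim re-reads a file-based host list when the ACL runs, so no reload is needed.

DENY_DIR="${DENY_DIR:-/var/lib/virus_deny}"   # assumed location
TTL_SECONDS="${TTL_SECONDS:-1800}"           # "X minutes" from the post; 30 min assumed

# deny_init [dir]: derive the two file paths and make sure they exist.
deny_init() {
    DENY_DIR=${1:-$DENY_DIR}
    LEDGER="$DENY_DIR/ledger"          # "IP epoch" lines, used only for expiry
    EXIM_LIST="$DENY_DIR/deny_hosts"   # bare IPs, the file an Exim host list reads
    mkdir -p "$DENY_DIR"
    : >>"$LEDGER"
    : >>"$EXIM_LIST"
}

# Validate an IPv4 literal before it goes anywhere near a file Exim parses.
is_ipv4() {
    local ip=$1 IFS=. o
    [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
    for o in $ip; do (( 10#$o <= 255 )) || return 1; done
}

# Regenerate the bare-IP file atomically so Exim never reads a half-written list.
rebuild_exim_list() {
    awk '{print $1}' "$LEDGER" > "$EXIM_LIST.tmp"
    mv "$EXIM_LIST.tmp" "$EXIM_LIST"
}

# deny_add <ip> [epoch]: step 3a. A repeat sighting replaces the old entry so the
# clock restarts; the optional epoch exists so a log replay can back-date entries.
deny_add() {
    local ip=$1 stamp=${2:-$(date +%s)}
    is_ipv4 "$ip" || { echo "deny_add: refusing bad address: $ip" >&2; return 2; }
    awk -v ip="$ip" '$1 != ip' "$LEDGER" > "$LEDGER.tmp"
    printf '%s %s\n' "$ip" "$stamp" >> "$LEDGER.tmp"
    mv "$LEDGER.tmp" "$LEDGER"
    rebuild_exim_list
}

# deny_check <ip>: step 2. Exit 0 if the host is currently denied (2b), 1 if not (2a).
deny_check() {
    grep -qxF -- "$1" "$EXIM_LIST"
}

# deny_expire: the cron job. Keep only entries younger than TTL, then rebuild.
deny_expire() {
    local now; now=$(date +%s)
    awk -v now="$now" -v ttl="$TTL_SECONDS" 'now - $2 < ttl' "$LEDGER" > "$LEDGER.tmp"
    mv "$LEDGER.tmp" "$LEDGER"
    rebuild_exim_list
}

# deny_count: number of hosts currently denied, useful for monitoring the list size.
deny_count() {
    wc -l < "$EXIM_LIST" | tr -d ' '
}

case "${1-}" in
    add)    deny_init; deny_add "$2" ;;
    check)  deny_init; if deny_check "$2"; then echo denied; else echo allowed; fi ;;
    expire) deny_init; deny_expire ;;
esac
```

The point of splitting ledger and Exim list is that Exim only needs the addresses, while the expiry logic needs the timestamps; rewriting through a temp file and mv keeps the list Exim reads consistent at every instant. The one behaviour worth watching is the 2b case the post describes: a host running a genuine MTA that is on the list gets a 5xx and will generate a bounce to its own sender, so the text in message is the only place that sender learns why, which is why the example puts the "scan and clean" guidance there.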