If the virus is a spoofing virus, you have no way of identifying the sender mail address, unless you force the sender to authenticate before sending a message.
Well, SMTP AUTH could be an idea for this purpose, but Postfix indeed would know the real client sender IP. That's the reason why I suggested a map between real (known) IPs and real (known) email addresses.
$viruses_that_fake_sender_re = new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|palyh|inor|fizzer'i );
I don't understand. IMHO there is no need to warn the sender if external, as the sending address can always be forged (and maybe this would also unveil to the attacker your kind of virus scanner and maybe whether it's not updated or not able to recognize a certain virus). IMHO the
This is also used to alter the virus report: the user gets a report stating she received a virus from an unknown source, vs. a real mail address.
Which user are you talking about: internal (i.e. local) or external?
Bye. Giuseppe.
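To make the two ideas in the exchange above concrete (a regex of virus families known to forge the sender, as in amavisd-new's $viruses_that_fake_sender_re, plus a map from known client IPs to the sender addresses they are allowed to use), here is an added Python example. It is not code from the thread or from amavisd-new/Postfix: the client-to-address map, the sample events and the decision policy are constructed for illustration and would have to come from the site's own inventory in practice.

```python
"""Sender-notification policy for a mail gateway virus scanner.

Decides whether a "you sent us a virus" notice may go to the envelope sender,
and what origin a recipient-side report should show. A sender notice is only
worth sending when (a) the malware family is not one that forges the sender
and (b) the envelope sender is an address registered for the client IP that
actually delivered the message to us.
"""
import ipaddress
import re

# Same family list amavisd-new ships in $viruses_that_fake_sender_re
# (case-insensitive match against the scanner's virus name).
VIRUSES_THAT_FAKE_SENDER = re.compile(
    r"nimda|hybris|klez|bugbear|yaha|braid|sobig|palyh|inor|fizzer",
    re.IGNORECASE,
)

# Hypothetical map (constructed for this example) of known client networks
# to the envelope senders they may legitimately use. Anything not listed is
# treated as an external, unverifiable client.
KNOWN_CLIENTS = {
    ipaddress.ip_network("192.0.2.0/24"): {"alice@example.org", "bob@example.org"},
    ipaddress.ip_network("198.51.100.10/32"): {"mailer@example.org"},
}

UNKNOWN_SOURCE = "unknown source"


def normalize_address(addr):
    """Strip whitespace and angle brackets, lowercase; the null sender '<>' becomes ''."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.strip().lower()


def sender_known_for_client(client_ip, envelope_sender):
    """True only if client_ip falls in a known network AND the (normalized)
    sender is one of the addresses registered for that network."""
    ip = ipaddress.ip_address(client_ip)
    sender = normalize_address(envelope_sender)
    for net, senders in KNOWN_CLIENTS.items():
        if ip in net:
            return sender in senders
    return False  # external client: the sender address cannot be trusted


def decide_sender_notification(client_ip, envelope_sender, virus_name):
    """Return (notify_sender, reported_origin).

    notify_sender   -- whether a warning should be sent to the envelope sender
    reported_origin -- what the recipient's virus report should name as origin:
                       the real address when it could be verified, else
                       'unknown source'
    """
    sender = normalize_address(envelope_sender)
    if sender == "":
        return False, UNKNOWN_SOURCE      # null sender: nobody to notify
    if VIRUSES_THAT_FAKE_SENDER.search(virus_name):
        # This family forges the sender, so the address is not the origin;
        # warning it would only hit an innocent third party.
        return False, UNKNOWN_SOURCE
    if not sender_known_for_client(client_ip, sender):
        # Address not tied to the IP we actually received the message from.
        return False, UNKNOWN_SOURCE
    return True, sender


# Constructed sample events: (client IP, envelope sender, virus name as reported by the scanner)
SAMPLE_EVENTS = [
    ("192.0.2.15", "<Alice@example.org>", "W32/Klez.H"),           # known client, forging family
    ("192.0.2.15", "alice@example.org", "EICAR-Test-Signature"),   # known client, sender verified
    ("203.0.113.7", "alice@example.org", "EICAR-Test-Signature"),  # external client claims internal sender
    ("192.0.2.15", "mallory@example.org", "EICAR-Test-Signature"), # known client, unregistered sender
    ("192.0.2.15", "<>", "EICAR-Test-Signature"),                  # null sender
]


def process_events(events=SAMPLE_EVENTS):
    """Run the policy over a batch of events and return one decision per event."""
    return [decide_sender_notification(ip, sender, virus) for ip, sender, virus in events]


if __name__ == "__main__":
    for (ip, sender, virus), (notify, origin) in zip(SAMPLE_EVENTS, process_events()):
        print(f"{ip:<14} {sender:<22} {virus:<22} notify={notify!s:<5} origin={origin}")
```

Only the second event produces a sender notice; the Klez case and the external client are reported to the recipient as coming from an "unknown source", which is exactly the report change mentioned above, and the map is what keeps an external client from borrowing an internal address.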
