Virus Alerts make the Virus problem worse

The traditional model of antivirus management on the SMTP gateway overloads the average user's mailbox with unnecessary and confusing messages.
Originally, virus-laden emails were otherwise legitimate messages that just happened to carry a macro virus in a Word document or something similar. It therefore made sense to clean the virus out of the message and deliver the non-viral content. At the same time it was important to notify the sender of the infection so they could get the problem fixed.
The problem with this approach is obvious today. Viruses have moved beyond the simple macro virus: they are self-mailing worms, and the messages they generate contain no redeeming content that the user would ever want to see. The problem first showed up as unnecessary calls to the help desk. A user would be worried because they had received a message with the very "subject" and "from" line we had warned them about. Of course, had they opened the message, they would have seen that the attachment had already been removed by the anti-virus software. Messages like this waste the end user's time and the help desk's time. The problem came to a head with Swen.A, when some unlucky user accounts received thousands to tens of thousands of virus messages, each one dutifully defanged by the anti-virus software. This was effectively a denial-of-service attack, and it could have been prevented if the anti-virus software had simply eaten the offending messages.
The other side of the problem is forged senders. Most email worms pick a random return address, typically harvested from the infected machine, so the address that appears as the sender has nothing to do with the host that is actually infected. Antivirus systems that follow the old model and send a warning back to the supposed sender are generally bothering an innocent party.
So what do you do about it? You don't want to participate in harassing innocent third parties, yet you don't want to harass your own employees either. Common sense says you shouldn't drop email messages down a rabbit hole. The compromise position: if a message contains a virus, do not deliver it to the employee. If the virus is a mass-mailing worm, there is no need to tell the sender or the recipient about it (there is no legitimate content, and the sender is almost certainly forged). If the virus is not a mass-mailing worm, it is fine to tell the sender that their message was not delivered and why (we blocked it because it contains virus X in file Y). This is a simple matter of adding a flag to each virus definition saying whether that virus is an email worm. Many vendors have such a flag now, and others are moving toward that model.
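The decision rule above, worked through as an added Python example (this is not code from the original article or from any antivirus vendor). The `WORM_FLAGS` table, the virus names and the sample message headers are constructed for illustration; a real gateway would read the worm flag from its scanner's definitions. The example also adds two caveats the article does not spell out: a detection with no flag is treated as a worm (staying silent costs nothing, a misdirected notice harasses someone), and no notification is ever generated when the envelope sender is the null reverse-path `<>`, because that is how bounces and auto-replies mark themselves and answering them would start a loop.

```python
"""Disposition of a message the gateway scanner has flagged as infected.

Added example, not code from the original article. WORM_FLAGS, the virus
names and the sample messages below are constructed for illustration;
a real gateway would take the flag from its scanner's definitions.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message

# Constructed stand-in for the per-definition flag the article asks for.
# True: self-mailing worm, no legitimate content, sender almost certainly
# forged.  False: a real message that happens to carry an infected file.
WORM_FLAGS = {
    "Swen.A": True,
    "Sobig.F": True,
    "W97M/Concept": False,  # classic macro virus riding on a real document
}


@dataclass(frozen=True)
class Disposition:
    deliver: bool        # hand the message to the recipient?
    notify_sender: bool  # send a "blocked: virus X in file Y" notice?
    reason: str


def envelope_sender(msg: Message) -> str:
    """Return-Path as recorded by the MTA, without angle brackets.
    An empty string is the null reverse-path used by bounces."""
    return msg.get("Return-Path", "").strip().strip("<>").strip()


def dispose(msg: Message, virus: str, filename: str) -> Disposition:
    """Apply the article's rule: never deliver infected mail; tell the
    sender only when the detection is not a mass-mailing worm."""
    # Unknown detection: treat as a worm (added default, see lead-in).
    is_worm = WORM_FLAGS.get(virus, True)
    if is_worm:
        return Disposition(False, False,
                           f"{virus}: mass-mailing worm, dropped silently")
    # Added caveat: never answer a null reverse-path; bounces and
    # auto-replies use it, so a notice there would start a loop.
    if not envelope_sender(msg):
        return Disposition(False, False,
                           f"{virus} in {filename}: blocked, null return path")
    return Disposition(False, True,
                       f"{virus} in {filename}: blocked, sender notified")


def dispose_raw(raw: str, virus: str, filename: str) -> Disposition:
    """Convenience wrapper taking the raw RFC 822 text of the message."""
    return dispose(message_from_string(raw), virus, filename)


# Constructed sample messages (headers only).
WORM_SAMPLE = """\
Return-Path: <innocent@example.net>
From: "MS Security Center" <security@example.com>
To: someone@example.org
Subject: Last Internet Critical Patch

"""
MACRO_SAMPLE = """\
Return-Path: <colleague@example.net>
From: colleague@example.net
To: someone@example.org
Subject: Q3 report

"""
BOUNCE_SAMPLE = """\
Return-Path: <>
From: MAILER-DAEMON@example.net
To: someone@example.org
Subject: Undelivered Mail Returned to Sender

"""

if __name__ == "__main__":
    for sample, virus, fn in ((WORM_SAMPLE, "Swen.A", "patch.exe"),
                              (MACRO_SAMPLE, "W97M/Concept", "report.doc"),
                              (BOUNCE_SAMPLE, "W97M/Concept", "report.doc"),
                              (MACRO_SAMPLE, "NewThing.X", "x.scr")):
        print(dispose_raw(sample, virus, fn))
```

Note that `deliver` is `False` on every path: the infected message itself is never handed to the employee, and the only thing the flag changes is whether a notice goes back to the envelope sender.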
This will cut down on the completely unnecessary mail traffic that accompanies many email viruses. Unfortunately it will not stop the problem completely, because not everyone runs a good anti-virus product. Users will still receive bounces (no such email address) and file-removal notifications for mail they never sent. Until the sender of an SMTP message can be authenticated in some manner (SPF is one proposal worth looking into), there isn't much that can be done about that part of the problem.