DOS attach with zip of death?
mailscanner at ecs.soton.ac.uk
Fri Nov 22 14:32:55 GMT 2002
At 14:28 22/11/2002, you wrote:
>On Fri, Nov 22, 2002 at 12:31:38PM +0000, Julian Field wrote:
> > I've just tested this on RedHat 7.3 with the latest V3 code. I got this
> > (using a batch of 3 messages, with the ZipOfDeath in the middle)
> > Nov 22 12:42:11 sailor mailscanner: Saved entire message to
> > /var/spool/MailScanner/quarantine/20021122/gAMCVGnf003351
> > which is what I would expect. Note that you should get 1 DOS report without
> > the message id, followed by another DOS report with the message id, a few
> > minutes later.
>One thing I notice from the above output is that you quarantine the
>message. We have a policy of not doing this at all and deleting any
>virus but on the two machines that coped with the ping of death it
>seems to have deleted the attack email (at least, I can't find it).
>Is there anyway to have it delete any virus but to keep the dos attack
>message/attachment so that it "can be used in evidence"? :-)
Not easily, no. The quarantining is an "all or nothing" affair.
In V4 you could use a Custom Function to decide whether to quarantine based
on the reports in the message. But you can't in V3.
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
More information about the MailScanner