High score tag and releasing quarantined messages

Jim Levie jim at ENTROPHY-FREE.NET
Tue Oct 8 18:10:29 IST 2002


On Tue, 2002-10-08 at 11:25, Julian Field wrote:
> At 16:45 08/10/2002, you wrote:
> >Are there any plans to enable high scoring emails detected
> >by SA to be tagged in a different manner?
>
> How would you like them to be tagged?
>
> >Also, has anyone devised any neat ways of releasing
> >quarantined messages from unix hosts?
>
> I'm afraid that is left as an exercise for the reader :-)
>
> But seriously, have any of the rest of you come up with a system to manage
> this?
> It's an entire project in its own right...
> --
I think how best to handle quarantined attachments probably varies a lot
from site to site. At one site where I have MailScanner installed I've
built a web application that allows users to retrieve quarantined
attachments (only those that failed the filename rules and are virus
clean, per Sophos). It works by changing the notification message to
include a URL to the directory that contains the attachments associated
with that message that are being held in quarantine (and lots of
admonitions about being safe about any attachment that is retrieved).

At this particular site most users are responsible and knowledgeable
enough to allow this. They know exactly who would be sending a specific
attachment, by filename, and generally aren't of the type to "just get
some random attachment to see what it is". I've got other sites where
the policy is that attachments can only be retrieved via special request
(essentially they don't trust the users to act responsibly, and pretty
much with good reason).

One problem that you have with any automated process lies in ensuring
that the intended recipient is the only one to get an attachment out of
quarantine. The way I've done it so far is basically a "security through
obscurity" approach. The quarantine area isn't browsable and the user
has to go to the exact URL found in the notification method. To be able
to do it right I'd have to know at the web server side who the intended
recipients of each message were that had quarantined parts and
authenticate those users before granting them access to an attachment.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
   Jim Levie                                 email:
jim at entrophy-free.net
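
The recipient check described in the last paragraph of the message above, as an added example that is not part of the original post and is not MailScanner code. The index structure, the quarantine path and all names are hypothetical; it assumes the web server has already authenticated the user and that recipients were recorded, lowercased, when the message was quarantined.

```python
"""Recipient-bound release check for quarantined attachments (illustrative)."""
from dataclasses import dataclass
from pathlib import Path

# Assumed location for this example only; not MailScanner's real layout.
QUARANTINE_ROOT = Path("/var/spool/quarantine-example")


@dataclass(frozen=True)
class QuarantineEntry:
    recipients: frozenset   # envelope recipients recorded at scan time (lowercased)
    releasable: frozenset   # parts held by filename rule only and virus-clean
    directory: str          # per-message directory under QUARANTINE_ROOT


class ReleaseDenied(Exception):
    """Raised for every refusal, so callers cannot tell the reasons apart."""


def authorize_release(index, message_id, filename, authenticated_user):
    """Return the attachment path only if the logged-in user was a recipient."""
    entry = index.get(message_id)
    # Unknown message and wrong user get the same answer: no oracle for valid IDs.
    if entry is None or authenticated_user.lower() not in entry.recipients:
        raise ReleaseDenied("not authorized")
    # Exact match against part names recorded at scan time, never raw user input.
    if filename not in entry.releasable:
        raise ReleaseDenied("not authorized")
    base = (QUARANTINE_ROOT / entry.directory).resolve()
    path = (base / filename).resolve()
    # Defence in depth: the resolved path must stay inside the message directory.
    if base not in path.parents:
        raise ReleaseDenied("not authorized")
    return path


# Constructed sample data: one message with one releasable and one withheld part.
SAMPLE_INDEX = {
    "msg-0001": QuarantineEntry(
        recipients=frozenset({"alice@example.org"}),
        releasable=frozenset({"report.exe"}),
        directory="20021008/msg-0001",
    ),
}
```
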