processing sequence

Chris Trudeau chris at TRUDEAU.ORG
Thu Aug 21 17:47:02 IST 2003


Without going through the code (which in my case would be pointless  :)

Can somebody help me understand the sequence and decision making for handling/notifications that MailScanner uses?

In looking at a couple of log entries relating to Sobig...it seems that the system processes the SPAM checking, then (since action is deliver) scans with virus scanner and finds an infected attachment.  The system quarantines as it should...


New Batch: Scanning 1 messages, 101651 bytes
Spam Checks: Starting
Aug 21 10:14:00 HOST MailScanner[18553]: Message 93F0F1C00E from 1.2.3.4 (user at example.net) to example.com is spam, SpamAssassin (score=6, required 6, BAYES_20 -2.60, DCC_CHECK 2.63, FORGED_MUA_OUTLOOK 2.17, INVALID_DATE 0.59, MICROSOFT_EXECUTABLE 0.10, MIME_BOUND_NEXTPART 0.16, MISSING_MIMEOLE 0.10, NO_REAL_NAME 1.15, RAZOR2_CF_RANGE_91_100 1.21, RAZOR2_CHECK 0.88, X_AUTH_WARNING -0.40)
Spam Checks: Found 1 spam messages
Spam Actions: message 93F0F1C00E actions are deliver
MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Config: calling custom init function SQLLogging
Initialising SQL Logging temp files
Virus and Content Scanning: Starting
INFECTED:: W32/Sobig-F:: ./93F0F1C00E/document_all.pif
Virus Scanning: SophosSAVI found 1 infections
Virus Scanning: Found 1 viruses
Filetype Checks: No executables (document_all.pif)
Other Checks: Found 1 problems
Saved entire message to /quarantine/example.com/20030821/93F0F1C00E
writing to /quarantine/example.com/20030821/93F0F1C00E/message: No such file or directory

With that said, I pose the following questions and my attempt at the answers:

1.  Will the virus scanner always run no matter what the disposition and handling direction is for SPAM?
Answer:  Yes, no matter what handling or detection is done on the SPAM characteristics, the VIRUS scanner will be run against the message.


2.  If so, which disposition takes priority?  The SPAM or the VIRUS handling instructions?
Answer:  No matter the disposition/handling of the SPAM identified message, if the VIRUS SCAN is positive for a virus, VIRUS processing and handling takes over.

3.  This got me to thinking about VIRUS handling....is it safe to say that IF a message is clean, it's passed and handled appropriately, however if it is infected, the scanner will attempt to clean the virus?  If it can clean the virus, it passes the message with a "Virus disinfected" notification?  If it's not able to clean the virus the system deletes the attachment unless it's told otherwise in the "Quarantine Infections =" directive?

Sorry for the long-winded question, just spawned a couple of ideas...

CT
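
The order of events in the log excerpt above can be pulled out per queue ID with a short script. This is an added example, not part of the original post and not MailScanner code: the regexes are fitted only to the line formats shown in the excerpt, the function names `timeline` and `needs_review` are hypothetical, and the sample log is the excerpt with the SpamAssassin rule list shortened.

```python
import re

# Log excerpt taken from the post above (SpamAssassin rule list shortened).
SAMPLE_LOG = """\
New Batch: Scanning 1 messages, 101651 bytes
Spam Checks: Starting
Aug 21 10:14:00 HOST MailScanner[18553]: Message 93F0F1C00E from 1.2.3.4 (user at example.net) to example.com is spam, SpamAssassin (score=6, required 6)
Spam Checks: Found 1 spam messages
Spam Actions: message 93F0F1C00E actions are deliver
Virus and Content Scanning: Starting
INFECTED:: W32/Sobig-F:: ./93F0F1C00E/document_all.pif
Virus Scanning: SophosSAVI found 1 infections
Filetype Checks: No executables (document_all.pif)
Saved entire message to /quarantine/example.com/20030821/93F0F1C00E
writing to /quarantine/example.com/20030821/93F0F1C00E/message: No such file or directory
"""

# (stage, pattern): group "id" is the queue ID, group "detail" the value of interest.
# These patterns are assumptions derived from the excerpt, not a MailScanner log spec.
PATTERNS = [
    ("spam_verdict", re.compile(r"Message (?P<id>\w+) from .* is spam, \w+ \(score=(?P<detail>[\d.]+)")),
    ("spam_action", re.compile(r"Spam Actions: message (?P<id>\w+) actions are (?P<detail>.+)")),
    ("virus_found", re.compile(r"INFECTED:: (?P<detail>[^:]+):: \./(?P<id>\w+)/")),
    ("quarantined", re.compile(r"Saved entire message to (?P<detail>\S+/(?P<id>\w+))$")),
    ("quarantine_error", re.compile(r"writing to \S+/(?P<id>\w+)/message: (?P<detail>.+)")),
]

def timeline(log_text):
    """Return {queue_id: [(stage, detail), ...]} in the order the lines appear."""
    events = {}
    for line in log_text.splitlines():
        for stage, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                events.setdefault(m.group("id"), []).append((stage, m.group("detail")))
                break
    return events

def needs_review(events):
    """Queue IDs where an infection was logged and the quarantine write failed."""
    flagged = []
    for msg_id, stages in events.items():
        names = [stage for stage, _ in stages]
        if "virus_found" in names and "quarantine_error" in names:
            flagged.append(msg_id)
    return flagged

if __name__ == "__main__":
    tl = timeline(SAMPLE_LOG)
    for msg_id, stages in tl.items():
        print(msg_id, stages)
    print("review:", needs_review(tl))
```

For the excerpt, the timeline shows the spam verdict and "deliver" action logged before the Sobig-F detection, and the message is flagged because the quarantine write reported "No such file or directory".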