Sobig getting tagged as spam not virus

Julian Field mailscanner at ecs.soton.ac.uk
Fri Aug 22 09:23:47 IST 2003


Unfortunately, as the spam checking is done first, you can't put a virus
name in the ruleset deciding the spam actions :-(

I need to take a look at this area and have a good think about it, which
won't happen right now as I can't even keep up with my incoming mail, let
alone stop and think about anything.

Sounds like it would be a good idea to do the virus scanning first, then
the spam scanning. This would mean that everything would be virus-scanned,
even spam that was then deleted. But the cost of virus scanning extra files
is a lot lower than the cost of spam scanning extra files, which wasn't the
case when I first started writing MailScanner.

I'll try to find time this weekend to work on it. Once I have sat and
thought about it for a couple of hours it might turn out to be a trivial
change, but I need to be *very* careful in this area.

At 02:58 22/08/2003, you wrote:
>I am very pleased that my site is not one of those spewing forth 'your
>computer may be infected with the Sobig.F virus' reports, all due to
>Julian's 'Silent Virus' feature. It works fine...
>
>But, it would appear from the comments below, and also first hand
>observation, that a number of the Sobig emails are also getting caught by
>MS/SA as spam. These emails are generating 'you sent us spam' reports back
>to the sender, and of course that sender was forged by the virus.
>
>I am getting complaints from some sites that my MS system is hammering
>them with rejection notices. Not 'virus infected' notices, but rather 'you
>sent spam' notices. They are treating me like an idiot "Don't you know
>Sobig fakes the sender's address? STOP sending us these notices NOW!" kind
>of messages.
>
>Being the recipient of many of these virus warnings from sites without a
>'Silent Virus' feature, I can understand the frustration of those yelling
>at me.
>
>Does anyone have a solution to this problem? Some means to recognize a
>spam as being sent by a silent virus, such as Sobig, and not in turn
>sending a spam rejection notice?
>
>Thanks!
>-Alan
>
> >> >Mail with the Sobig.F message body is coming in with and without an
> >> >attachment, therefore we get {SPAM?} or  {VIRUS?} tagged e-mail. The
> >> >score for the spam messages is the same 5.9.
>
> >>If a message contains a silent virus but also registers as spam, would it
> >>be delivered? (seems so in this case)
> >
>
>
>
> >The virus-infected messages and the spam messages are separate. They are
> >all caused by the same thing, but don't expect all this mail to be
> >virus-infected, it's not.
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support


