SV: Sobig getting tagged as spam not virus
Anders Andersson, IT
andersan at LTKALMAR.SE
Fri Aug 22 12:33:02 IST 2003
> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: 22 August 2003 10:24
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sobig getting tagged as spam not virus
>
>
> Unfortunately, as the spam checking is done first, you can't
> put a virus name in the ruleset deciding the spam actions :-(
>
> I need to take a look at this area and have a good think
> about it, which won't happen right now as I can't even keep
> up with my incoming mail, let alone stop and think about anything.
>
> Sounds like it would be a good idea to do the virus scanning
> first, then the spam scanning. This would mean that
> everything would be virus-scanned, even spam that was then
> deleted. But the cost of virus scanning extra files is a lot
> lower than the cost of spam scanning extra files, which
> wasn't the case when I first started writing MailScanner.
I second that..... even if a file has been stopped by rules, for instance *.exe,
and is transferred to quarantine, it's good to know it already passed the virus
testing.... as it is now it feels a little unsafe to move qf/df files for
transport to the user. If they passed the virus test, at least I know they ought
to be safe. I could accept a little higher load on the server for the extra
safety.
/Anders
>
> I'll try to find time this weekend to work on it, once I have
> sat and thought about it for a couple of hours it might turn
> out to be trivial change, but I need to be *very* careful in
> this area.
>
> At 02:58 22/08/2003, you wrote:
> >I am very pleased that my site is not one of those spewing forth 'you
> >computer may be infected with the Sobig.F virus' reports, all due to
> >Julian's 'Silent Virus' feature. It works fine...
> >
> >But, it would appear from the comments below, and also first hand
> >observation, that a number of the Sobig emails are also getting caught
> >by MS/SA as spam. These emails are generating 'you sent us spam'
> >reports back to the sender, and of course that sender was forged by the
> >virus.
> >
> >I am getting complaints from some sites that my MS system is hammering
> >them with rejection notices. Not 'virus infected' notices, but rather
> >'you sent spam' notices. They are treating me like an idiot "Don't you
> >know Sobig fakes the sender's address? STOP sending us these notices
> >NOW!" kind of messages.
> >
> >Being the recipient of many of these virus warnings from sites without
> >a 'Silent Virus' feature, I can understand the frustration of those
> >yelling at me.
> >
> >Does anyone have a solution to this problem? Some means to recognize a
> >spam as being sent by a silent virus, such as Sobig, and not in turn
> >sending a spam rejection notice?
> >
> >Thanks!
> >-Alan
> >
> > >> >Mail with the Sobig.F message body is coming in with and without
> > >> >an attachment, therefore we get {SPAM?} or {VIRUS?} tagged
> > >> >e-mail. The score
> > >> >for the spam messages is the same 5.9.
> >
> > >>If a message contains a silent virus but also registers as spam,
> > >>would it be delivered? (seems so in this case)
> > >
> > >The virus-infected messages and the spam messages are separate. They
> > >are all caused by the same thing, but don't expect all this mail to
> > >be virus-infected, it's not.
> > >--
> > >Julian Field
> > >www.MailScanner.info
> > >MailScanner thanks transtec Computers for their support
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
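
The ordering problem discussed in this thread, as an added sketch that is not MailScanner code and not part of the original messages. The function names, the spam threshold and the sample messages are assumptions made for illustration; only the 5.9 score and the Sobig.F name come from the thread.

```python
from dataclasses import dataclass
from typing import Optional

SILENT_VIRUSES = {"Sobig.F"}  # viruses that forge the sender: never notify
SPAM_THRESHOLD = 5.0          # assumed threshold, not taken from the thread

@dataclass
class Message:
    sender: str               # envelope sender (forged in Sobig mail)
    spam_score: float
    virus: Optional[str]      # what a virus scan would report, None if clean

def virus_actions(msg):
    # Quarantine any infected message; notify the sender only for non-silent viruses.
    if msg.virus is None:
        return []
    actions = [("quarantine", None)]
    if msg.virus not in SILENT_VIRUSES:
        actions.append(("virus-notice", msg.sender))
    return actions

def spam_first(msg):
    # The spam action is decided before any virus result exists.
    if msg.spam_score >= SPAM_THRESHOLD:
        return [("spam-notice", msg.sender)]
    return virus_actions(msg) or [("deliver", None)]

def virus_first(msg):
    # The virus result is known first, so a silent virus can veto the spam notice.
    found = virus_actions(msg)
    if found:
        return found
    if msg.spam_score >= SPAM_THRESHOLD:
        return [("spam-notice", msg.sender)]
    return [("deliver", None)]

def notified(pipeline, messages):
    """Addresses that receive any notice under the given ordering."""
    return [to for m in messages for _kind, to in pipeline(m) if to is not None]

# Constructed sample traffic; 5.9 is the spam score quoted in the thread.
SAMPLE = [
    Message("forged-a@example.org", 5.9, "Sobig.F"),  # Sobig body with attachment
    Message("forged-b@example.org", 5.9, None),       # Sobig body, no attachment
    Message("colleague@example.org", 0.3, None),      # ordinary mail
]

if __name__ == "__main__":
    print("spam first :", notified(spam_first, SAMPLE))
    print("virus first:", notified(virus_first, SAMPLE))
```

Scanning for viruses first silences the notice for the infected copy, but the attachment-less copy carries no virus to detect and still produces a spam notice to the forged sender under either ordering.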