Sobig getting tagged as spam not virus

John Rudd jrudd at UCSC.EDU
Fri Aug 22 16:36:54 IST 2003


IMO, the best order would be:

filename checks (lowest cost)
virus checks (seems to be a lower cost than spam checking)
spam checks

But I don't know where the filename checks fit into the mix right now.
(I was contemplating, earlier today, blocking all attachments to see if
that would help speed things up).




On Friday, Aug 22, 2003, at 01:23 US/Pacific, Julian Field wrote:

>
> Unfortunately, as the spam checking is done first, you can't put a virus
> name in the ruleset deciding the spam actions :-(
>
> I need to take a look at this area and have a good think about it, which
> won't happen right now as I can't even keep up with my incoming mail, let
> alone stop and think about anything.
>
> Sounds like it would be a good idea to do the virus scanning first, then
> the spam scanning. This would mean that everything would be virus-scanned,
> even spam that was then deleted. But the cost of virus scanning extra files
> is a lot lower than the cost of spam scanning extra files, which wasn't the
> case when I first started writing MailScanner.
>
> I'll try to find time this weekend to work on it, once I have sat and
> thought about it for a couple of hours it might turn out to be a trivial
> change, but I need to be *very* careful in this area.
>
> At 02:58 22/08/2003, you wrote:
>> I am very pleased that my site is not one of those spewing forth 'your
>> computer may be infected with the Sobig.F virus' reports, all due to
>> Julian's 'Silent Virus' feature. It works fine...
>>
>> But, it would appear from the comments below, and also first hand
>> observation, that a number of the Sobig emails are also getting caught by
>> MS/SA as spam. These emails are generating 'you sent us spam' reports back
>> to the sender, and of course that sender was forged by the virus.
>>
>> I am getting complaints from some sites that my MS system is hammering
>> them with rejection notices. Not 'virus infected' notices, but rather 'you
>> sent spam' notices. They are treating me like an idiot "Don't you know
>> Sobig fakes the senders address? STOP sending us these notices NOW!" kind
>> of messages.
>>
>> Being the recipient of many of these virus warnings from sites without a
>> 'Silent Virus' feature, I can understand the frustration of those yelling
>> at me.
>>
>> Does anyone have a solution to this problem? Some means to recognize a
>> spam as being sent by a silent virus, such as Sobig, and not in turn
>> sending a spam rejection notice?
>>
>> Thanks!
>> -Alan
>>
>> >> >Mail with the Sobig.F message body is coming in with and without an
>> >> >attachment, therefore we get {SPAM?} or  {VIRUS?} tagged e-mail. The score
>> >> >for the spam messages is the same 5.9.
>>
>> >>If a message contains a silent virus but also registers as spam, would it
>> >>be delivered? (seems so in this case)
>> >
>>
>>
>>
>> >The virus-infected messages and the spam messages are separate. They are
>> >all caused by the same thing, but don't expect all this mail to be
>> >virus-infected, it's not.
>> >--
>> >Julian Field
>> >www.MailScanner.info
>> >MailScanner thanks transtec Computers for their support
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support


