Sobig getting tagged as spam not virus

Chris Trudeau chris at TRUDEAU.ORG
Fri Aug 22 16:48:27 IST 2003


John,

I think from a resource perspective you are right, but depending on the MTA
being used, if you were to release a message from quarantine that was placed
there because of a filename violation, it would never be scanned by the
AV...right?

Maybe I'm missing something.

CT


----- Original Message -----
From: "John Rudd" <jrudd at UCSC.EDU>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Friday, August 22, 2003 11:36 AM
Subject: Re: Sobig getting tagged as spam not virus


> IMO, the best order would be:
>
> filename checks (lowest cost)
> virus checks (seems to be a lower cost than spam checking)
> spam checks
>
> But I don't know where the filename checks fit into the mix right now.
> (I was contemplating, earlier today, blocking all attachments to see if
> that would help speed things up).
>
>
>
>
> On Friday, Aug 22, 2003, at 01:23 US/Pacific, Julian Field wrote:
>
> >
> > Unfortunately, as the spam checking is done first, you can't put a virus
> > name in the ruleset deciding the spam actions :-(
> >
> > I need to take a look at this area and have a good think about it, which
> > won't happen right now as I can't even keep up with my incoming mail, let
> > alone stop and think about anything.
> >
> > Sounds like it would be a good idea to do the virus scanning first, then
> > the spam scanning. This would mean that everything would be virus-scanned,
> > even spam that was then deleted. But the cost of virus scanning extra files
> > is a lot lower than the cost of spam scanning extra files, which wasn't the
> > case when I first started writing MailScanner.
> >
> > I'll try to find time this weekend to work on it, once I have sat and
> > thought about it for a couple of hours it might turn out to be trivial
> > change, but I need to be *very* careful in this area.
> >
> > At 02:58 22/08/2003, you wrote:
> >> I am very pleased that my site is not one of those spewing forth 'your
> >> computer may be infected with the Sobig.F virus' reports, all due to
> >> Julian's 'Silent Virus' feature. It works fine...
> >>
> >> But, it would appear from the comments below, and also first hand
> >> observation, that a number of the Sobig emails are also getting caught by
> >> MS/SA as spam. These emails are generating 'you sent us spam' reports back
> >> to the sender, and of course that sender was forged by the virus.
> >>
> >> I am getting complaints from some sites that my MS system is hammering
> >> them with rejection notices. Not 'virus infected' notices, but rather 'you
> >> sent spam' notices. They are treating me like an idiot "Don't you know
> >> Sobig fakes the senders address? STOP sending us these notices NOW!" kind
> >> of messages.
> >>
> >> Being the recipient of many of these virus warnings from sites without a
> >> 'Silent Virus' feature, I can understand the frustration of those yelling
> >> at me.
> >>
> >> Does anyone have a solution to this problem? Some means to recognize a
> >> spam as being sent by a silent virus, such as Sobig, and not in turn
> >> sending a spam rejection notice?
> >>
> >> Thanks!
> >> -Alan
> >>
> >> >> >Mail with the Sobig.F message body is coming in with and without an
> >> >> >attachment, therefore we get {SPAM?} or {VIRUS?} tagged e-mail. The
> >> >> >score for the spam messages is the same 5.9.
> >>
> >> >>If a message contains a silent virus but also registers as spam, would it
> >> >>be delivered? (seems so in this case)
> >> >
> >>
> >> >The virus-infected messages and the spam messages are separate. They are
> >> >all caused by the same thing, but don't expect all this mail to be
> >> >virus-infected, it's not.
> >> >--
> >> >Julian Field
> >> >www.MailScanner.info
> >> >MailScanner thanks transtec Computers for their support
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support


