Sobig getting tagged as spam not virus

Julian Field mailscanner at ecs.soton.ac.uk
Fri Aug 22 17:00:22 IST 2003


The files put in the quarantine are the original untouched messages+files.
It's up to you to be careful with your quarantine. Remember it's full of
viruses...

At 16:48 22/08/2003, you wrote:
>John,
>
>I think from a resource perspective you are right, but depending on the MTA
>being used, if you were to release a message from quarantine that was placed
>there because of a filename violation, it would never be scanned by the
>AV...right?
>
>Maybe I'm missing something.
>
>CT
>
>
>----- Original Message -----
>From: "John Rudd" <jrudd at UCSC.EDU>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Friday, August 22, 2003 11:36 AM
>Subject: Re: Sobig getting tagged as spam not virus
>
>
> > IMO, the best order would be:
> >
> > filename checks (lowest cost)
> > virus checks (seems to be a lower cost than spam checking)
> > spam checks
> >
> > But I don't know where the filename checks fit into the mix right now.
> > (I was contemplating, earlier today, blocking all attachments to see if
> > that would help speed things up).
> >
> >
> >
> >
> > On Friday, Aug 22, 2003, at 01:23 US/Pacific, Julian Field wrote:
> >
> > >
> > > Unfortunately, as the spam checking is done first, you can't put a
> > > virus
> > > name in the ruleset deciding the spam actions :-(
> > >
> > > I need to take a look at this area and have a good think about it,
> > > which
> > > won't happen right now as I can't even keep up with my incoming mail,
> > > let
> > > alone stop and think about anything.
> > >
> > > Sounds like it would be a good idea to do the virus scanning first,
> > > then
> > > the spam scanning. This would mean that everything would be
> > > virus-scanned,
> > > even spam that was then deleted. But the cost of virus scanning extra
> > > files
> > > is a lot lower than the cost of spam scanning extra files, which
> > > wasn't the
> > > case when I first started writing MailScanner.
> > >
> > > I'll try to find time this weekend to work on it, once I have sat and
> > > thought about it for a couple of hours it might turn out to be trivial
> > > change, but I need to be *very* careful in this area.
> > >
> > > At 02:58 22/08/2003, you wrote:
> > >> I am very pleased that my site is not one of those spewing forth 'your
> > >> computer may be infected with the Sobig.F virus' reports, all due to
> > >> Julian's 'Silent Virus' feature. It works fine...
> > >>
> > >> But, it would appear from the comments below, and also first hand
> > >> observation, that a number of the Sobig emails are also getting
> > >> caught by
> > >> MS/SA as spam. These emails are generating 'you sent us spam' reports
> > >> back
> > >> to the sender, and of course that sender was forged by the virus.
> > >>
> > >> I am getting complaints from some sites that my MS system is hammering
> > >> them with rejection notices. Not 'virus infected' notices, but rather
> > >> 'you
> > >> sent spam' notices. They are treating me like an idiot "Don't you know
> > >> Sobig fakes the sender's address? STOP sending us these notices NOW!"
> > >> kind
> > >> of messages.
> > >>
> > >> Being the recipient of many of these virus warnings from sites
> > >> without a
> > >> 'Silent Virus' feature, I can understand the frustration of those
> > >> yelling
> > >> at me.
> > >>
> > >> Does anyone have a solution to this problem? Some means to recognize a
> > >> spam as being sent by a silent virus, such as Sobig, and not in turn
> > >> sending a spam rejection notice?
> > >>
> > >> Thanks!
> > >> -Alan
> > >>
> > >> >> >Mail with the Sobig.F message body is coming in with and without
> > >> an
> > >> >> >attachment, therefore we get {SPAM?} or {VIRUS?} tagged e-mail.
> > >> The
> > >> score
> > >> >> >for the spam messages is the same 5.9.
> > >>
> > >> >>If a message contains a silent virus but also registers as spam,
> > >> would it
> > >> >>be delivered? (seems so in this case)
> > >> >
> > >>
> > >>
> > >>
> > >> >The virus-infected messages and the spam messages are separate. They
> > >> are
> > >> >all caused by the same thing, but don't expect all this mail to be
> > >> >virus-infected, it's not.
> > >> >--
> > >> >Julian Field
> > >> >www.MailScanner.info
> > >> >MailScanner thanks transtec Computers for their support
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
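The thread argues about two things: the order in which the checks should run (cheap filename rules, then the virus scan, then the expensive spam check) and the backscatter problem, where a spam report goes back to a sender address that a worm such as Sobig forged. The following is an added illustration of that policy written for this archive page; it is not MailScanner code, and the rule tables, the toy signature lookup standing in for a real AV engine, the attachment names and the spam scores are all constructed assumptions.

```python
# Added illustration of scan ordering and "silent virus" notification policy.
# Not MailScanner code: policy tables, the toy scanner and all sample data are
# assumptions constructed for this example.
from dataclasses import dataclass

# Hypothetical policy tables (constructed for the example).
BANNED_EXTENSIONS = (".pif", ".scr")   # cheap filename rules, checked first
SILENT_VIRUSES = {"Sobig"}             # families that forge From:; never notify the sender
SPAM_THRESHOLD = 5.0                   # score at or above which a message counts as spam


@dataclass
class Message:
    sender: str
    attachments: list      # attachment filenames
    spam_score: float      # score the spam checker would assign (stubbed as data)


@dataclass
class Verdict:
    stages_run: list       # checks that actually executed, in order
    filename_hits: list    # attachments that tripped a filename rule
    virus: str             # virus name, or '' when clean
    is_spam: bool
    notify_sender: bool    # would a report go back to the (possibly forged) sender?


def toy_virus_scan(attachments):
    """Stand-in for a real AV engine: a constructed signature table keyed on filename."""
    signatures = {"your_details.pif": "Sobig.F", "invoice.scr": "FakeVirus.A"}  # constructed
    for name in attachments:
        if name in signatures:
            return signatures[name]
    return ""


def is_silent(virus_name):
    """True when the virus family is one whose sender address is known to be forged."""
    family = virus_name.split(".")[0]
    return family in SILENT_VIRUSES


def scan(msg, virus_scan=toy_virus_scan):
    stages = []

    # 1. Filename checks: cheapest, always run.
    stages.append("filename")
    hits = [a for a in msg.attachments if a.lower().endswith(BANNED_EXTENSIONS)]

    # 2. Virus check: cheaper than the spam check, so it always runs too. Running
    #    it even when a filename rule already fired means a message that ends up
    #    in quarantine still has its virus name recorded.
    stages.append("virus")
    virus = virus_scan(msg.attachments)

    # 3. Spam check: the expensive one, skipped when a cheaper stage already
    #    condemned the message.
    is_spam = False
    if not hits and not virus:
        stages.append("spam")
        is_spam = msg.spam_score >= SPAM_THRESHOLD

    # Notification policy: a silent virus means the sender address is forged,
    # so nothing goes back to it; spam reports are sent only when no other
    # check fired.
    if virus:
        notify = not is_silent(virus)
    elif hits:
        notify = True
    else:
        notify = is_spam

    return Verdict(stages, hits, virus, is_spam, notify)


if __name__ == "__main__":
    worm = Message("forged@example.com", ["your_details.pif"], 5.9)   # constructed
    print(scan(worm))
```

With the worm-like message, the filename rule and the toy scanner both fire, the spam stage is never reached, and `notify_sender` is False even though the spam score would have crossed the threshold. A body-only message that scores 5.9 still goes through the spam stage and would be reported, which matches Julian's point that the attachment-less Sobig mail is spam, not a virus, as far as the scanner can tell.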