Any Ideas on these rules

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Fri Sep 5 15:35:36 IST 2003


On Friday 05 September 2003 3:24 pm, Shortt, Kevin wrote:

> > header   __SOBIG_X      X-MailScanner =~ /Found to be clean/
> >
> > Please don't create an SA rule to label emails which have been scanned by
> > MailScanner (in its default configuration) as spam.
> >
> > PLEASE do not post anything like this to the SA mailing list - people
> > will use it without understanding the significance of what they are
> > using.
>
> It's not a default config. It happens to be a characteristic of the virus
> that was propagated and as the rule is written only matches such messages.

No, what I meant by "default config" was that this header is exactly what
gets added to emails which have been scanned by a default MailScanner
installation.

Therefore this particular rule will match perfectly innocent messages long
after Sobig has disappeared over the horizon.

I was merely saying that I do not think it is a good idea to encourage people
to even think about matching on a part of the Sobig emails which will cause a
high false positive rate if applied to other emails.   I agree that in
combination with your other rules this becomes less likely, but please use
the other rules to achieve that without including this one.

> One can not presume the knowledge level (or lack of) when asking a
> question. A question is asked and directed at the people that have the
> knowledge. If someone uses the information incorrectly that is no one's
> fault but their own. I thought that was what the internet was about.

If this means you think I was suggesting that you don't know what you're
doing, then I never meant to say that.   I was trying to say "please don't
post a suggestion that SA should match on the MailScanner header in a bid
towards identifying a message as spam", because people who don't know that it
matches perfectly innocent MailScanner-scanned messages as well as the Sobig
ones will end up blocking good email as a result.   There's no need to
include this header in the rule, so I think it should not be advocated as a
way to identify spam.

If that wasn't what you meant then please ignore the above.

Regards,

Antony.

--

It suddenly dawns on the observer that there is no end to the creativity that
these mindless hackers can come up with.

 - Kevin Kelly, Out of Control
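The false positive Antony describes can be shown concretely. What follows is an added example, not code from the thread, from SpamAssassin or from MailScanner: a minimal evaluator for a SpamAssassin `header NAME Header =~ /regex/` line, applied to three constructed messages. The first rule is the `__SOBIG_X` line quoted above; the second, `__SOBIG_ATTACH`, is a hypothetical stand-in for the "other rules" Kevin mentions and is not a rule from the thread. The message bodies, addresses and attachment name are all made up for the example; the only thing that matters to `__SOBIG_X` is the `X-MailScanner: Found to be clean` header, which a default MailScanner installation adds to every message it passes and which, according to the thread, the worm's mails also carried.

```python
import re
from email import message_from_string

# Rule quoted in the thread (posted by Kevin Shortt), verbatim.
SOBIG_RULE_LINE = "header   __SOBIG_X      X-MailScanner =~ /Found to be clean/"

# Hypothetical second sub-rule, NOT from the thread: a stand-in for the
# "other rules" that look at something worm-specific (here an executable
# attachment name). Real 2003 Sobig rules are not reproduced here.
ATTACH_RULE_LINE = r"header   __SOBIG_ATTACH  Content-Type =~ /name=.*\.(?:pif|scr)/i"

# Accepts only the 'header NAME Header =~ /regex/[i]' form used above.
RULE_RE = re.compile(
    r"^header\s+(?P<name>\S+)\s+(?P<header>[\w-]+)\s*=~\s*/(?P<pattern>.*)/(?P<flags>i?)\s*$"
)


def parse_header_rule(line):
    """Parse one SpamAssassin header rule line into (name, header, compiled regex).

    SpamAssassin's real parser accepts far more (ALL, :addr, :name, exists:,
    meta rules, scores, ...); this toy handles just the subset in this thread.
    """
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    flags = re.IGNORECASE if m.group("flags") == "i" else 0
    return m.group("name"), m.group("header"), re.compile(m.group("pattern"), flags)


def rule_hits(rule, raw_message):
    """True if the rule's regex matches any instance of its header."""
    _name, header, pattern = rule
    msg = message_from_string(raw_message)
    return any(pattern.search(value) for value in msg.get_all(header, []))


def hits_for(raw_message, rules):
    """Names of every sub-rule that fires on the message."""
    return {rule[0] for rule in rules if rule_hits(rule, raw_message)}


def meta_and(hits, required):
    """Emulate 'meta SOBIG (__A && __B)': all required sub-rules must fire."""
    return all(name in hits for name in required)


# Constructed stand-in for a worm message. Per the thread, the worm's mails
# carried the MailScanner header; the attachment name is invented.
WORM_MESSAGE = """\
From: someone@example.com
To: victim@example.org
Subject: Re: Details
Content-Type: application/octet-stream; name="details.pif"
X-MailScanner: Found to be clean

See the attached file for details.
"""

# Constructed ordinary message that merely passed through a default
# MailScanner installation, which adds exactly the same header.
CLEAN_MESSAGE = """\
From: alice@example.com
To: bob@example.org
Subject: Minutes from Friday's meeting
Content-Type: text/plain; charset=us-ascii
X-MailScanner: Found to be clean

Hi Bob, the minutes are on the wiki.  Alice
"""

# Constructed message that never passed through MailScanner at all.
UNSCANNED_MESSAGE = """\
From: carol@example.net
To: bob@example.org
Subject: Lunch?

Noon at the usual place?
"""

RULES = [parse_header_rule(SOBIG_RULE_LINE), parse_header_rule(ATTACH_RULE_LINE)]
REQUIRED = ["__SOBIG_X", "__SOBIG_ATTACH"]


def classify(raw_message):
    """Return (set of sub-rule hits, whether the combined meta rule fires)."""
    hits = hits_for(raw_message, RULES)
    return hits, meta_and(hits, REQUIRED)


if __name__ == "__main__":
    samples = [("worm", WORM_MESSAGE), ("clean", CLEAN_MESSAGE), ("unscanned", UNSCANNED_MESSAGE)]
    for label, raw in samples:
        hits, flagged = classify(raw)
        print("%-9s __SOBIG_X alone: %-5s  combined meta: %s"
              % (label, "__SOBIG_X" in hits, flagged))
```

Run on its own, the script shows `__SOBIG_X` firing on both the worm sample and the perfectly ordinary scanned message, and only the unscanned message escaping it; the combined meta rule fires on the worm sample alone. That is Antony's point: the MailScanner header contributes nothing that the worm-specific rules do not already supply, while on its own it flags every message a default MailScanner has handled.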
