Mydoom Virus getting Through - High Spam

Kai Schaetzl maillists at CONACTIVE.COM
Thu Feb 12 21:31:30 GMT 2004


Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000:

> You can't trust anything that is in any header.
>

I see what you mean. But I guess there is some way to handle this. But 
even without a second scanning I think it's worthwhile to consider adding 
such an option.

What I was thinking is: why handle the extra load if I already know that a
message contains a virus or a filetype I want to block? At the moment all
viruses are scanned for spam as well, which looks like a waste of time to
me.
I suppose just determining the file type would be the fastest check, then 
maybe virus scanning and then spam scanning. If we get an .exe file we 
don't care to know which virus it is or if the tweaked SA rules would have 
caught it as well. Just stopping and quarantining is enough. Doing 
something like this could lower the load considerably I think.

I'm not sure what "Blocked File" does; does the quarantining of viruses
apply to it as well? Is there a particular order in which MailScanner
carries out the actions?

At least at the moment I think it would be a good idea if I could tell it 
to scan in this order:

- filetype/extension detection
- virus detection
- spam detection

and if any of them is true, quarantine it (or whatever action I have set)
and stop scanning.

Maybe, if I could do this, it would turn out not to be too effective and I
would stop using it soon. I don't know.
But I can't try it out, or can I?


Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
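
The scan order proposed in the message above (file type, then virus, then spam, stopping at the first hit), as an added example that is not part of the original post and is not MailScanner code. All names, the block list, the hash "signature" and the keyword weights are assumptions standing in for MailScanner's file-type rules, a virus scanner and SpamAssassin.

```python
import hashlib
from email.message import EmailMessage

# All values below are constructed stand-ins, not MailScanner configuration.
BLOCKED_EXT = (".exe", ".pif", ".scr")
KNOWN_BAD = {hashlib.sha256(b"constructed-bad-payload").hexdigest()}
SPAM_WORDS = {"viagra": 3.0, "lottery": 2.5}
SPAM_THRESHOLD = 5.0

def attachments(msg):
    for part in msg.walk():
        if part.get_filename():
            yield part.get_filename(), part.get_payload(decode=True) or b""

def check_filetype(msg):
    # Filename is sender-controlled, so also test the leading bytes ("MZ" = DOS/Windows executable).
    for name, data in attachments(msg):
        if name.lower().endswith(BLOCKED_EXT) or data[:2] == b"MZ":
            return f"blocked file {name}"

def check_virus(msg):  # stand-in for a real scanner: hash lookup only
    for name, data in attachments(msg):
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD:
            return f"known-bad attachment {name}"

def check_spam(msg):  # stand-in for SpamAssassin: keyword weights
    text = msg.get_body(preferencelist=("plain",)).get_content().lower()
    score = sum(w for word, w in SPAM_WORDS.items() if word in text)
    return f"spam score {score}" if score >= SPAM_THRESHOLD else None

STAGES = [("filetype", check_filetype), ("virus", check_virus), ("spam", check_spam)]

def scan(msg):
    """Run stages cheapest-first; stop at the first hit. Returns (stage, verdict, stages_run)."""
    ran = []
    for stage, check in STAGES:
        ran.append(stage)
        verdict = check(msg)
        if verdict:
            return stage, verdict, ran
    return None, None, ran

def make_msg(text, attachment=None):  # builds constructed sample mail
    msg = EmailMessage()
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

The third element of the result shows which stages actually ran, so the saved work per message is visible; the cost of stopping early is that a blocked .exe is never given a virus name or a spam score.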