Mydoom Virus getting Through - High Spam

Julian Field mailscanner at ecs.soton.ac.uk
Thu Feb 12 21:47:17 GMT 2004


At 21:31 12/02/2004, you wrote:
>Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000:
>
> > You can't trust anything that is in any header.
> >
>
>I see what you mean. But I guess there is some way to handle this. But
>even without a second scanning I think it's worthwhile to consider adding
>such an option.
>
>What I was thinking is: why handle the extra load if I already know that a
>message contains a virus or a filetype I want to block? At the moment all
>viruses are scanned for spam as well which looks like a waste of time for
>me.
>I suppose just determining the file type would be the fastest check, then
>maybe virus scanning and then spam scanning. If we get an .exe file we
>don't care to know which virus it is or if the tweaked SA rules would have
>caught it as well.

But if it contains a harmless exe and a doc, you want to let the doc
through so long as it isn't infected. So you still have to virus scan the
message.

>  Just stopping and quarantining is enough. Doing
>something like this could lower the load considerably I think.
>
>At least at the moment I think it would be a good idea if I could tell it
>to scan in this order:
>
>- filetype/extension detection
>- virus detection
>- spam detection

I am looking at being able to switch virus+filetype with spam. It's not
trivial. During normal times (i.e. not during big virus attacks) you get
far more spam than viruses, so you want to throw away the spam first.
During big virus attacks you want to be able to throw away the viruses first.
So it needs to be switchable.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
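
Added example, not part of the original post and not MailScanner code: a minimal Python sketch of the switchable ordering discussed above, where a blocked filetype is stripped but the rest of the message is still virus scanned. The check functions, marker strings, blocked-extension list and order names are all assumptions made for illustration.

```python
import os
from dataclasses import dataclass, field

BLOCKED_EXT = {".exe", ".pif", ".scr"}      # assumed site policy
VIRUS_MARK = b"CONSTRUCTED-VIRUS-MARKER"    # stand-in for a real signature
SPAM_MARK = "CONSTRUCTED-SPAM-PHRASE"       # stand-in for a spam engine

@dataclass
class Message:
    body: str
    attachments: dict                       # filename -> bytes
    ran: list = field(default_factory=list) # checks that actually executed

def filetype_check(msg):
    # Strips blocked attachments but never ends the scan on its own:
    # the remaining attachments (e.g. a .doc) still need virus scanning.
    msg.ran.append("filetype")
    for name in list(msg.attachments):
        if os.path.splitext(name)[1].lower() in BLOCKED_EXT:
            del msg.attachments[name]
    return None

def virus_check(msg):
    msg.ran.append("virus")
    infected = any(VIRUS_MARK in data for data in msg.attachments.values())
    return "quarantine" if infected else None

def spam_check(msg):
    msg.ran.append("spam")
    return "discard" if SPAM_MARK in msg.body else None

ORDERS = {
    "virus_first": (filetype_check, virus_check, spam_check),
    "spam_first": (spam_check, filetype_check, virus_check),
}

def scan(msg, order):
    # Stop at the first check that returns a final verdict.
    for check in ORDERS[order]:
        verdict = check(msg)
        if verdict:
            return verdict
    return "deliver"

if __name__ == "__main__":
    m = Message("hello", {"tool.exe": b"MZ", "report.doc": b"text " + VIRUS_MARK})
    print(scan(m, "virus_first"), m.ran)
```

The `ran` list records which checks executed, so the work saved by each ordering can be compared for a given mix of spam and infected mail.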


