Mydoom Virus getting Through - High Spam
Randal, Phil
prandal at HEREFORDSHIRE.GOV.UK
Fri Feb 13 10:53:54 GMT 2004
Then suddenly a new exploit with a hitherto considered safe filetype appears.
Boom!
Virus scan everything first, then do the other checks.
Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Kai Schaetzl
> Sent: 12 February 2004 21:32
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Mydoom Virus getting Through - High Spam
>
>
> Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000:
>
> > You can't trust anything that is in any header.
> >
>
> I see what you mean. But I guess there is some way to handle this. But even without a second scanning I think it's worthwhile to consider adding such an option.
>
> What I was thinking is: why handle the extra load if I already know that a message contains a virus or a filetype I want to block? At the moment all viruses are scanned for spam as well which looks like a waste of time for me.
> I suppose just determining the file type would be the fastest check, then maybe virus scanning and then spam scanning. If we get an .exe file we don't care to know which virus it is or if the tweaked SA rules would have caught it as well. Just stopping and quarantining is enough. Doing something like this could lower the load considerably I think.
>
> I'm not sure what "Blocked File" does, does the quarantining of viruses apply to it as well? Is there a particular order MailScanner carries out the actions?
>
> At least at the moment I think it would be a good idea if I could tell it to scan in this order:
>
> - filetype/extension detection
> - virus detection
> - spam detection
>
> and if any of them is true quarantine (or whatever action I have set) it and stop scanning.
>
> Maybe, if I could do this it would turn out as not too effective and I would stop using it soon. I don't know.
> But I can't try it out or can I?
>
>
> Kai
>
> --
>
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
> IE-Center: http://ie5.de & http://msie.winware.org
>