Mydoom Virus getting Through - High Spam

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Fri Feb 13 10:56:54 GMT 2004


There'll be some pointy-haired boss somewhere who demands statistics about
numbers of viruses blocked.  Telling them "we can't tell you, most viruses
are marked as spam" doesn't go down too well, alas.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 12 February 2004 21:47
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Mydoom Virus getting Through - High Spam
>
>
> At 21:31 12/02/2004, you wrote:
> >Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000:
> >
> > > You can't trust anything that is in any header.
> > >
> >
> >I see what you mean. But I guess there is some way to handle this. But
> >even without a second scanning I think it's worthwhile to consider adding
> >such an option.
> >
> >What I was thinking is: why handle the extra load if I already know that a
> >message contains a virus or a filetype I want to block? At the moment all
> >viruses are scanned for spam as well which looks like a waste of time for
> >me.
> >I suppose just determining the file type would be the fastest check, then
> >maybe virus scanning and then spam scanning. If we get an .exe file we
> >don't care to know which virus it is or if the tweaked SA rules would have
> >caught it as well.
>
> But if it contains a harmless exe and a doc, you want to let the doc
> through so long as it isn't infected. So you still have to virus scan the
> message.
>
> >  Just stopping and quarantining is enough. Doing
> >something like this could lower the load considerably I think.
> >
> >At least at the moment I think it would be a good idea if I could tell it
> >to scan in this order:
> >
> >- filetype/extension detection
> >- virus detection
> >- spam detection
>
> I am looking at being able to switch virus+filetype with spam. It's not
> trivial. During normal times (i.e. not during big virus attacks) you get
> far more spam than viruses, so you want to throw away the spam first.
> During big virus attacks you want to be able to throw away the viruses first.
> So it needs to be switchable.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
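
Added example, not part of the original posts and not MailScanner code: a small model of the switchable ordering discussed in this thread, showing how check order changes both the scanning load and which category a worm message is counted under. The per-check costs, the traffic mixes and every name below are constructed assumptions.

```python
from collections import Counter

# Constructed relative cost of each check (assumption, not a measurement).
COST = {"virus+filetype": 10, "spam": 30}

def hit(stage, msg):
    """True when the given stage would stop this message."""
    return msg["infected"] if stage == "virus+filetype" else msg["spammy"]

def run(messages, order):
    """Apply stages in order, stopping at the first hit.

    Returns (total cost, Counter of the stage credited with each message).
    """
    cost, verdicts = 0, Counter()
    for msg in messages:
        verdict = "clean"
        for stage in order:
            cost += COST[stage]
            if hit(stage, msg):
                verdict = stage
                break
        verdicts[verdict] += 1
    return cost, verdicts

def traffic(n_spam, n_worm, n_clean):
    """Constructed mix; worm mail is infected and also scores as spam."""
    spam = [{"infected": False, "spammy": True}] * n_spam
    worm = [{"infected": True, "spammy": True}] * n_worm
    clean = [{"infected": False, "spammy": False}] * n_clean
    return spam + worm + clean

SPAM_FIRST = ("spam", "virus+filetype")
VIRUS_FIRST = ("virus+filetype", "spam")
NORMAL = traffic(n_spam=80, n_worm=2, n_clean=18)     # constructed
OUTBREAK = traffic(n_spam=20, n_worm=70, n_clean=10)  # constructed

if __name__ == "__main__":
    for name, mix in (("normal", NORMAL), ("outbreak", OUTBREAK)):
        for order in (SPAM_FIRST, VIRUS_FIRST):
            cost, verdicts = run(mix, order)
            print(f"{name:8} {order[0]:14} first: cost={cost} {dict(verdicts)}")
```

With spam first, every worm message is credited to the spam check, so the count of viruses blocked reads zero even during the outbreak mix.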


