Mydoom Virus getting Through - High Spam

Plant, Dean dean.plant at ROKE.CO.UK
Fri Feb 13 14:58:27 GMT 2004

We don't suffer from this problem as we forward all high scoring spam to an
Exchange folder. This way all mail has passed through virus checking, giving
correct statistics.


-----Original Message-----
From: Randal, Phil [mailto:prandal at HEREFORDSHIRE.GOV.UK]
Sent: 13 February 2004 10:57
Subject: Re: Mydoom Virus getting Through - High Spam

There'll be some pointy-haired boss somewhere who demands statistics about
numbers of viruses blocked.  Telling them "we can't tell you, most viruses
are marked as spam" doesn't go down too well, alas.


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: 12 February 2004 21:47
> Subject: Re: Mydoom Virus getting Through - High Spam
> At 21:31 12/02/2004, you wrote:
> >Julian Field wrote on Thu, 12 Feb 2004 18:19:33 +0000:
> >
> > > You can't trust anything that is in any header.
> > >
> >
> >I see what you mean. But I guess there is some way to handle this. But
> >even without a second scanning I think it's worthwhile to consider adding
> >such an option.
> >
> >What I was thinking is: why handle the extra load if I already know that a
> >message contains a virus or a filetype I want to block? At the moment all
> >viruses are scanned for spam as well which looks like a waste of time for
> >me.
> >I suppose just determining the file type would be the fastest check, then
> >maybe virus scanning and then spam scanning. If we get an .exe file we
> >don't care to know which virus it is or if the tweaked SA rules would have
> >caught it as well.
> But if it contains a harmless exe and a doc, you want to let the doc
> through so long as it isn't infected. So you still have to virus scan the
> message.
> >  Just stopping and quarantining is enough. Doing
> >something like this could lower the load considerably I think.
> >
> >At least at the moment I think it would be a good idea if I could tell it
> >to scan in this order:
> >
> >- filetype/extension detection
> >- virus detection
> >- spam detection
> I am looking at being able to switch virus+filetype with spam. It's not
> trivial. During normal times (i.e. not during big virus attacks) you get
> far more spam than viruses, so you want to throw away the spam first.
> During big virus attacks you want to be able to throw away the viruses first.
> So it needs to be switchable.
> --
> Julian Field
> Professional Support Services at
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
