Mydoom Virus getting Through - High Spam

Kai Schaetzl maillists at CONACTIVE.COM
Fri Feb 13 15:31:43 GMT 2004

Phil Randal wrote on         Fri, 13 Feb 2004 14:18:32 -0000:

> I did say "a hitherto considered safe" filetype, i.e, one you let through.

But there is no file type I "let thru". There are only file types I do NOT let
thru. Any non-blocked file makes it to the virus scan.

> Call me paranoid if you like, but I don't like the idea of having
> virus-infected files sitting in quarantine without MailScanner telling me
> that they are infected.

I can perfectly understand this. However, others like me won't mind.

> It's an accident waiting to happen.
> Agreed, it's a small window of opportunity, but under pressure human error
> occurs.

That's why I thought it might be useful to start scanning a released email
with the next "stage". This would prevent the small chance of a user releasing
a blocked file type which contains a virus from happening. However, if that is
painful to implement I'm quite happy without it. But just allowing MS to stop
scanning if a match occurs shouldn't be that difficult I assume. If Julian
doesn't like the idea he won't put it in, anyway ;-)

> > Back to your original question I hooked on: I see high-scoring spam marked
> > as containing a virus as well, so there must be something different in
> your
> > setup if it doesn't work for you.
> High Scoring Spam Actions = store delete

Ah, we just have "store". This implies that MS first does the spam scan and
then already discards the mail. Maybe you could direct high scoring spam with
some rules in a different quarantine directory and remove the "delete"? If
that is possible you could then run a deletion script from cron.



Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services:
IE-Center: &

More information about the MailScanner mailing list