Mydoom Virus getting Through - High Spam
maillists at CONACTIVE.COM
Fri Feb 13 15:31:43 GMT 2004
Phil Randal wrote on Fri, 13 Feb 2004 14:18:32 -0000:
> I did say "a hitherto considered safe" filetype, i.e, one you let through.
But there is no file type I "let thru". There are only file types I do NOT let
thru. Any non-blocked file makes it to the virus scan.
> Call me paranoid if you like, but I don't like the idea of having
> virus-infected files sitting in quarantine without MailScanner telling me
> that they are infected.
I can perfectly understand this. However, others like me won't mind.
> It's an accident waiting to happen.
> Agreed, it's a small window of opportunity, but under pressure human error
That's why I thought it might be useful to start scanning a released email
with the next "stage". This would prevent the small chance of a user releasing
a blocked file type which contains a virus from happening. However, if that is
painful to implement I'm quite happy without it. But just allowing MS to stop
scanning if a match occurs shouldn't be that difficult I assume. If Julian
doesn't like the idea he won't put it in, anyway ;-)
> > Back to your original question I hooked on: I see high-scoring spam marked
> > as containing a virus as well, so there must be something different in
> > setup if it doesn't work for you.
> High Scoring Spam Actions = store delete
Ah, we just have "store". This implies that MS first does the spam scan and
then already discards the mail. Maybe you could direct high scoring spam with
some rules in a different quarantine directory and remove the "delete"? If
that is possible you could then run a deletion script from cron.
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
More information about the MailScanner