Mydoom Virus getting Through - High Spam
Kai Schaetzl
maillists at CONACTIVE.COM
Fri Feb 13 15:31:43 GMT 2004
Phil Randal wrote on Fri, 13 Feb 2004 14:18:32 -0000:
> I did say "a hitherto considered safe" filetype, i.e, one you let through.
But there is no file type I "let thru". There are only file types I do NOT let
thru. Any non-blocked file makes it to the virus scan.
>
> Call me paranoid if you like, but I don't like the idea of having
> virus-infected files sitting in quarantine without MailScanner telling me
> that they are infected.
I can perfectly understand this. However, others like me won't mind.
>
> It's an accident waiting to happen.
>
> Agreed, it's a small window of opportunity, but under pressure human error
> occurs.
That's why I thought it might be useful to start scanning a released email
with the next "stage". This would prevent the small chance of a user releasing
a blocked file type which contains a virus from happening. However, if that is
painful to implement I'm quite happy without it. But just allowing MS to stop
scanning if a match occurs shouldn't be that difficult I assume. If Julian
doesn't like the idea he won't put it in, anyway ;-)
>
> > Back to your original question I hooked on: I see high-scoring spam marked
> > as containing a virus as well, so there must be something different in your
> > setup if it doesn't work for you.
>
> High Scoring Spam Actions = store delete
>
Ah, we just have "store". This implies that MS first does the spam scan and
then already discards the mail. Maybe you could direct high scoring spam with
some rules in a different quarantine directory and remove the "delete"? If
that is possible you could then run a deletion script from cron.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
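
The cron deletion script suggested in the message above could look like the following. This is an added example, not part of the original message and not MailScanner's own code. It assumes the separate high-scoring-spam quarantine holds one `YYYYMMDD` subdirectory per day, that GNU `date` is available, and the function name and paths are hypothetical.

```shell
#!/bin/sh
# Added example: prune date-named quarantine subdirectories older than N days.
# ASSUMPTIONS: YYYYMMDD subdirectory layout, GNU date, hypothetical paths.
# Possible crontab entry (script path and quarantine path are placeholders):
#   15 3 * * * /path/to/this-script /path/to/spam-quarantine 7

# prune_quarantine ROOT KEEP_DAYS [TODAY_YYYYMMDD] [DRY_RUN]
# Prints the number of directories removed (or that would be removed).
prune_quarantine() {
    root=$1; keep_days=$2; today=${3:-$(date +%Y%m%d)}; dry_run=${4:-0}

    # Refuse empty or dangerous roots, symlinked roots and malformed numbers.
    case "$root" in ''|/) echo "refusing root '$root'" >&2; return 2 ;; esac
    [ -d "$root" ] && [ ! -L "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    case "$keep_days" in ''|*[!0-9]*) echo "bad day count" >&2; return 2 ;; esac
    case "$today" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad date: $today" >&2; return 2 ;;
    esac

    # Build an ISO date so GNU date parses the relative offset unambiguously.
    md=${today#????}
    iso="${today%????}-${md%??}-${md#??}"
    cutoff=$(date -d "$iso $keep_days days ago" +%Y%m%d) || return 2

    removed=0
    for dir in "$root"/*/; do
        dir=${dir%/}
        name=${dir##*/}
        # Only entries named exactly YYYYMMDD are candidates; all else is kept.
        case "$name" in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;
        esac
        # Never follow a symlink out of the quarantine tree.
        [ -L "$dir" ] && continue
        [ -d "$dir" ] || continue
        if [ "$name" -lt "$cutoff" ]; then
            if [ "$dry_run" = 1 ]; then
                echo "would remove $dir" >&2
            else
                rm -rf -- "$dir"
            fi
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}
```

Running it with the fourth argument set to `1` first shows on stderr what would be deleted without touching anything.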