Skip scan for viruses

Julian Field mailscanner at ecs.soton.ac.uk
Fri Jan 30 11:53:32 GMT 2004


At 11:32 30/01/2004, you wrote:
>Thanks, Julian.
>The other issue is about accurate statistics gathering.
>MailScanner rocks.  It and ClamAV have been the only things preventing
>MyDoom.A and Mymail.s getting into our corporate network.

Wonderful!

I would possibly end up scanning everything, but as I say it's going to
take some considerable thought. The current architecture rolls along the
message batch data structures quite well, I need to start drawing stuff to
work out an alternative top-level architecture that could do this. And then
be able to switch between the two.

It would be cool if I could make it automatically switch modes depending on
the current mail activity, so when it starts seeing loads of viruses it
does virus scanning first, but normally runs the other way round (lots of
people don't deliver spam at all, which cuts down the load considerably as
it is not virus-scanned). Whether that is possible or not, I haven't a clue
at the moment. But as I said, I think it would be cool.

>I think we should all have a good look at your Amazon wish-list and
>contribute.

Sorry there aren't many cheap things on it at the moment. You could either
club together, or else just think up something you reckon I might like. I'm
sure I like loads of stuff that's not on my list, I just don't know it yet.

And if anyone fancies writing to the Queen and nominating me for the Honors
list, that would go down well too!
I didn't make the Open Source Initiative awards, not the Jan 2004 round
anyway. Next lot are due in April. Maybe I'll have better luck next time.

> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: 30 January 2004 11:23
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Skip scan for viruses
> >
> >
> > At 11:12 30/01/2004, you wrote:
> > >No, spam can't directly compromise your PC, viruses can.
> > >
> > >As it stands it is a gaping security hole in MailScanner.
> >
> > That's a bit strong....
> >
> > >Hypothetical example:  User phones, and says "your flipping anti-spam gizmo
> > >has blocked an email which isn't spam, can you release it?".  You look at
> > >the logs, see that Mailscanner doesn't think it's a virus and release it
> > >from quarantine.  BOOM!
> >
> > "MailScanner doesn't think it's a virus" is not the same as "MailScanner
> > doesn't know if it is a virus or not" which is what is actually happening here.
> >
> > I need to take a look at this problem again. It would be nice to be able to
> > switch the evaluation order. It's not a trivial problem (I delay setting up
> > expensive data structures until the last moment so as not to waste CPU
> > doing it for messages which might get trashed anyway).
> >
> > Let me have a think.
> > I'll get back to you.
> >
> >
> > >Phil
> > >
> > >---------------------------------------------
> > >Phil Randal
> > >Network Engineer
> > >Herefordshire Council
> > >Hereford, UK
> > >
> > > > -----Original Message-----
> > > > From: MailScanner mailing list
>[mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > Behalf Of David Hooton
> > > Sent: 30 January 2004 11:05
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Skip scan for viruses
> > >
> > >
> > > > So it seems to me that SpamAssassin and its spam checks is more of a CPU
> > > > hog than the whole virus scanning process.
> > >
> > > Depending on your configuration, but here it is...
> > >
> > > > My thought would be
> > > >
> > > > if a Virus is dropped before the Spam Scanning can even pick it up, that
> > > > would mean less work to the CPU, thus less resources are consumed or am
> > > > I making a mistake?
> > >
> > > This is a very dynamic situation, a little while ago it was suggested that
> > > the order be configurable.  I forget where that thread ended, but in
> > > situations like we've had this week it certainly would be nice to be able to
> > > reverse the process to virus scan first.  _however_ we also have weeks when
> > > spam traffic is very significantly higher than virus traffic in which case
> > > obviously it would be good to have the other way around.
> > >
> > > I would really love to see an option for this, it's been asked for before,
> > > unless there is a serious security implication or it already exists!
> > >
> > > Regards,
> > >
> > > David Hooton
> > >
> > >
> > > ==============================================================
> > > ==========
> > >  Pain free spam & virus protection by:
> >www.mailsecurity.net.au
> >  Forward undetected SPAM to:                   spam at mailsecurity.net.au
> >========================================================================
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
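
The distinction drawn in this thread between "not a virus" and "not scanned", together with the switchable scan order being asked for, can be modelled as below. This is an added example, not MailScanner code and not part of the original message; every name in it (`VirusStatus`, `process_batch`, `release`, the marker strings) is hypothetical, and the two check functions are constructed stand-ins for real spam and virus engines.

```python
from dataclasses import dataclass
from enum import Enum

class VirusStatus(Enum):
    NOT_SCANNED = "not scanned"   # the scanner never saw this message
    CLEAN = "clean"
    INFECTED = "infected"

@dataclass
class Message:
    msg_id: str
    body: str
    is_spam: bool = False
    virus: VirusStatus = VirusStatus.NOT_SCANNED
    quarantined: bool = False

# Constructed stand-ins for the real engines (assumptions for this sketch).
def spam_check(msg):
    msg.is_spam = "buy now" in msg.body.lower()

def virus_check(msg):
    infected = "FAKE-VIRUS-MARKER" in msg.body
    msg.virus = VirusStatus.INFECTED if infected else VirusStatus.CLEAN

def process_batch(batch, virus_first=False):
    """Spam-first skips the virus scan for spam; virus-first skips spam checks for viruses."""
    for msg in batch:
        if virus_first:
            virus_check(msg)
            if msg.virus is not VirusStatus.INFECTED:
                spam_check(msg)
        else:
            spam_check(msg)
            if not msg.is_spam:
                virus_check(msg)
        msg.quarantined = msg.is_spam or msg.virus is VirusStatus.INFECTED
    return batch

def release(msg):
    """Release from quarantine only on a real 'clean' verdict, never on 'not scanned'."""
    if msg.virus is VirusStatus.NOT_SCANNED:
        virus_check(msg)          # close the gap before delivery
    if msg.virus is VirusStatus.INFECTED:
        return False
    msg.quarantined = False
    return True

def sample_batch():  # constructed messages, not real mail
    return [Message("m1", "Buy now! FAKE-VIRUS-MARKER"),
            Message("m2", "Minutes of Tuesday's meeting attached"),
            Message("m3", "Buy now: canteen lunch vouchers")]
```

Recording `NOT_SCANNED` as its own state keeps logs and statistics from reporting an unscanned spam message as virus-free, and lets the release step scan on demand.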


