don't quarantine silent viruses?

Howard Robinson howard at harper-adams.ac.uk
Wed May 26 12:46:24 IST 2004


On 26 May 04, at 12:18, Randal, Phil wrote:
Hello Phil
I have just implemented Anjana's rules and it looks to be working
fine. I have had a notification that there was a Netsky-P virus in an
email but it has not been quarantined.
Did you use tabs as spacing?


> Ahhh, interesting...
>
> What I'm finding is that viruses which match the "no" answers in these
> rules are still being flagged as spam by Spamassassin and being stored in
> quarantine.  At least, I think that's what's happening.
>
> Comments, anyone?
>
> Phil
>
> ----
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Patel, Anjana
> > Sent: 26 May 2004 11:37
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: don't quarantine silent viruses?
> >
> > This config works quite well for us (cuts down the quarantine dir by
> > 80%):
> >
> > In MailScanner.conf:
> >
> > Quarantine Infections = %rules-dir%/quarantine.rules
> >
> > Example quarantine.rules file:
> >
> > Virus:          bagle           no
> > Virus:          dumaru          no
> > Virus:          klez            no
> > Virus:          lovgate         no
> > Virus:          mimail          no
> > Virus:          mydoom          no
> > Virus:          netsky          no
> > Virus:          sober           no
> > Virus:          sobig           no
> > Virus:          swen            no
> > Virus:          default         yes
> >
> > Hope this helps
> >
> > Anjana
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list
> > > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Randal, Phil
> > > Sent: 26 May 2004 10:46
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: don't quarantine silent viruses?
> > >
> > > That is another excellent idea.  I've just scanned the archives and am
> > > still confused as to what the ruleset would be to still quarantine
> > > "illegal" attachments but not quarantine viruses.  I don't have a test
> > > box to play on, alas.
> > >
> > > Cheers,
> > >
> > > Phil
> > >
> > > ----
> > > Phil Randal
> > > Network Engineer
> > > Herefordshire Council
> > > Hereford, UK
> > >
> > > > -----Original Message-----
> > > > From: MailScanner mailing list
> > > > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of David Lee
> > > > Sent: 26 May 2004 10:40
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Re: don't quarantine silent viruses?
> > > >
> > > > On Wed, 26 May 2004, John Wilcock wrote:
> > > >
> > > > > On Wed, 26 May 2004 10:55:40 +0200, Marcin Rozek wrote:
> > > > > > about 98% of e-mails that stay in our quarantine are copies of
> > > > > > netsky/bagle/etc
> > > > > > - could you please add an option to mailscanner "Don't quarantine
> > > > > > silent viruses"? That would save a lot of disk-space.
> > > > >
> > > > > This can already be done with a ruleset (search the archives) but I
> > > > > agree that this would be such a useful function that it might be worth
> > > > > an option of its own.
> > > >
> > > > <just-a-thought>
> > > > I agree with the above idea, but question its "another option"
> > > > solution.
> > > >
> > > > Consider the wider picture of MailScanner.conf overall, and the
> > > > number of questions on this list whose answer contains "with a
> > > > ruleset".  Perhaps we need to push rulesets a bit more, and have
> > > > some default functionality actually using real rulesets.
> > > >
> > > > If we agree that this particular item ("Don't quarantine silent
> > > > viruses") would be a useful default, then rather than yet another
> > > > option, perhaps the answer might be for the default to become
> > > > "use this ruleset", and for the default ruleset to implement "Don't
> > > > quarantine silent viruses".
> > > >
> > > > Using real rulesets in the default configuration, with real examples,
> > > > would:
> > > > 1. bring rulesets to the attention of people who don't know about them;
> > > > 2. give confidence to those who are timid about starting to use them;
> > > > 3. demonstrate the preferred "xxx.rules" naming;
> > > > 4. etc.
> > > > </just-a-thought>
> > > >
> > > >
> > > > --
> > > >
> > > > :  David Lee                                I.T. Service          :
> > > > :  Systems Programmer                       Computer Centre       :
> > > > :                                           University of Durham  :
> > > > :  http://www.dur.ac.uk/t.d.lee/            South Road            :
> > > > :                                           Durham                :
> > > > :  Phone: +44 191 334 2752                  U.K.                  :
> > > >
> > > > -------------------------- MailScanner list ----------------------
> > > > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > > > Before posting, please see the Most Asked Questions at
> > > > http://www.mailscanner.biz/maq/     and the archives at
> > > > http://www.jiscmail.ac.uk/lists/mailscanner.html
> > > >




Regards

Howard Robinson
(Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB UK

E-mail: hrobinson at harper-adams.ac.uk
Tel.  : +44(0)1952 820280 Via switchboard
      : +44(0)1952 815253 Direct line
Fax.  : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk
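
An added example, not part of the original post and not MailScanner's own code: a simplified Python model of how the quoted quarantine.rules file would be read, useful for checking a ruleset against sample virus reports before deploying it. It assumes fields are separated by any run of tabs or spaces, that patterns match case-insensitively as substrings of the scanner's report, and that the first matching rule wins; the rules text and report strings are constructed.

```python
import re

# Constructed copy of part of the quoted quarantine.rules,
# mixing tabs and spaces on purpose.
RULES_TEXT = (
    "Virus:\tbagle\tno\n"
    "Virus:          klez            no\n"
    "Virus:\t\tmydoom  \tno\n"
    "Virus:          netsky          no\n"
    "# anything not listed above is kept\n"
    "Virus:          default         yes\n"
)

def parse_rules(text):
    """Return (rules, default, problems) for a Virus:-only ruleset."""
    rules, default, problems = [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        if not line:
            continue
        fields = line.split()                 # any run of tabs/spaces separates fields
        ok = (len(fields) == 3
              and fields[0].lower() == "virus:"
              and fields[2].lower() in ("yes", "no"))
        if not ok:
            problems.append(f"line {n}: cannot parse {raw!r}")
            continue
        value = fields[2].lower() == "yes"
        if fields[1].lower() == "default":
            default = value
        else:
            rules.append((fields[1], value))
    if default is None:
        problems.append("no 'default' rule")
    return rules, default, problems

def quarantine(report, rules, default):
    """First matching rule wins (assumed); otherwise the default applies."""
    for pattern, value in rules:
        if re.search(re.escape(pattern), report, re.IGNORECASE):
            return value
    return default
```

Because matching is by substring in this model, a short pattern suppresses quarantine for every report that contains it, so each "no" pattern is worth checking against the scanner's actual report wording.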
