don't quarantine silent viruses?

Alex Neuman alex at nkpanama.com
Wed May 26 16:32:13 IST 2004


Sounds good, although I still think (and have always thought) that admins
should have the option of scanning for viruses first and spam second (even
though for some it's not practical or logical) or the option to scan for
both, no matter what.

The approach right now is "if it's spam, I won't bother scanning for
viruses" (which can be inelegantly circumvented using a ruleset as described
before). This has the advantage that resources are not spent scanning for
viruses where a message is clearly spam. The disadvantage is that due to
most viruses' nature, their contents are so repeated and, for lack of a
better word, "spammy", that plugins like SA/Razor/Pyzor/DCC will mark them
as spam, and lists like XBL, CBL, etc. will mark those machines as "possibly
compromised", contributing to the overall SPAM score.

The problem with that approach is that most admins would rather store than
delete SPAM because of the possibility (although quite small) of a false
positive.


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of David Lee
Sent: Wednesday, May 26, 2004 4:40 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: don't quarantine silent viruses?


On Wed, 26 May 2004, John Wilcock wrote:

> On Wed, 26 May 2004 10:55:40 +0200, Marcin Rozek wrote:
> > about 98% of e-mails that stay in our quarantine are copies of
> > netsky/bagle/etc
> > - could you please add an option to mailscanner "Don't quarantine silent
> > viruses"? That would save a lot of disk-space.
>
> This can already be done with a ruleset (search the archives) but I
> agree that this would be such a useful function that it might be worth
> an option of its own.

<just-a-thought>
I agree with the above idea, but question its "another option" solution.

Consider the wider picture of MailScanner.conf overall, and the number of
questions on this list whose answer contains "with a ruleset".  Perhaps we
need to push rulesets a bit more, and have some default functionality
actually using real rulesets.

If we agree that this particular item ("Don't quarantine silent
viruses") would be a useful default, then rather than yet another option,
perhaps the answer might be for the default to become "use this
ruleset", and for the default ruleset to implement "Don't quarantine
silent viruses".

Using real rulesets in the default configuration, with real examples,
would:
1. bring rulesets to the attention of people who don't know about them;
2. give confidence to those who are timid about starting to use them;
3. demonstrate the preferred "xxx.rules" naming;
4. etc.
</just-a-thought>


--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
