don't quarantine silent viruses?

Alex Neuman alex at nkpanama.com
Wed May 26 16:38:20 IST 2004


Exactly what I've seen happening on several installations, mainly because of
the "spam-like" characteristics exhibited by mass-mailing,
"from:"-disguising worms/viruses. DCC/Razor/Pyzor report it as probable
spam, and the infected machines wind up in RBLs, contributing to the
overall score.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Randal, Phil
Sent: Wednesday, May 26, 2004 6:19 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: don't quarantine silent viruses?


Ahhh, interesting...

What I'm finding is that viruses which match the "no" answers in these rules
are still being flagged as spam by SpamAssassin and being stored in
quarantine.  At least, I think that's what's happening.

Comments, anyone?

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Patel, Anjana
> Sent: 26 May 2004 11:37
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: don't quarantine silent viruses?
>
> This config works quite well for us (cuts down the quarantine dir by
> 80%):
>
> In MailScanner.conf:
>
> Quarantine Infections = %rules-dir%/quarantine.rules
>
> Example quarantine.rules file:
>
> Virus:          bagle           no
> Virus:          dumaru          no
> Virus:          klez            no
> Virus:          lovgate         no
> Virus:          mimail          no
> Virus:          mydoom          no
> Virus:          netsky          no
> Virus:          sober           no
> Virus:          sobig           no
> Virus:          swen            no
> Virus:          default         yes
>
> Hope this helps
>
> Anjana
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > Behalf Of Randal, Phil
> > Sent: 26 May 2004 10:46
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: don't quarantine silent viruses?
> >
> > That is another excellent idea.  I've just scanned the archives and am
> > still confused as to what the ruleset would be to still quarantine
> > "illegal" attachments but not quarantine viruses.  I don't have a test
> > box to play on, alas.
> >
> > Cheers,
> >
> > Phil
> >
> > ----
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list
> > > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of David Lee
> > > Sent: 26 May 2004 10:40
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: don't quarantine silent viruses?
> > >
> > > On Wed, 26 May 2004, John Wilcock wrote:
> > >
> > > > On Wed, 26 May 2004 10:55:40 +0200, Marcin Rozek wrote:
> > > > > about 98% of e-mails that stay in our quarantine are copies of
> > > > > netsky/bagle/etc
> > > > > - could you please add an option to mailscanner "Don't quarantine
> > > > > silent viruses"? That would save a lot of disk-space.
> > > >
> > > > This can already be done with a ruleset (search the archives) but I
> > > > agree that this would be such a useful function that it might be worth
> > > > an option of its own.
> > >
> > > <just-a-thought>
> > > I agree with the above idea, but question its "another option"
> > > solution.
> > >
> > > Consider the wider picture of MailScanner.conf overall, and the
> > > number of questions on this list whose answer contains "with a
> > > ruleset".  Perhaps we need to push rulesets a bit more, and have
> > > some default functionality actually using real rulesets.
> > >
> > > If we agree that this particular item ("Don't quarantine silent
> > > viruses") would be a useful default, then rather than yet another
> > > option, perhaps the answer might be for the default to become
> > > "use this ruleset", and for the default ruleset to implement "Don't
> > > quarantine silent viruses".
> > >
> > > Using real rulesets in the default configuration, with real examples,
> > > would:
> > > 1. bring rulesets to the attention of people who don't know about them;
> > > 2. give confidence to those who are timid about starting to use them;
> > > 3. demonstrate the preferred "xxx.rules" naming;
> > > 4. etc.
> > > </just-a-thought>
> > >
> > >
> > > --
> > >
> > > :  David Lee                                I.T. Service        :
> > > :  Systems Programmer                       Computer Centre     :
> > > :                                           University of Durham:
> > > :  http://www.dur.ac.uk/t.d.lee/            South Road          :
> > > :                                           Durham              :
> > > :  Phone: +44 191 334 2752                  U.K.                :
> > >
> > > -------------------------- MailScanner list ----------------------
> > > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > > Before posting, please see the Most Asked Questions at
> > > http://www.mailscanner.biz/maq/     and the archives at
> > > http://www.jiscmail.ac.uk/lists/mailscanner.html
> > >

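A dry run of the quarantine.rules file quoted in this thread, for anyone without a test box: this is an added example, not part of the original messages and not MailScanner's own code. It assumes first-match-wins evaluation and a case-insensitive substring match of each pattern against the scanner's report text; the report strings are constructed samples, and it models only the "Quarantine Infections" decision, not spam handling.

```python
import re

# The ruleset posted in the thread, verbatim.
QUARANTINE_RULES = """\
Virus:          bagle           no
Virus:          dumaru          no
Virus:          klez            no
Virus:          lovgate         no
Virus:          mimail          no
Virus:          mydoom          no
Virus:          netsky          no
Virus:          sober           no
Virus:          sobig           no
Virus:          swen            no
Virus:          default         yes
"""

# Constructed scanner report strings (not taken from the thread).
SAMPLE_REPORTS = ["W32/Netsky.P@mm", "Worm.Bagle.Z", "W32/MyDoom-A",
                  "Eicar-Test-Signature"]

def parse_rules(text):
    """Return (rules, default): ordered (regex, bool) pairs and the fallback."""
    rules, default = [], True
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0].rstrip(":").lower() != "virus":
            raise ValueError(f"unsupported rule: {line!r}")
        pattern, answer = fields[1], fields[2].lower()
        if answer not in ("yes", "no"):
            raise ValueError(f"answer must be yes or no: {line!r}")
        if pattern.lower() == "default":
            default = answer == "yes"
        else:
            # Assumption: substring match, case-insensitive.
            rules.append((re.compile(re.escape(pattern), re.I), answer == "yes"))
    return rules, default

def quarantine_infection(report, rules, default):
    """First matching rule decides; otherwise the default applies."""
    for regex, value in rules:
        if regex.search(report):
            return value
    return default

def dry_run(reports=SAMPLE_REPORTS, rules_text=QUARANTINE_RULES):
    rules, default = parse_rules(rules_text)
    return {r: quarantine_infection(r, rules, default) for r in reports}
```

Calling dry_run() with report strings copied from your own scanner logs shows which detections would stop being quarantined before the ruleset goes live.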