Feature request : Dangerous Content Scanning option

Julian Field mailscanner at ecs.soton.ac.uk
Thu May 27 20:13:16 IST 2004


How about we change your patch a bit.
In SweepContent.pm, do the "partial message" and "external bodies" checks,
then bail out if we aren't doing dangerous content checks. The reasoning
behind this is the partial message and external body checks directly affect
your ability to scan messages for viruses, and are therefore rather more
than just the other content checks. I would like the default behaviour to
be to check for partial messages and external bodies even if they switch
off the rather broad "Content Scanning" switch.

And I don't think your last patch will ever get executed if the content
scanning is switched off, as it is called from ScanBatch() which we already
have left if content scanning is off.

Does that sound better?

At 19:48 27/05/2004, you wrote:
>On Thu, May 27, 2004 at 06:58:09PM +0100, Julian Field wrote:
> > This strikes as rather dangerous.
>
>Agreed.
>But then I'd rather have a sharp knife, than a blunt one.
>
> > Your first code patch will disable the
> > check for partial messages (among other things).
>
>Agreed. That is the intent.
>
>There is already an abstract switch that does this: "Virus Scanning".
>
> > Not checking for partial
> > messages will let viruses through that are present in multi-part messages.
>
>Agreed.  That is already well-documented in the .conf file.
>
> > I wouldn't advise anyone to switch off that check.
>
>Me neither.  I wouldn't dream of doing so for myself, and I don't even run
>a Windows box.
>
>But I have agreed to do it to win back the trust of a client for whom email
>is critical in order to get at least ordinary virus-scanning in the loop.
>
> > I think you need to be rather more careful about what checks any option
> > like this might disable.
>
>I believe I've been extremely careful, but I'm happy to be corrected.
>
>As it happens the distinction I've implemented is co-terminous with
>the difference between internal and external virus scanning in mailscanner,
>but that is not the intent.
>
>The intention is to distinguish between checks that positively identify
>malware (false positives aside), and checks that don't.  This is a
>distinction that is already made in the code and the reports.
>
>Although I'm not familiar with the history, I imagine that partial
>messages is one of those features that some misguided souls somewhere
>are still using for non-malicious purposes.  Until I quantify the
>various risks, that puts them in my dangerous content group.
>
>I'm not entirely unhappy about having a wide range of risk in that
>group.  I need users to take some responsibility for managing the
>riskier options; having compelling options opens that door.
>
>There are many of these checks, not all have individual conf switches,
>and there is no way to say "all current and future checks of this kind".
>
>So, then things would look like ...
>
>         VirusScanning
>                 Scanners
>                         ...
>                 Dangerous Content
>                         partial messages
>                         ...
>
>But if they looked like
>
>         VirusScanning
>                 Scanners
>                         ...
>                 partial messages
>                 Dangerous Content
>                         ...
>
>or
>
>         VirusScanning
>                 Scanners
>                         partial messages
>                         ...
>                 Dangerous Content
>                         ...
>
>I'd be just as happy.
>
>Partial messages seem like a special case, because of their link with
>virus scanning, but in my book HTML scripts are far more scary.
>
>Now you can't sell those to everyone.
>
>I don't particularly want it.  I do need it.
>
>Regards, and thanks for wading through this rather epic mail,
>
>
>Paddy
>
>-------------------------- MailScanner list ----------------------
>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>Before posting, please see the Most Asked Questions at
>http://www.mailscanner.biz/maq/     and the archives at
>http://www.jiscmail.ac.uk/lists/mailscanner.html

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
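
The control flow proposed in the reply above (partial-message and external-body checks always run, the remaining content checks only when the switch is on), sketched as an added Python example; it is not MailScanner's Perl code or the patch under discussion. The function names, the `dangerous_content_checks` parameter and the sample messages are constructed for illustration.

```python
import email
import email.policy

# MIME types that keep the real body away from the virus scanners: fragments
# are reassembled, and external bodies fetched, only by the recipient's client.
ALWAYS_CHECKED = {
    "message/partial": "partial message",
    "message/external-body": "external message body",
}

def structural_checks(msg):
    """Checks tied to virus scanning; run regardless of the switch."""
    return [ALWAYS_CHECKED[p.get_content_type()]
            for p in msg.walk() if p.get_content_type() in ALWAYS_CHECKED]

def other_content_checks(msg):
    """Stand-in for the broad content checks (only an HTML <script> test here)."""
    found = []
    for p in msg.walk():
        if p.get_content_type() == "text/html" and "<script" in p.get_content().lower():
            found.append("HTML script")
    return found

def sweep_content(raw, dangerous_content_checks=True):
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = structural_checks(msg)   # always executed
    if not dangerous_content_checks:
        return findings                 # bail out before the broad checks
    return findings + other_content_checks(msg)

# Constructed sample messages (not taken from the thread).
PARTIAL = ('Content-Type: message/partial; id="x@example.com"; number=1; total=2\n'
           '\nContent-Type: text/plain\n\nfirst fragment\n')
EXTERNAL = ('Content-Type: multipart/mixed; boundary="b1"\n\n'
            '--b1\nContent-Type: message/external-body; access-type=URL;'
            ' URL="http://example.com/file"\n\n'
            'Content-Type: application/octet-stream\n\n--b1--\n')
HTML = 'Content-Type: text/html\n\n<html><script>x()</script></html>\n'

if __name__ == "__main__":
    for name, raw in (("partial", PARTIAL), ("external", EXTERNAL), ("html", HTML)):
        print(name, sweep_content(raw, dangerous_content_checks=False))
```

With the switch off, the partial and external-body samples are still reported while the HTML script sample passes, which is the default behaviour the reply asks for.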
