Virus scanning spam

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Fri May 28 09:56:31 IST 2004


I suspect we're unusual here, but of our around 8000 incoming emails daily
about 15% are viruses and 5% high-scoring spam.  That's not including the
500-1300 messages which are blocked at the MTA level thanks to Vispan's
autoblacklisting of virus senders.

I'd thought of a simple "Scan for Viruses First" option, but you're right,
it could be auto-tuning.  Or something like "Scan For Viruses
First=Yes/No/Auto".

Some things may need precedences regardless of the order scanned, like never
quarantining viruses, even if flagged as spam.  Although this might need to
be an explicit option.

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: 28 May 2004 01:53
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Virus scanning spam
>
> I need to look at the whole area of handling a quarantine of
> virus-checked spam files. And control over the order of
> virus-scanning vs. spam-scanning. If the virus checking was
> done first, you could delete the message before the spam
> scanning code got it, which would mean you could then only
> archive uninfected messages for example.
>
> This isn't as easy to do as maybe it should be, I never
> considered needing to reverse the order when I designed the
> code architecture in the first place.
>
> It would be even better if it could perhaps automatically
> switch order depending on the current trend in email state.
> So normally it could run in spam-then-virus order, but then
> detect a rise in the number of viruses and switch to
> virus-then-spam order for extra speed during a large outbreak.
> Normally spam-then-virus is faster if you delete or
> quarantine raw spam, as you avoid virus scanning it altogether.
>
> This isn't going to happen this week or any time soon like
> that, I need to have a long think first to get the architecture right.
>
> At 00:54 28/05/2004, you wrote:
> >I'm glad you agree... the only way there would be a point in it would
> >be to put the results in the quarantine only if it's not a virus. I
> >don't believe in quarantining known viruses, but I *do* think it's
> >useful to hold on to (at least temporarily) known non-viral spam if only
> >to avoid the perils of the rarely occurring false positive.
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >Behalf Of Julian Field
> >Sent: Thursday, May 27, 2004 2:40 PM
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Re: Virus scanning spam
> >
> >
> >At 20:31 27/05/2004, you wrote:
> > > >From the MAQ:
> > >
> > >"16- Hey, MailScanner doesn't scan high scoring spam (or something I
> > >don't "deliver")!
> > >Anything which is not delivered or forwarded is not virus scanned.
> > >Here is an explanation and workaround. Pretty simple, instead of not
> > >delivering, do a store to an alias pointing to /dev/null.
> > >Thanks to Phil and Kai :)."
> > >
> > >Question: If the logical decision to do this is exactly as outlined
> > >in the previous paragraph, (I don't do Perl so it would be difficult
> > >for me to know), could one change the option to "anything that isn't
> > >delivered, forwarded or stored" so that it would scan even high
> > >scoring spam that's stored in the quarantine?
> >
> >I intentionally only ever put untouched mail in the quarantine. There
> >isn't much point virus scanning something, throwing away the original
> >content, and putting the results in the quarantine.
> >--
> >Julian Field
> >www.MailScanner.info
> >Professional Support Services at www.MailScanner.biz
> >MailScanner thanks transtec Computers for their support
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >-------------------------- MailScanner list ----------------------
> >To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> >Before posting, please see the Most Asked Questions at
> >http://www.mailscanner.biz/maq/     and the archives at
> >http://www.jiscmail.ac.uk/lists/mailscanner.html
> >
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
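
Added example, not part of the thread and not MailScanner code: a sketch of the "Scan For Viruses First=Yes/No/Auto" idea discussed above, together with the rule that a virus is never quarantined even when it is also flagged as spam. The class and function names, the relative scan costs, the "delete" action for viruses and the traffic mix are all assumptions made for illustration; the model assumes whatever the first scanner flags is dropped before the second scanner runs.

```python
from collections import deque

class ScanOrderTuner:
    """Choose the scan order from a sliding window of recent verdicts (hypothetical)."""

    def __init__(self, virus_cost=1.0, spam_cost=1.0, window=1000):
        self.virus_cost = virus_cost        # assumed relative cost of one virus scan
        self.spam_cost = spam_cost          # assumed relative cost of one spam scan
        self.recent = deque(maxlen=window)  # (is_virus, is_high_spam) per message

    def record(self, is_virus, is_high_spam):
        self.recent.append((is_virus, is_high_spam))

    def expected_costs(self):
        n = len(self.recent) or 1
        p_virus = sum(v for v, _ in self.recent) / n
        p_spam = sum(s for _, s in self.recent) / n
        # The first stage always runs; the second only sees what the first kept.
        spam_first = self.spam_cost + (1 - p_spam) * self.virus_cost
        virus_first = self.virus_cost + (1 - p_virus) * self.spam_cost
        return spam_first, virus_first

    def order(self, setting="auto"):
        if setting == "yes":
            return "virus-then-spam"
        if setting == "no":
            return "spam-then-virus"
        spam_first, virus_first = self.expected_costs()
        # A tie keeps the normal spam-then-virus order.
        return "virus-then-spam" if virus_first < spam_first else "spam-then-virus"


def disposition(is_virus, is_high_spam):
    """Precedence does not depend on scan order: a virus is never quarantined."""
    if is_virus:
        return "delete"
    if is_high_spam:
        return "quarantine"
    return "deliver"


def simulate(virus_pct, spam_pct, total=1000, **costs):
    """Feed a constructed traffic mix through the tuner and return the chosen order."""
    tuner = ScanOrderTuner(**costs)
    for i in range(total):
        pos = i % 100
        tuner.record(pos < virus_pct, virus_pct <= pos < virus_pct + spam_pct)
    return tuner.order("auto")
```

Under this model virus-first is cheaper only when the virus rate divided by the high-scoring spam rate exceeds the virus-scan cost divided by the spam-scan cost, so a 15%/5% mix favours virus-first until a virus scan costs more than three times a spam scan.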
