MCP & quarantine

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Thu Jul 21 13:26:48 IST 2005


I don't normally use the MailScanner quarantine feature here. Am looking
for some pointers to enable me to quarantine messages caught by MCP.

We are using MCP to recognise and block what looks like a new MyDoom or
similar virus/worm that arrives as a zipped attachment in a socially
engineered message that looks like it was sent by this site.

When the MCP action is "delete" that is working OK. However I would like
to capture some of these messages to be better able to study their
content and characteristics.

To that end I changed the MCP action from "delete" to "quarantine". The
logs indicate that the action is now "quarantine" but I am seeing
nothing under /var/spool/MailScanner/quarantine.

Note that I do _not_ want any other messages to be quarantined. This
happened when I was trying to sort out the MCP quarantining problem by
changing actions in MailScanner.conf. Found that a message containing a
.bmp attachment had been quarantined (.bmp files are one of the 50+
filename types that we block).   

Any advice on this is welcome.

Thanks

Quentin 
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own." 
