RFC: Useful or not ?
Christiaan den Besten
chris at scorpion.nl
Mon Jun 6 19:33:24 IST 2005
Hi all !
A couple of days ago I noticed our mailservers were blocking a large quantity of 'HTML.Phishing.Bank-225'. Since some virus scanners
have failed us a couple of times before, I wanted to double check it was not blocking by mistake.
Since we do not quarantine these viruses by default I had to enable this, restart MS, wait for an instance of this particular virus
(/ phishing mail) to pop up again, disable quarantine, restart MS etc .... et voilà .. I had my sample.
At that time I decided it would be more relaxed if MailScanner could save a 'sample' of every 'new virus' (or other things our
virus scanner blocks) it receives. Therefore I wrote a small patch for MailScanner which does just that.
Would other people see this as a useful supplement to MailScanner, or is it just handy for me (/us)? Any feedback is appreciated.
You can download a patch (for SweepViruses.pm) at http://mailscanner.prolocation.net/MS-VirusSample-v2.patch. It currently supports
viruses detected by ClamAVModule and f-prot. But adding support for other virus scanners is pretty trivial. The current patch also
assumes you have made a directory /var/spool/MailScanner/VirusSamples/ which is chown'ed to the same uid as the MailScanner processes.
bye,
Chris
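
The "keep one sample per new virus name" idea from the post, as an added Perl example; it is not the patch linked above and not MailScanner code. The function names, the `.sample` suffix and the assumption that the message is available as a single file are hypothetical; the demonstration runs in a temporary directory with constructed input.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Copy qw(copy);
use File::Temp qw(tempdir);

# Map a scanner-reported name to a safe file name (hypothetical helper).
# The name is derived from hostile mail, so it is filtered before it
# touches the filesystem: no path separators, no leading dots.
sub sample_filename {
    my ($virus_name) = @_;
    return unless defined $virus_name && length $virus_name;
    (my $safe = $virus_name) =~ s/[^A-Za-z0-9._-]/_/g;
    $safe =~ s/^\.+/_/;
    return substr($safe, 0, 100) . '.sample';
}

# Store $message_path as the sample for $virus_name unless one exists.
# Returns 1 if a new sample was stored, 0 if the name was already known.
sub save_first_sample {
    my ($dir, $virus_name, $message_path) = @_;
    my $file = sample_filename($virus_name) or return 0;
    my $dest = "$dir/$file";

    # O_EXCL makes "is this name new?" and "create the file" one atomic
    # step, so parallel scanner children cannot both write the sample,
    # and an existing symlink at $dest is never followed.
    sysopen(my $out, $dest, O_WRONLY | O_CREAT | O_EXCL, 0600) or do {
        return 0 if $!{EEXIST};
        die "cannot create $dest: $!";
    };
    unless (copy($message_path, $out)) {
        my $err = $!;
        close($out);
        unlink $dest;    # do not leave an empty file that blocks later samples
        die "cannot copy $message_path: $err";
    }
    close($out) or die "cannot close $dest: $!";
    return 1;
}

# Constructed demonstration; a real setup would pass the sample directory
# named in the post instead of a temporary one.
my $dir = tempdir(CLEANUP => 1);
my $msg = "$dir/message.eml";
open(my $fh, '>', $msg) or die "cannot write $msg: $!";
print {$fh} "constructed test message\n";
close($fh);
for my $name ('HTML.Phishing.Bank-225', 'HTML.Phishing.Bank-225', 'Bad/../Name') {
    printf "%-24s -> %s\n", $name,
        save_first_sample($dir, $name, $msg) ? 'stored' : 'already have one';
}
```

Samples stored this way are live malicious content, so the directory should stay readable only by the MailScanner uid and be excluded from anything that would open or index its files.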