MCP newbie question

[Kai Schaetzl]

Denis Beauchemin wrote on Mon, 15 May 2006 15:50:50 -0400:

> I already use Clam + www.sanesecurity.com Clam phishing sigs.  I thought 
> this would make the emails detected as viruses and thus destroyed.  But 
> my users are still complaining about phishing attempts (most of them in 
> French). 

I see, it's very much possible that French gets mostly thru undetected (as 
other languages probably as well).

>  
> My users would like me to delete these emails before they even reach 
> them.  That's why I inquired about MCP. 

Maybe I misunderstood your sentence "I would like to receive copies of 
emails without the end-users even knowing about it." That indicated to me 
that you want them to receive the mail like normal, but you want a copy (so 
you can test if your filter rules would work. What you actually want is add 
extra rules that catch more phishing, especially in French, than now gets 
caught? Is that correct? Then I wonder why you want to use MCP for this. 
MCP is an *extra* spamassassin run with a different ruleset. Why not just 
add your extra rules to your first spamassassin run?

>  
> What would MailWatch do for me?  I want to be able to look at the emails 
> to create new SA rules that would make the phishing attempts go to the 
> bit bucket. I think MW would just give me the same info I already have 
> in my maillog, which lacks the message body.

No, it gives you just that what you want if you let MailScanner store all 
messages in the quarantine. And, frankly, even without the bodies there's 
quite much more you see/get with Mailwatch than what's in your maillog. Try 
it. Deleting messages is scary in my eyes, anyway. You *will* get false 
positives. By using a quarantine you avoid the problem that you may delete 
false positives.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com