Request for comments 3

UxBoD uxbod at splatnix.net
Tue Jul 24 20:17:21 IST 2007


Jules,

I raised a question on the MailWatch list of whether it would be possible to not display a list of messages based on the SA rule.  Due to changes in V2 Steve believes it would probably be better performed in MailScanner.

My thoughts are based around Trojan messages, where at the moment they are sometimes tagged via SA rules, but users do have the potential to release those messages and hence pose a potential security risk.  This would even happen if the message is quarantined.

Using your newly introduced code, would it be possible to introduce a new field where a message could be marked as caution?  It is not a virus but should be treated with respect.  I know it could be deleted via the SA rule code, but what happens if it has been tagged a false positive?

A caution flag could then be used by MailWatch, or any other application, to stop a user releasing it and perhaps asking them to fill in a form to contact tech support to check whether the message is okay to release.

What has prompted this RFC is the recent eCard SPAM/Malware that has been shown to download Trojans and viruses.

What is your take on this, and anybody else who perhaps sees the benefits?

Regards,

ps. You amaze me how quick you release new functionality :D
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net

----- Original Message -----
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London
Subject: Re: Request for comments 3

Julian Field wrote:
> * PGP Signed: 07/24/07 at 18:14:20
>
>
>
> Steve Freegard wrote:
>> Julian Field wrote:
>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will 
>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in 
>>>> $message->{quarantineplaces}??
>>
>>> It wasn't going to do that, no. Simply choosing to store the message 
>>> in a place doesn't change its spam status, surely?
>>
>> Ok - true enough for spam, but to replace MCP with this new feature - 
>> setting store-mcp would need to set $message->{ismcp} otherwise 
>> MailWatch won't be able to tell the difference between them and the 
>> MCP stuff will get lost in the noise (and won't get counted toward 
>> the MCP stats).
> Okay, I could do that as well. It will be easy to add that.
Also, do you need me to do anything special if they use the store-spam 
in the Non-Spam Actions and other combinations?

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk
