Request for comments 3
Julian Field
MailScanner at ecs.soton.ac.uk
Tue Jul 24 20:34:20 IST 2007
I'm not quite sure what you're asking or suggesting here. What would
cause a message to be marked as "dangerous"? And what do I do with a
"dangerous" message?
UxBoD wrote:
> Jules,
>
> I raised a question on the MailWatch list of whether it would be possible to not display a list of messages based on the SA rule. Due to changes in V2 Steve believes it would probably be better performed in MailScanner.
>
> My thoughts are based around Trojan messages, where at the moment they are sometimes tagged via SA rules, but users do have the potential to release those messages and hence pose a potential security risk. This would even happen if the message is quarantined.
>
> Using your newly introduced code, would it be possible to introduce a new field where a message could be marked as caution? It is not a virus but should be treated with respect. I know it could be deleted via the SA rule code, but what happens if it has been tagged a false positive?
>
> A caution flag could then be used by MailWatch, or any other application, to stop a user releasing it and perhaps asking them to fill in a form to contact tech support to check the message whether it is okay to release.
>
> What has prompted this RFC is the recent eCard SPAM/Malware that has been shown to download Trojans and Virii.
>
> What is your take on this, and anybody else who perhaps sees the benefits?
>
> Regards,
>
> ps. You amaze me how quick you release new functionality :D
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London
> Subject: Re: Request for comments 3
>
>
> Julian Field wrote:
>
>> Steve Freegard wrote:
>>
>>> Julian Field wrote:
>>>
>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will
>>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in
>>>>> $message->{quarantineplaces}??
>>>>>
>>>> It wasn't going to do that, no. Simply choosing to store the message
>>>> in a place doesn't change its spam status, surely?
>>>>
>>> Ok - true enough for spam, but to replace MCP with this new feature -
>>> setting store-mcp would need to set $message->{ismcp} otherwise
>>> MailWatch won't be able to tell the difference between them and the
>>> MCP stuff will get lost in the noise (and won't get counted toward
>>> the MCP stats).
>>>
>> Okay, I could do that as well. It will be easy to add that.
>>
> Also, do you need me to do anything special if they use the store-spam
> in the Non-Spam Actions and other combinations?
>
> Jules
>
>
Jules
--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk