Request for comments 3

UxBoD uxbod at splatnix.net
Tue Jul 24 22:00:06 IST 2007


Virii is virii so set as it.  The flag, IMHO, would ideally be triggered on user defined logic, around SA rules. i.e. SA rule = /secret formula/i and action would be "tag it".  HR could then review tagged messages, if a case has been brought to them that an individual was sending out confidential information.
----- Original Message -----
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: 24 July 2007 21:30:26 o'clock (GMT) Europe/London
Subject: Re: Request for comments 3

So I wouldn't actually *do* anything with the result. You just want me 
to add a "use-caution" action that sets a $message->{usecaution}=1 flag 
in the message properties.
Would this flag also be set on any virus-infected message?
What other circumstances would cause the flag to be set?

I do nothing with the flag, just set it for Custom Functions to use if 
they want to.

UxBoD wrote:
> Sorry Jules,
>
> What I mean, for example KAM_CARD (as in KAM.cf), disguises a message as from a friend/worshipper etc, but contains a URL that *could* download a virus/trojan.
>
> Currently, this type of message gets marked as SPAM, which means a user could potentially release it from Quarantine.
>
> What would be nice is if a SA rule could trigger a "Caution Flag", which means that MailWatch/or a home brew application could check this flag and stop the user from releasing it.  The user could be directed then to ask a techie to release the message once they had checked it out.
>
> This could also be used when a message contains potential IPR and it just gets flagged.
>
> Just seemed a useful idea to me, but please disregard if a daft idea ;)
>
> Cheers,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: 24 July 2007 20:34:20 o'clock (GMT) Europe/London
> Subject: Re: Request for comments 3
>
>
> I'm not quite sure what you're asking or suggesting here. What would 
> cause a message to be marked as "dangerous"? And what do I do with a 
> "dangerous" message?
>
> UxBoD wrote:
>> Jules,
>>
>> I raised a question on the MailWatch list of whether it would be possible to not display a list of messages based on the SA rule.  Due to changes in V2 Steve believes it would probably be better performed in MailScanner.
>>
>> My thoughts are based around Trojan messages, where at the moment they are sometimes tagged via SA rules, but users do have the potential to release those messages and hence pose a potential security risk.  This would even happen if the message is quarantined.
>>
>> Using your newly introduced code, would it be possible to introduce a new field where a message could be marked as caution?  It is not a virus but should be treated with respect.  I know it could be deleted via the SA rule code, but what happens if it has been tagged as a false positive?
>>
>> A caution flag could then be used by MailWatch, or any other application, to stop a user releasing it and perhaps asking them to fill in a form to contact tech support to check the message whether it is okay to release.
>>
>> What has prompted this RFC is the recent eCard SPAM/Malware that has been shown to download Trojans and Virii.
>>
>> What is your take on this, and anybody else who perhaps sees the benefits?
>>
>> Regards,
>>
>> ps. You amaze me how quick you release new functionality :D
>> --[ UxBoD ]--
>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
>> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
>> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>>
>> ----- Original Message -----
>> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
>> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
>> Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London
>> Subject: Re: Request for comments 3
>>
>> Julian Field wrote:
>>> Steve Freegard wrote:
>>>> Julian Field wrote:
>>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will 
>>>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in 
>>>>>> $message->{quarantineplaces}??
>>>>> It wasn't going to do that, no. Simply choosing to store the message 
>>>>> in a place doesn't change its spam status, surely?
>>>> Ok - true enough for spam, but to replace MCP with this new feature - 
>>>> setting store-mcp would need to set $message->{ismcp} otherwise 
>>>> MailWatch won't be able to tell the difference between them and the 
>>>> MCP stuff will get lost in the noise (and won't get counted toward 
>>>> the MCP stats).
>>> Okay, I could do that as well. It will be easy to add that.
>> Also, do you need me to do anything special if they use the store-spam 
>> in the Non-Spam Actions and other combinations?
>>
>> Jules
>>
>
> Jules
>

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!




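As an added illustration of the caution flag being discussed in this thread (not code from MailScanner or MailWatch), here is a small Python model: a scanner-side step that sets the proposed usecaution property when a configured SA rule such as KAM_CARD hits or a user-defined pattern like /secret formula/i matches, and the release check a quarantine front end could make against the flag. The sarules field name, the rule and pattern lists, and the "virus-infected is never self-released" policy are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the thread's proposal: SpamAssassin rule hits can raise a
# "use-caution" flag (the $message->{usecaution} property Jules describes), and a
# quarantine front end refuses self-service release while that flag is set.

# Rule names / body patterns that should set the flag. KAM_CARD is the eCard rule
# named in the thread; the "secret formula" regex is UxBoD's HR example.
# Both lists are assumed site configuration, not MailScanner defaults.
CAUTION_RULES = {"KAM_CARD"}
CAUTION_BODY_PATTERNS = [re.compile(r"secret formula", re.IGNORECASE)]


@dataclass
class Message:
    """Subset of MailScanner message properties mentioned in the thread (constructed)."""
    id: str
    body: str
    sarules: list = field(default_factory=list)  # SA rule names that hit (assumed field name)
    isspam: bool = False
    ismcp: bool = False
    virusinfected: bool = False
    usecaution: bool = False  # the proposed new flag


def apply_caution(msg: Message) -> Message:
    """Set usecaution when a configured SA rule hit or a user-defined body pattern matched.
    As in Jules' description, the scanner only sets the flag; it does not act on it."""
    hit_rule = bool(CAUTION_RULES & set(msg.sarules))
    hit_body = any(p.search(msg.body) for p in CAUTION_BODY_PATTERNS)
    if hit_rule or hit_body:
        msg.usecaution = True
    return msg


def release_decision(msg: Message, is_admin: bool = False) -> str:
    """Quarantine-release policy a MailWatch-style front end could apply.
    Returns one of 'release', 'refer-to-admin' or 'deny'."""
    if msg.virusinfected:
        return "deny"             # virus is virus: nobody self-releases it (assumed policy)
    if msg.usecaution and not is_admin:
        return "refer-to-admin"   # flagged: the user asks a techie to check it first
    return "release"              # plain spam/MCP false positive: the user may release it


if __name__ == "__main__":
    # Constructed sample: an eCard lure that only a SA rule caught, so it is merely "spam".
    ecard = Message("1", "Your friend sent you an eCard: http://example.invalid/card",
                    sarules=["KAM_CARD", "HTML_MESSAGE"], isspam=True)
    print(release_decision(apply_caution(ecard)))  # refer-to-admin
```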


