Request for comments 3

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jul 24 22:37:40 IST 2007



As a variation, how about I create a "custom" action which takes a 
parameter. This is passed to a MailScanner::CustomConfig::CustomAction() 
function, including the parameter given. So you could create

sub CustomAction {
  my($message, $parameter) = @_;
  # $parameter is the string given to the custom action in the ruleset
  $message->{usecaution} = 1 if $parameter eq 'caution';
}

(It would be defined in one of the CustomFunction files in 
/usr/lib/MailScanner/MailScanner/CustomFunctions. I would put in a 
sample 'CustomAction.pm' file in there so that the function was always 
defined, if only to do nothing by default.)

That way you can extend the system to create whatever extra flags you 
want, and/or take any other actions you want with the message. And you 
can have as many variations as you like, all depending on what you pass 
in as the 'parameter'.

Would this not be better than having a specific 'use-caution' flag with 
a definition that I create?



Julian Field wrote:
>
>
>
> UxBoD wrote:
>> Virii is virii so set as it. 
> I don't understand your English. Do you want me to tag virus-infected 
> messages as 'use-caution'?
>> The flag, IMHO, would ideally be triggered on user defined logic, 
>> around SA rules. i.e. SA rule = /secret formula/i and action would be 
>> "tag it".  HR could then review tagged messages, if a case has been 
>> brought to them that an individual was sending out confidential 
>> information.
>>   
> Yes, I get that bit. You want an action called "use-caution" which 
> would set the flag.
>
> Are there any other circumstances (in MailScanner) that would cause 
> the flag to be set?
>
>> ----- Original Message -----
>> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
>> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
>> Sent: 24 July 2007 21:30:26 o'clock (GMT) Europe/London
>> Subject: Re: Request for comments 3
>>
>>
>>
>> So I wouldn't actually *do* anything with the result. You just want 
>> me to add a "use-caution" action that sets a $message->{usecaution}=1 
>> flag in the message properties.
>> Would this flag also be set on any virus-infected message?
>> What other circumstances would cause the flag to be set?
>>
>> I do nothing with the flag, just set it for Custom Functions to use 
>> if they want to.
>>
>> UxBoD wrote:
>>  
>>> Sorry Jules,
>>>
>>> What I mean, for example KAM_CARD (as in KAM.cf), disguises a 
>>> message as from a friend/worshipper etc, but contains a URL that 
>>> *could* download a virri/trojan.
>>>
>>> Currently, this type of message gets marked as SPAM, which means a 
>>> user could potentially release it from Quarantine.
>>>
>>> What would be nice is if a SA rule could trigger a "Caution Flag", 
>>> which means that MailWatch/or a home brew application could check 
>>> this flag and stop the user from releasing it.  The user could be 
>>> directed then to ask a techie to release the message once they had 
>>> checked it out.
>>>
>>> This could also be used when a message contains potential IPR and it 
>>> just gets flagged.
>>>
>>> Just seemed a useful idea to me, but please disregard if a daft idea ;)
>>>
>>> Cheers,
>>>
>>> --[ UxBoD ]--
>>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
>>> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
>>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
>>> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>>>
>>> ----- Original Message -----
>>> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
>>> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
>>> Sent: 24 July 2007 20:34:20 o'clock (GMT) Europe/London
>>> Subject: Re: Request for comments 3
>>>
>>>
>>> I'm not quite sure what you're asking or suggesting here. What would 
>>> cause a message to be marked as "dangerous"? And what do I do with a 
>>> "dangerous" message?
>>>
>>> UxBoD wrote:
>>>      
>>>> Jules,
>>>>
>>>> I raised a question on the MailWatch list of whether it would be 
>>>> possible to not display a list of messages based on the SA rule.  
>>>> Due to changes in V2 Steve believes it would probably be better 
>>>> performed in MailScanner.
>>>>
>>>> My thoughts are based around Trojan messages, where at the moment 
>>>> they are sometimes tagged via SA rules, but users do have the 
>>>> potential to release those messages and hence pose a potential 
>>>> security risk.  This would even happen if the message is quarantined.
>>>>
>>>> Using your newly introduced code, would it be possible to introduce 
>>>> a new field where a message could be marked as caution.  It is not 
>>>> a virri but should be treated with respect.  I know it could be 
>>>> deleted via the SA rule code, but what happens if it has been 
>>>> tagged a false positive.
>>>>
>>>> A caution flag could then be used by MailWatch, or any other 
>>>> application, to stop a user releasing it and perhaps asking them to 
>>>> fill in a form to contact tech support to check the message whether 
>>>> it is okay to release.
>>>>
>>>> What has prompted this RFC is the recent eCard SPAM/Malware that 
>>>> has been shown to download Trojans and Virii.
>>>>
>>>> What is your take on this, and anybody else who perhaps sees the 
>>>> benefits?
>>>>
>>>> Regards,
>>>>
>>>> ps. You amaze me how quick you release new functionality :D
>>>> --[ UxBoD ]--
>>>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg 
>>>> --import"
>>>> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
>>>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
>>>> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>>>>
>>>> ----- Original Message -----
>>>> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
>>>> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
>>>> Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London
>>>> Subject: Re: Request for comments 3
>>>>
>>>>
>>>> Julian Field wrote:
>>>>> Steve Freegard wrote:
>>>>>                  
>>>>>> Julian Field wrote:
>>>>>>                        
>>>>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp 
>>>>>>>> will set $message->{ismcp} = 1 etc. and add the relevant paths 
>>>>>>>> in $message->{quarantineplaces}??
>>>>>>>>                                     
>>>>>>> It wasn't going to do that, no. Simply choosing to store the 
>>>>>>> message in a place doesn't change its spam status, surely?
>>>>>>>                               
>>>>>> Ok - true enough for spam, but to replace MCP with this new 
>>>>>> feature - setting store-mcp would need to set $message->{ismcp} 
>>>>>> otherwise MailWatch won't be able to tell the difference between 
>>>>>> them and the MCP stuff will get lost in the noise (and won't get 
>>>>>> counted toward the MCP stats).
>>>>>>                         
>>>>> Okay, I could do that as well. It will be easy to add that.
>>>>>                   
>>>> Also, do you need me to do anything special if they use the 
>>>> store-spam in the Non-Spam Actions and other combinations?
>>>>
>>>> Jules
>>>>
>>>>             
>>> Jules
>>>
>>>       
>>
>> Jules
>>
>>   
>
> Jules
>

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
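As an added example (not code from this thread or from MailScanner itself), here is what the CustomAction.pm sketched at the top of this message could look like in Perl, together with the kind of release gate MailWatch or a home-brew tool could run on the flag; it goes a little beyond the sketch by also accepting a 'caution:<reason>' parameter, and the hash-ref message, that reason syntax and the may_user_release check are assumptions.

```perl
# Added example (not MailScanner's own code): a CustomAction that dispatches
# on its parameter in the shape sketched above, plus a constructed release
# gate of the kind MailWatch or a home-brew tool could run. The hash-ref
# message and the 'caution:<reason>' syntax are assumptions.
use strict;
use warnings;

package MailScanner::CustomConfig;

# Called as CustomAction($message, $parameter) from the rule action (the
# thread does not fix the config syntax). Unknown parameters are logged and
# ignored so a typo in a ruleset never silently changes message handling.
sub CustomAction {
  my ($message, $parameter) = @_;
  return unless defined $parameter;
  (my $p = lc $parameter) =~ s/^\s+|\s+$//g;

  if ($p eq 'caution') {
    $message->{usecaution} = 1;        # flag only; delivery is unchanged
  } elsif ($p =~ /^caution:(\w+)$/) {
    $message->{usecaution} = 1;        # same flag, plus the reason
    push @{ $message->{cautionreasons} }, $1;
  } else {
    warn "CustomAction: unknown parameter '$parameter' ignored\n";
  }
  return;
}

package main;

# Constructed downstream check: a user may release a quarantined message
# only when it carries no caution flag; otherwise it goes to a techie.
sub may_user_release {
  my ($message) = @_;
  return $message->{usecaution} ? 0 : 1;
}

# Constructed sample messages standing in for real MailScanner objects.
my $ecard = { id => 'sample-1', isspam => 1 };
my $memo  = { id => 'sample-2', isspam => 0 };

MailScanner::CustomConfig::CustomAction($ecard, 'caution:ecard_trojan_url');
MailScanner::CustomConfig::CustomAction($memo,  'no-such-action');

for my $m ($ecard, $memo) {
  printf "%s: release %s (reasons: %s)\n", $m->{id},
    may_user_release($m) ? 'allowed' : 'blocked, ask tech support',
    join(',', @{ $m->{cautionreasons} || [] }) || 'none';
}
```

Run with `perl` on its own; the sample e-card is reported as blocked with its reason, the memo as allowed, and the unknown parameter only produces a warning on stderr.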





