Viruses flagged as spam too

Scott Silva ssilva at sgvwater.com
Sat Jun 7 00:42:24 IST 2008


on 6-6-2008 2:17 AM James Gray spake the following:
> 
> On 06/06/2008, at 5:03 PM, Martin.Hepworth wrote:
> 
>> James
>>
>> How many viruses are you seeing? I.e., what's the size of the problem? For
>> me I see very few (1 a day maybe), so this option wouldn't gain me much.
> 
> Not that many - probably accounting for about 50% of all virus 
> detections, which in turn is less than 1% of total mail volume.  
> However, the work involved explaining that an email can be BOTH a virus 
> and spam is chewing up significantly more than 0.5% of our support 
> desk's resources (probably 1-2 man hours per day!).  Consequently I've 
> been asked to investigate ways to mitigate the confusion from a 
> technical perspective, by avoiding the double classification (if 
> possible).  Failing that, we'll try to educate the users in a formal 
> training scheme (probably just one of the support people spending a few 
> minutes with each business unit and backed up with some documentation 
> etc.) .... but as they say, "you can lead a (l)user to a clue, but you 
> can't make them think".
> 
> I also think Phil's comment that learning the viruses as spam can
> have a positive effect when the viruses inevitably morph is another
> bonus to throw at the "powers that be".  However, protection from a
> *possible* future threat doesn't solve the immediate problem of 
> disproportionate resource consumption of our support team.  Frankly, I 
> don't really care about the processing overhead (the time is 
> negligible).  I just want to avoid the double classification of 
> spam+virus.  One classification or the other seems to be about all our 
> users are capable of processing in a single message :P
> 
> Cheers,
> 
> James
> 
Just don't notify your users of viruses. I don't notify my users of either 
viruses or high scoring spam. I quarantine for a short while high spam that 
scores less than 30, and dump the rest. Low spam is the only thing that gets 
passed and tagged.
If you let the users know that something was blocked, they are going to want
to see it because they always assume they know better. I don't even have
execs complaining about it. Sure I have had a few FPs, but I get notified of
everything, and usually release the FPs before they know what happened.
Their time is too valuable to mess with the crap, and they pay me to watch
out for them.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
