<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1170" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Without going through the code (which in my case
would be pointless :)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Can somebody help me understand the sequence and
decision making for handling/notifications that MailScanner uses?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>In looking at a couple of log entries relating to
Sobig...it seems that the system processes the SPAM checking, then (since action
is deliver) scans with virus scanner and finds an infected attachment. The
system quarantines as it should...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>New Batch: Scanning 1 messages, 101651 bytes<BR>
Spam Checks: Starting<BR>
Aug 21 10:14:00 HOST MailScanner[18553]: Message 93F0F1C00E from 1.2.3.4 (<A
href="mailto:user@example.net">user@example.net</A>) to example.com is spam,
SpamAssassin (score=6, required 6, BAYES_20 -2.60, DCC_CHECK 2.63,
FORGED_MUA_OUTLOOK 2.17, INVALID_DATE 0.59, MICROSOFT_EXECUTABLE 0.10,
MIME_BOUND_NEXTPART 0.16, MISSING_MIMEOLE 0.10, NO_REAL_NAME 1.15,
RAZOR2_CF_RANGE_91_100 1.21, RAZOR2_CHECK 0.88, X_AUTH_WARNING -0.40)<BR>
Spam Checks: Found 1 spam messages<BR>
Spam Actions: message 93F0F1C00E actions are deliver<BR>
MailScanner E-Mail Virus Scanner version 4.22-5 starting...<BR>
Config: calling custom init function SQLLogging<BR>
Initialising SQL Logging temp files<BR>
Virus and Content Scanning: Starting<BR>
INFECTED:: W32/Sobig-F:: ./93F0F1C00E/document_all.pif<BR>
Virus Scanning: SophosSAVI found 1 infections<BR>
Virus Scanning: Found 1 viruses<BR>
Filetype Checks: No executables (document_all.pif)<BR>
Other Checks: Found 1 problems<BR>
Saved entire message to /quarantine/example.com/20030821/93F0F1C00E<BR>
writing to /quarantine/example.com/20030821/93F0F1C00E/message: No such file or
directory</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>With that said, I pose the following questions and
my attempt at the answers:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>1. Will the virus scanner always run no
matter what the disposition and handling direction is for SPAM?</FONT></DIV>
<DIV><FONT face=Arial size=2>Answer: Yes, no matter what handling or
detection is done on the SPAM characteristics, the VIRUS scanner will be run
against the message.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>2. If so, which disposition takes
priority? the SPAM or the VIRUS handling instructions?</FONT></DIV>
<DIV><FONT face=Arial size=2>Answer: No matter the disposition/handling of
the SPAM identified message, if the VIRUS SCAN is positive for a virus, VIRUS
processing and handling takes over.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>3. This got me to thinking about VIRUS
handling....is it safe to say that IF a message is clean, it's passed and handled
appropriately, however if it is infected, the scanner will attempt to clean the
virus? If it can clean the virus, it passes the message with a "Virus
disinfected" notification? If it's not able to clean the virus the system
deletes the attachment unless it's told otherwise in the "Quarantine Infections
=" directive?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Sorry for the long-winded question, just spawned a
couple of ideas...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>CT</FONT></DIV>
</BODY></HTML>