<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: Message Flow Diagram</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>> My observations on the diagram are:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> 1. Very good, very useful.</FONT>
</P>
<P><FONT SIZE=2>Thanks!</FONT>
</P>
<P><FONT SIZE=2>> 2. Might be nice to show the Virus Test as an external </FONT>
<BR><FONT SIZE=2>> process from MailScanner, even more so than the Spam Tests, </FONT>
<BR><FONT SIZE=2>> as MS does do some of its own spam checks, however it does </FONT>
<BR><FONT SIZE=2>> not do any of its own anti virus checking.</FONT>
</P>
<P><FONT SIZE=2>This is a great idea. I will incorporate this into the document. When I originally implemented this server it was built for spam filtering only. Virus tests were added later on, which may be apparent by the hasty addition of virus tests to the diagram. </FONT></P>
<P><FONT SIZE=2>> 3. Might also be nice to indicate that multiple anti-virus </FONT>
<BR><FONT SIZE=2>> engines can be used (choose the one you want, or use a combination).</FONT>
</P>
<P><FONT SIZE=2>I purposefully took out some of my environment specific information when posting. I am only using one virus scanner at this time but I hear many of you use several. I think the final version of this diagram could be distributed with a 'fill in the blanks' approach so you could plug in your own applications to the flow (for virus scanners and MTAs, since not everyone uses sendmail). </FONT></P>
<P><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>> 4. At the end of the MailScanner process, you have Quarantine </FONT>
<BR><FONT SIZE=2>> and Deliver; I think Discard and Bounce would be good to add as well.</FONT>
</P>
<P><FONT SIZE=2>I should have clarified my configuration before sending. I run using high scoring spam score 9 / spam score 4.5 with high scoring actions set to store, forward spam-alert@domain.com mailbox and a spam score action set to forward spam-review@domain.com, deliver. That way, I have two mailboxes, spam-alert can be reviewed by operations for false positives that were not delivered to users and spam-review can be monitored by spam-filter staff for false positives and considerations for modifications to the system. This configuration does allow for a lot of flexibility but when you are identifying 20K+ spam messages per day, the mailboxes can get quite full very quickly. I have found this approach necessary for at least the initial tuning phase of spam-filter system deployment. </FONT></P>
<P><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Hope these comments are useful,</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Regards,</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Antony.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> --</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> The idea that Bill Gates appeared like a knight in shining </FONT>
<BR><FONT SIZE=2>> armour to lead all customers out of a mire of technological </FONT>
<BR><FONT SIZE=2>> chaos neatly ignores the fact that it was he who, by peddling </FONT>
<BR><FONT SIZE=2>> second-rate technology, led them into it in the first place.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> - Douglas Adams in The Guardian, August 25, 1995</FONT>
<BR><FONT SIZE=2>> </FONT>
</P>
</BODY>
</HTML>