
Re: Simple e-mail virus scanner

On Wed, Aug 20, 2003 at 10:40:13AM -0400, Noah L. Meyerhans said:
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> > 
> > This approach yields a high false positive rate. This can be a major
> > annoyance on mailing lists, when you get unsubscribed because of a
> > "matching" mail body. Your filter (which seems to be based on Nigel
> > Metheringham's system_filter) does not parse MIME headers but just
> > looks for filenames following Content-Type or begin.
> I agree that it is not optimal.  However, as I don't run Windows I don't
> expect to see any legitimate attachments whose file names match the
> regex in that filter.  Same goes for the few other people who use this
> mail server.  I would be much more careful about installing this filter
> in a setting where dozens or hundreds of users may be affected by it.
> And yes, it was based on Nigel Metheringham's filter.  I just
> copy&pasted the chunks that I used.
> noah

Isn't he saying that if I do the following:
"hey I get a lot of these document_all.pif recently"
this message here gets filtered?

This never happened to me using the example that was at the exim ftp-site
for a while (can't find it anymore - who would like a copy of mine?)

I was bitten by the more general approach of "mailscanner"
(apt-cache show mailscanner)
where every "document1.sxw.pdf" is treated as bad. So I had to turn
this feature off.

As usual never ever take automated action based on a simple thing
like filename or whatever. Sort them to a special mailbox and let a
human look at it.
(me being very annoyed about all these "there was a virus in your mail"
I get on top of the mess)

These filters can fend off a lot of this stuff and are very cheap
(in price and CPU-time). I can only recommend using it (the right way).
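
Added example (not part of the original message, and not the Exim system filter discussed in the thread): a Python comparison of a raw-text filename regex, which fires on a message that merely mentions document_all.pif, with a check that parses the MIME structure, looks only at declared attachment names, and routes hits to quarantine for human review. The extension list, the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Assumed extension list for illustration; not the list from the thread's filter.
EXT = r"(?:pif|scr|exe|bat|com|vbs)"
NAIVE = re.compile(r"[\w.-]+\." + EXT + r"\b", re.IGNORECASE)  # anywhere in raw text
RISKY_NAME = re.compile(r"\." + EXT + r"\s*$", re.IGNORECASE)  # final extension only

def naive_match(raw):
    """Body-wide match: fires on any risky-looking name, even in plain prose."""
    return NAIVE.search(raw) is not None

def mime_verdict(raw):
    """Walk the MIME parts and judge only declared attachment file names."""
    msg = message_from_string(raw)
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, else Content-Type name=
        name = part.get_filename()
        if name and RISKY_NAME.search(name):
            return "quarantine"  # sort to a special mailbox for human review
    return "deliver"

def build(body, attachment=None):
    """Construct a sample message (test data, not real mail)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"sample bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()

# Constructed samples: a mail that only talks about the file, a mail that
# carries it, and a mail with a harmless double-extension attachment.
DISCUSSION = build("hey I get a lot of these document_all.pif recently")
INFECTED = build("see attached", "document_all.pif")
BENIGN = build("report attached", "document1.sxw.pdf")

if __name__ == "__main__":
    for label, raw in [("discussion", DISCUSSION), ("infected", INFECTED),
                       ("benign", BENIGN)]:
        print(label, "naive:", naive_match(raw), "mime:", mime_verdict(raw))
```

The check on the final extension alone is why document1.sxw.pdf is delivered here; a rule that treats every double extension as bad would flag it.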

