Re: Simple e-mail virus scanner
Am Wed, Aug 20, 2003 at 10:40:13AM -0400, Noah L. Meyerhans sagte:
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> >
> > This approach yields a high false positive rate. This can be a major
> > annoyance on mailing lists, when you get unsubscribed because of a
> > "matching" mail body. Your filter (which seems to be based on Nigel
> > Metheringham's system_filter) does not parse MIME headers but just
> > looks for filenames following Content-Type or begin.
>
> I agree that it is not optimal. However, as I don't run Windows I don't
> expect to see any legitimate attachments whose file names match the
> regex in that filter. Same goes for the few other people who use this
> mail server. I would be much more careful about installing this filter
> in a setting where dozens or hundreds of users may be affected by it.
>
> And yes, it was based on Nigel Metheringham's filter. I just
> copy&pasted the chunks that I used.
>
> noah
>
Isn't he saying that if i do the following:
"hey I get a lot of these document_all.pif recently"
this message here get filtered?
This never happend to me using the example who was at the exim ftp-site
for a while (can't find it anymore - who likes a copy of mine?)
I was bitten by the more generall approach of "mailscanner"
(apt-cache show mailscanner)
where every "document1.sxw.pdf" is treated as bad. So I had to turn
this feature off.
As usual never ever take automated action based on a simple thing
like filename or whatever. Sort them to a special mailbox and let a
human look at it.
(me beeing very annoyed about all these "there was a virus in your mail"
I get on top of the mess)
These filters can fend off a lot of this stuff and are very cheap
(in price and CPU-time). I can only recommend using it (the right way).
gruss
pascal
Reply to: