On Sat, Jun 28, 2003, Antony Stone <[EMAIL PROTECTED]> wrote:
> On Saturday 28 June 2003 12:13 am, Johannes Erdfelt wrote:
>
> > On Fri, Jun 27, 2003, Antony Stone <[EMAIL PROTECTED]> wrote:
> > > On Friday 27 June 2003 11:50 pm, Johannes Erdfelt wrote:
> > > > On Fri, Jun 27, 2003, Antony Stone <[EMAIL PROTECTED]> wrote:
> > > > > MailScanner will remove infected attachments from emails and deliver
> > > > > the remainder of the email as it was. Is that not what you want to
> > > > > do?
> > > >
> > > > No. Like I mentioned further below the quote above, I don't want to
> > > > deliver the body of worms. There's no point to deliver them and will
> > > > just waste disk space and the users' time.
> > > >
> > > > That's why I wanted to differentiate between viruses that attach to
> > > > payloads (think infected executable) where the rest of the message
> > > > and/or attachments might still be useful, versus worms which send their
> > > > own emails and as a result, the entire message is useless.
> > >
> > > MailScanner has its own list of such viruses (called "silent viruses",
> > > because it should keep quiet and not inform the apparent sender, because
> > > this is almost certainly a false address), therefore it is possible for
> > > MailScanner to decide what to do with different types of infection, even
> > > if the anti-virus engine (MailScanner supports 15 different ones) does
> > > not supply this information.
> >
> > Ahh, that's good to know.
> >
> > While MailScanner seems to be a fine application, I have various reasons
> > why I want to develop something myself.
>
> I'm interested to know why that is. MailScanner is a very capable and
> well-established application, and it would seem a big task to reproduce this
> - for what benefit?

Performance is one. Perl isn't as speedy as I want.

It doesn't stop viruses or spam early enough either. I want them stopped
at SMTP time.

I also have a few more features I want to implement.

> > That being said, is there any interest to add similar functionality into
> > the scanning engine? This way the metadata is kept with the signature.
>
> That does seem like a good idea. An obvious way to do it might be to have a
> specific (short) string of characters as the start or end of the virus name
> which classifies it in this way?

I thought about that at one point, but I don't think it's a reliable way
of handling it. I wouldn't want to presume that all signatures that start
with Worm are completely bogus and should be dropped.

JE
