IIRC, the HOLD action was where the risk came in.  Messages that are
held by Declude using AVAFTERJM and then manually re-queued (via, say,
the old SpamReview app) would NOT be scanned for viruses at all, since
re-queued messages bypass Declude altogether.   

HOLD is the only 'semi-final' action.  All other actions either deliver
the email to an mbox (in which case it is scanned by EVA), or remove the
message completely (which is where the saved cycles come in).  

IMO, AVAFTERJM should be changed so that only deleted emails, not held
ones, bypass the AV scan.   In other words, all messages should be
first scanned for spam, then the ones that are not DELETED should all be
scanned for viruses.  This would close the security risk from re-queued
messages.  The AVAFTERJM option would then only be useful for those that
use the DELETE action, but with the huge security risk involved in
requeueing unscanned messages I think that it is ALREADY only useful for
those that use the DELETE action.  Unfortunately the manual isn't clear
on this point.

At the very least, Declude should add a warning to the manual around
AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the
same configuration.

--DH

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.

Think of it this way anything that ends up being delivered somewhere
(i.e. mailbox etc) gets scanned.

Darrell 


Matt writes: 

> This is the crux of the issue that I would like to figure out. 
> 
> I am however under the impression that if you DELETE a message, 
> Declude Virus never gets it.  I suspect that HOLD and MAILBOX are also
> that way.
> I am unsure about ROUTETO, and that is what really matters to me. 
> 
> As far as savings of resources, it is apparently huge, especially for 
> those running multiple virus scanners.  Virus scanning takes more CPU 
> than all but the biggest JunkMail configs (things like custom filters 
> with thousands of lines of BODY or ANYWHERE searches).  I know that on
> my system I Delete about 70% of all messages, ROUTETO about 10%, and 
> deliver about 20%.  I would like to save on scanning what I would 
> otherwise be deleting with JunkMail.
> 
> Matt
> 
>  
> 
> Keith Johnson wrote: 
> 
>> Markus,
>>    However, Darrell mentioned that the AV scanner still runs once 
>> action is taken against the SPAM message (i.e. routeto, subject, etc.).
>> Is this not true? 
>> 
>> Keith
>> 
>> -----Original Message-----
>> From: [EMAIL PROTECTED] 
>> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
>> Sent: Friday, January 27, 2006 12:03 PM
>> To: Declude.Virus@declude.com
>> Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
>> 
>> 
>>   
>> 
>>> So, with or without AVAFTERJM, it looks like each message is scanned
>>> by the virus scanner (which makes sense to me).
>>>     
>>> 
>> 
>> Wrong... if you block the messages on the servers: 
>> 
>> As we know usually >50% of all incoming messages are spam.
>> We know too that resource usage of one or two scan-engines is way 
>> above the entire spam filtering even if you use 5-6 external 
>> applications like sniffer, inv-uribl, spamchk, ...
>> 
>> So if your spam filters are set up properly they will filter out at
>> least 50% of all incoming messages before they will reach the 
>> av-engines.
>> 
>> Markus
>> 
>> ---
>> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
>> 
>> ---
>> This E-mail came from the Declude.Virus mailing list.  To 
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.Virus".    The archives can be found
>> at http://www.mail-archive.com.
 


 -------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers. 

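The behaviour discussed in this thread, as an added model that is not part of any message above and not Declude code: it counts AV scans and infected messages reaching a mailbox under three orderings (scan everything first, AVAFTERJM as the posters describe it, and the proposed "scan everything except DELETE"). The `DELIVER` action name, the `requeued` flag, the policy names, the sample batch and the assumption of perfect AV detection are all constructed for illustration.

```python
from dataclasses import dataclass

# Actions that end in delivery. ROUTETO and SUBJECT are named in the thread;
# DELIVER is a hypothetical stand-in for "no spam action taken".
DELIVERING = {"ROUTETO", "SUBJECT", "DELIVER"}

@dataclass
class Msg:
    action: str             # JunkMail action: DELETE, HOLD, or one of DELIVERING
    infected: bool
    requeued: bool = False  # held message manually re-queued by an admin

def run(msgs, policy):
    """Return (av_scans, infected_messages_delivered) for one policy.

    av_first  : every message is virus scanned before spam filtering
    avafterjm : as described in the thread, only delivered messages are scanned
    proposal  : everything that is not DELETEd is scanned, HOLD included
    """
    scans = leaks = 0
    for m in msgs:
        if policy == "av_first":
            scanned = True
        elif policy == "avafterjm":
            scanned = m.action in DELIVERING
        elif policy == "proposal":
            scanned = m.action != "DELETE"
        else:
            raise ValueError(f"unknown policy: {policy}")
        scans += scanned
        if scanned and m.infected:
            continue  # caught by the scanner (model assumes perfect detection)
        # Re-queued held mail goes straight to delivery, per the thread.
        delivered = m.action in DELIVERING or (m.action == "HOLD" and m.requeued)
        if delivered and m.infected:
            leaks += 1
    return scans, leaks

# Constructed sample batch of ten messages.
BATCH = (
    [Msg("DELETE", True)] * 2 + [Msg("DELETE", False)] * 4
    + [Msg("HOLD", True, requeued=True), Msg("HOLD", False, requeued=True)]
    + [Msg("ROUTETO", True), Msg("DELIVER", False)]
)

if __name__ == "__main__":
    for p in ("av_first", "avafterjm", "proposal"):
        print(p, run(BATCH, p))
```

In this batch the proposed ordering costs two more scans than AVAFTERJM (the two held messages) and removes the one infected delivery, while still skipping the six deleted messages.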