A quick update on this.
I verified that when the virus scanner triggers using AVAFTERJM ON,
the COPYFILE action will not trigger. This is good. It also means
that people can ROUTETO a null account (auto-delete account), and use
the COPYFILE action in place of HOLD and avoid having viruses stacking
up in their held E-mail. The COPYFILE action also allows for adding
JunkMail headers if you include the following command in your
Global.cfg, which can be a further benefit.
COPYFILEACTIONWITHHEADERS ON
Apparently this is the default in SmarterMail...confusing.
There is one caveat to turning this on that I should have mentioned
earlier. Declude will modify the recipients in the Q* file if they
were changed by a COPYTO or ROUTETO action whereas the HOLD action
doesn't modify the Q* file. I did previously ask Declude to modify
this behavior so that the original Q* file is copied before the changes
are made. One good thing though is that the original recipients are
still in that file, but not in a format that IMail will route to if
they are requeued by just copying the file. You have to read and
adjust the file with a script or manually if you wish to do this. For
instance, the following would be an original Q* file:
QF:\\Dffe0699801363abc.SMD
Hmail.mailpure.com
Iffe0699801363abc
X1
WE:\mail.mailpure.com
E0,
S<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
After a ROUTETO action sends the message to [EMAIL PROTECTED]
and the COPYFILE action is applied with this switch, the Q* file would
look like the following:
QF:\\Dffe0699801363abc.SMD
Hmail.mailpure.com
Iffe0699801363abc
X1
WE:\mail.mailpure.com
E0,
S<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
As you can see, the "R" line is what IMail will actually deliver to,
but you can read the file, delete the "R" lines and change the "NRCPT
TO" lines to "R" lines and then requeue the message.
And another note about this. If others prefer the original Q file
instead of the modified one to be used with COPYFILE, please voice your
opinions. I can't understand how the modified Q file is useful at all,
so I believe the behavior should be changed entirely instead of adding
a switch and further complicating the code. This essentially would
make it just like HOLD, but not a final action, and with the ability to
have JunkMail headers in the D* file.
Matt
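The requeue fix-up described above (delete the "R" lines, turn each "NRCPT TO" line into an "R" line), as an added example that is not part of the original post and not Declude or IMail code. It assumes the Q* line layout shown in the samples above; the addresses in the sample are constructed placeholders for the redacted ones.

```python
import sys

N_PREFIX = "NRCPT TO:"  # original-recipient record, as shown in the post's sample

# Constructed sample of a Q* file after ROUTETO + COPYFILE (addresses are made up).
SAMPLE_MODIFIED_Q = "\r\n".join([
    r"QF:\\Dffe0699801363abc.SMD",
    "Hmail.mailpure.com",
    "Iffe0699801363abc",
    "X1",
    r"WE:\mail.mailpure.com",
    "E0,",
    "S<sender@example.net>",
    "NRCPT TO:<user1@example.com>",
    "NRCPT TO:<user2@example.com>",
    "R<spamtrap@example.com>",
]) + "\r\n"

def restore_recipients(q_text):
    """Return (new_text, recipients): R lines rebuilt from the NRCPT TO lines."""
    out, recipients = [], []
    for line in q_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the file's own line endings
        if body.startswith(N_PREFIX):
            addr = body[len(N_PREFIX):].strip()
            if len(addr) < 3 or not (addr.startswith("<") and addr.endswith(">")):
                raise ValueError(f"malformed recipient line: {body!r}")
            recipients.append(addr)
            out.append("R" + addr + eol)
        elif body.startswith("R<"):
            continue                    # drop the rerouted recipient written by the action
        else:
            out.append(line)
    if not recipients:
        # Without NRCPT TO lines the result would have no recipients at all.
        raise ValueError("no NRCPT TO lines found; file left unchanged")
    return "".join(out), recipients

if __name__ == "__main__":
    # With a path argument, rewrite that Q* file to stdout; otherwise use the sample.
    text = SAMPLE_MODIFIED_Q
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1", newline="") as fh:
            text = fh.read()
    fixed, rcpts = restore_recipients(text)
    sys.stdout.buffer.write(fixed.encode("latin-1"))
```

The script writes the rewritten file to stdout and never edits the copy in place, so the COPYFILE'd original stays available for comparison before anything is requeued.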
Matt wrote:
Let me try to summarize what seems to be the consensus here.
With AVAFTERJM ON, only certain final actions will result in no virus
scanning. Those apparently include the following:
HOLD
DELETE
DELETE_RECIPIENT (for the deleted recipients)
On the following final actions, virus scanning will occur:
DELETE_RECIPIENT (for non-deleted recipients)
ROUTETO
COPYTO
WARN
SUBJECT
HEADER
FOOTER
ALERT
LOG
BEEP
The following final actions are unclear to me as to the behavior and I
haven't seen a mention about them here:
COPYFILE (for the file copied not the one delivered, might copy the virus)
MAILBOX (maybe bypasses virus scanning, could use ROUTETO instead)
ATTACH (not sure how this affects virus scanning, could bypass it in certain situations or all)
BOUNCEONLYIFYOUMUST (might bypass virus scanning)
It would seem that the only new issues under the most common
configurations where spam is captured to accounts using ROUTETO would
be that undetected viruses could land in these accounts. This is
probably not that much E-mail on the typical day, though it could
potentially include banned extensions that would create bounces with
JunkMail running last. There would be an advantage to this in that it
would help stop backscatter though. One could create a filter to
segregate messages in these spam capture accounts that contained a
common virus executable so that they could be handled differently, for
instance, one could use the HEADER action or WARN action to tag the
headers and then use IMail rules to move these messages into a special
folder or delete them from the spam capture accounts if that was
preferred.
Would people agree that this is accurate?
Matt
Darrell ([EMAIL PROTECTED]) wrote:
HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.
Think of it this way: anything that ends up being delivered somewhere
(i.e. mailbox etc) gets scanned.
Darrell
Matt writes:
This is the crux of the issue that I would
like to figure out.
I am however under the impression that if you DELETE a message, Declude
Virus never gets it. I suspect that HOLD and MAILBOX are also that
way. I am unsure about ROUTETO, and that is what really matters to me.
As far as savings of resources, it is apparently huge, especially for
those running multiple virus scanners. Virus scanning takes more CPU
than all but the biggest JunkMail configs (things like custom filters
with thousands of lines of BODY or ANYWHERE searches). I know that on
my system I Delete about 70% of all messages, ROUTETO about 10%, and
deliver about 20%. I would like to save on scanning what I would
otherwise be deleting with JunkMail.
Matt
Keith Johnson wrote:
Markus,
However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true?
Keith
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
So, with or without AVAFTERJM, it looks
like each message is scanned by the virus scanner (which makes sense to
me).
Wrong... if you block the messages on the servers:
As we know, usually >50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications
like sniffer, inv-uribl, spamchk, ...
So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines.
Markus
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
-------------------------------------------
Check out http://www.invariantsystems.com
for utilities for Declude,
Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.