Matt,
Thank you for this informative report.
As I have many scripts working around Declude (my intention
is to reduce them) I have to verify some things before I can turn on AVAFTERJM.
But if this will be the case here is my vote for the original R-line in the
Q-file.
Markus
A quick update on this.
I verified that when the virus
scanner triggers using AVAFTERJM ON, the COPYFILE action will not
trigger. This is good. It also means that people can ROUTETO a
null account (auto-delete account), and use the COPYFILE action in place of
HOLD and avoid having viruses stacking up in their held E-mail. The
COPYFILE action also allows for adding JunkMail headers if you include the
following command in your Global.cfg, which can be a further
benefit.
COPYFILEACTIONWITHHEADERS ON
Apparently this is the default in
SmarterMail...confusing.
There is one caveat to turning this on that I
should have mentioned earlier. Declude will modify the recipients in the
Q* file if they were changed by a COPYTO or ROUTETO action whereas the HOLD
action doesn't modify the Q* file. I did previously ask Declude to
modify this behavior so that the original Q* file is copied before the changes
are made. One good thing though is that the original recipients are
still in that file, but not in a format that IMail will route to if they are
requeued by just copying the file. You have to read and adjust the file
with a script or manually if you wish to do this. For instance, the
following would be an original Q* file:
QF:\\Dffe0699801363abc.SMD
Hmail.mailpure.com
Iffe0699801363abc
X1
WE:\mail.mailpure.com
E0,
S<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
After
a ROUTETO action sends the message to [EMAIL PROTECTED] and
the COPYFILE action is applied with this switch, the Q* file would look like
the following:
QF:\\Dffe0699801363abc.SMD
Hmail.mailpure.com
Iffe0699801363abc
X1
WE:\mail.mailpure.com
E0,
S<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
As
you can see, the "R" line is what IMail will actually deliver to, but you can
read the file, delete the "R" lines and change the "NRCPT TO" lines to "R"
lines and then requeue the message.
And another note about this.
If others prefer the original Q file instead of the modified one to be used
with COPYFILE, please voice your opinions. I can't understand how the
modified Q file is useful at all, so I believe the behavior should be changed
entirely instead of adding a switch and further complicating the code.
This essentially would make it just like HOLD, but not a final action, and
with the ability to have JunkMail headers in the D*
file.
Matt
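The Q* file adjustment described in the message above (delete the "R" lines, turn the "NRCPT TO" lines into "R" lines), as an added example that is not part of the original thread or of Declude/IMail. It assumes one field per line as in the samples; the function name and the addresses in the sample are constructed placeholders.

```python
import re

# Assumed layout, inferred from the samples in the message: one field per line,
# "R<addr>" = recipient IMail delivers to, "NRCPT TO:<addr>" = original recipient.
ORIG_RCPT = re.compile(r"^NRCPT TO:\s*(<[^<>]+>)\s*$")
DELIVERY_RCPT = re.compile(r"^R<[^<>]+>\s*$")

def restore_original_recipients(qfile_text):
    """Return (new_text, restored) with R lines rebuilt from NRCPT TO lines."""
    lines = qfile_text.splitlines(keepends=True)
    restored = []
    for line in lines:
        m = ORIG_RCPT.match(line.rstrip("\r\n"))
        if m:
            restored.append(m.group(1))
    if not restored:
        # No NRCPT TO lines: the file was never rewritten, so dropping its
        # R lines would leave the message with no recipients. Leave it alone.
        return qfile_text, []
    out = []
    for line in lines:
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the file's own line endings
        m = ORIG_RCPT.match(body)
        if m:
            out.append("R" + m.group(1) + eol)
        elif not DELIVERY_RCPT.match(body):
            out.append(line)            # every other field passes through
    return "".join(out), restored

# Constructed sample: field values from the message, addresses are placeholders.
SAMPLE = "\r\n".join([
    r"QF:\\Dffe0699801363abc.SMD", "Hmail.mailpure.com", "Iffe0699801363abc",
    "X1", r"WE:\mail.mailpure.com", "E0,", "S<sender@example.org>",
    "NRCPT TO:<user@example.com>", "R<spamtrap@example.com>",
]) + "\r\n"

if __name__ == "__main__":
    new_text, restored = restore_original_recipients(SAMPLE)
    print("restored:", restored)
    print(new_text, end="")
```

Run it against a copy of the Q* file and compare the result before placing anything back in the spool.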
Matt wrote:
Let me try to
summarize what seems to be the consensus here.
With AVAFTERJM ON,
only certain final actions will result in no virus scanning. Those
apparently include the following:
HOLD
DELETE
DELETE_RECIPIENT (for the deleted recipients)
On the
following final actions, virus scanning will occur:
DELETE_RECIPIENT (for non-deleted recipients)
ROUTETO
COPYTO
WARN
SUBJECT
HEADER
FOOTER
ALERT
LOG
BEEP
The following final actions are
unclear to me as to the behavior and I haven't seen a mention about them
here:
COPYFILE (for the file copied not the one delivered, might copy the virus)
MAILBOX (maybe bypasses virus scanning, could use ROUTETO instead)
ATTACH (not sure how this affects virus scanning, could bypass it in certain situations or all)
BOUNCEONLYIFYOUMUST (might bypass virus scanning)
It would seem that the only new
issues under the most common configurations where spam is captured to
accounts using ROUTETO would be that undetected viruses could land in these
accounts. This is probably not that much E-mail on the typical day,
though it could potentially include banned extensions that would create
bounces with JunkMail running last. There would be an advantage to
this in that it would help stop backscatter though. One could create a
filter to segregate messages in these spam capture accounts that contained a
common virus executable so that they could be handled differently, for
instance, one could use the HEADER action or WARN action to tag the headers
and then use IMail rules to move these messages into a special folder or
delete them from the spam capture accounts if that was
preferred.
Would people agree that this is
accurate?
Matt
Darrell ([EMAIL PROTECTED])
wrote:
HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned. Think of it this
way anything that ends up being delivered somewhere (i.e. mailbox etc)
gets scanned.
Darrell
Matt writes:
This is the crux of the issue that I would like
to figure out. I am however under the impression that if you DELETE
a message, Declude Virus never gets it. I suspect that HOLD and
MAILBOX are also that way. I am unsure about ROUTETO, and that is
what really matters to me. As far as savings of resources, it is
apparently huge, especially for those running multiple virus
scanners. Virus scanning takes more CPU than all but the biggest
JunkMail configs (things like custom filters with thousands of lines of
BODY or ANYWHERE searches). I know that on my system I Delete
about 70% of all messages, ROUTETO about 10%, and deliver about
20%. I would like to save on scanning what I would otherwise be
deleting with JunkMail.
Matt
Keith Johnson wrote:
Markus,
However, Darrell mentioned that the AV scanner still runs once action is taken
against the SPAM message (i.e. routeto, subject, etc.). Is this not
true?
Keith
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
So, with or without AVAFTERJM, it looks like
each message is scanned by the virus scanner (which makes sense to
me).
Wrong... if you block
the messages on the servers: As we know usually >50% of all
incoming messages are spam. We know too that resource usage of
one or two scan-engines is way above the entire spam filtering
even if you use 5-6 external applications like sniffer, inv-uribl,
spamchk, ... So if your spam filters are set up properly they
will filter out at least 50% of all incoming messages before they
will reach the av-engines.
Markus
--- [This E-mail was scanned for viruses by Declude EVA www.declude.com]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives
can be found at http://www.mail-archive.com.
-------------------------------------------
Check out http://www.invariantsystems.com
for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude
Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and
Log Parsers.