Well... it _might_ be a lot of activity. Do you log your anti-spam and
anti-virus detections? If you do, I would look at changing trends in
those logs because in benchmarking against "legit" mail you are neglecting
all mail rejected by your filter -- which could be a considerable amount.
In my experience, if you are experiencing an email bombing campaign the
first sign will be a _large_ amount of unfiltered mail. It is very
difficult for Bayesian filters to keep up with dramatic changes in mail
message formats. If the mail is targeted at you specifically, Bayesian
filters won't fare well, and neither will black lists and other
techniques.
468 infected messages may be of no consequence, but you may want to keep
an eye on it. You'll probably know if you are under attack by what's in
your inbox. If you see no change, then your filter is doing its job...
just watch the bandwidth consumption ;)
- Sebastian
On Wed, 7 Jun 2006, Rick Shepherd wrote:
At the risk of sounding retarded it would appear from this that my server
was hit 468 times with infected spam yesterday in addition to a handful of
just infected email. That sounds like a lot of virus activity on a domain
that typically processes a few hundred emails (legit) daily.
R
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sebastian Smith
Sent: Wednesday, June 07, 2006 11:10 AM
To: Rick Shepherd
Cc: [email protected]
Subject: Re: [RLUG] Logwatch report
Rick,
That's how I read that message. Depending upon your filter the message
may still be in a "quarantine" of some sort.
- Sebastian
On Wed, 7 Jun 2006, Rick Shepherd wrote:
I have been curious about a Logwatch report I get which includes at the
top,
"468 messages destined for quarantine intentially (sic) not quarantined
(spam level exceeds quarantine cutoff level)." I assume this means that
there were 468 messages that were going to ClamAV quarantine (presumably
because they were infected) but got dumped because they were also spam. Am I
reading that correctly?
Rick Shepherd
_______________________________________________
RLUG mailing list
[email protected]
http://lists.rlug.org/mailman/listinfo/rlug