[Mimedefang] Quarantine based on content

Cormack, Ken kcormack at acs.roadway.com
Tue Aug 5 15:52:01 EDT 2003


Thanks for changing the subject line.  I realized once I clicked "send", that
I'd forgotten to change the subject-line.  (It's like realizing your keys
are in the ignition, but you still slam the locked car door!)

Redirection to another account sounds like a good compromise between "tell
no one", and "scream at deaf ears".  However, one would assume the Exchange
admins could simply monitor the existing Trend quarantine directory on the
Exchange server, to achieve that goal.  Simply offloading that task to the
Unix group (me), doesn't thrill me either.

Ideally, I think the best option may just be to wait until the sendmail
"spillover host" that I proposed gets budgeted for.  Then, if a message
doesn't get delivered on the first try, it would be off-loaded to the
spill-over to deal with.  The primary server's queue could remain small,
clean, and speedy, while the congested backlog (including undeliverable
bounce-backs from Trend) is moved to a second host.  But I digress, and
that's off-topic.

Anyway, thanks again, Stefano.  :)


-----Original Message-----
From: Stefano McGhee [mailto:SMcGhee at arcweb.com]
Sent: Tuesday, August 05, 2003 3:33 PM
To: mimedefang at lists.roaringpenguin.com
Subject: RE: [Mimedefang] Quarantine based on content WAS: MIMEDefang
2.36-BETA-2 plus administrivia

Hey Ken,
	I changed the subject to reflect what you were trying to do.  To
answer your first question: Yes, that can be done with SpamAssassin.  I
would just put something similar to:

rawbody MY_TRENDTEST /Trend SMEX Content Filter has detected sensitive content/
describe MY_TRENDTEST Found something Trend thought was spam

Into my sa-mimedefang.cf file.  Headers may be more to your liking for the

	As for consensus, I think that most people agree that SOMEONE
should be notified in the case of non-delivery.  The only exception are
viruses that forge the from address.  I would recommend redirecting the bad
stuff to a spam mailbox so that a human can review it or delete it at their
leisure, but then again, I'm not at a high volume site.

Hope that helps,


> I was thinking it would be nice to have MIMEDefang (v2.35), in conjunction
> with Mail::SpamAssassin (v2.55), examine each message and/or attachments for
> the string "Trend SMEX Content Filter has detected sensitive content".  If
> this string could be assigned an artificially high SA score, MIMEDefang
> could then ensure that the bounce-back gets quarantined (and therefore,
> removed from the queue).  We currently quarantine anything with an SA score
> of 20 or greater.

> However, what is the consensus regarding NOT sending back a notification to
> a legitimate sender, whose original message may have been mistakenly
> identified (by Trend) as spam?
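
The quarantine step discussed in this thread, as an added example that is not part of the original messages and not MIMEDefang's own code: a `filter_end` fragment for the mimedefang-filter file that quarantines and drops anything at or above the SA score of 20 mentioned above. It assumes the MY_TRENDTEST rule is loaded from sa-mimedefang.cf; the `score` value in the comment and the quarantine reason text are constructed for illustration.

```perl
# Added example: fragment of a mimedefang-filter file (runs inside MIMEDefang,
# not as a stand-alone script).
#
# Assumes sa-mimedefang.cf contains the MY_TRENDTEST rule from this thread
# plus a score line that pushes it over the quarantine threshold, e.g.:
#   score MY_TRENDTEST 25        (constructed value)

sub filter_end {
    my ($entity) = @_;

    # Skip scoring if MIMEDefang was started without SpamAssassin support.
    return unless $Features{"SpamAssassin"};

    # Returns: total score, required score, comma-separated names of the
    # rules that hit, and the SpamAssassin report text.
    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;
    $names = '' unless defined $names;

    # True when the Trend bounce-back rule was one of the rules that fired.
    my $trend_bounce = grep { $_ eq 'MY_TRENDTEST' } split /,/, $names;

    # Site threshold from the thread: quarantine at an SA score of 20 or more.
    if ($hits >= 20) {
        my $why = $trend_bounce
            ? "Trend SMEX bounce-back (score $hits)"
            : "SpamAssassin score $hits ($names)";

        # Keep a copy in the quarantine directory for later human review.
        action_quarantine_entire_message($why);

        # Quarantining alone does not change delivery; discard so the
        # message is accepted and then dropped instead of sitting in the
        # queue. No notification is sent to the sender.
        action_discard();
    }
}

1;  # a filter file must end with a true value
```

Replacing `action_discard()` with `action_bounce()` rejects the message at SMTP time instead, which leaves any notification to the connecting host.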

