[Mimedefang] Sven is driving me crazy!

Michael W. Cocke cocke at catherders.com
Fri Sep 19 17:42:02 EDT 2003


On Fri, 19 Sep 2003 14:38:23 -0400, you wrote:

>"Michael W. Cocke" wrote:
>> When mimedefang (2.36) performs an action on a message (removes an
>> attachment, the virus checker that mimedefang calls detected a virus,
>> etc.) does the message get sent along to the next step in the normal
>> process, or does it short cut?
>
>IIRC, the default filter in 2.36+ rejects messages found to contain a
>virus with a 550 SMTP message.  (action_quarantine followed by
>action_bounce)
>
>I've modified my filters to quarantine and discard;  there's little
>point in rejecting it IMHO.  I figure that since I've already spent
>network and computing resources to accept the message and process it
>that if it's nastyware it's better deleted than kept.  :/
>
>(action_quarantine followed by action_drop currently, although one
>system [with no actual AV, just the "bad extension" check] is set up
>with action_quarantine_entire_message)
>
>> (I'm still getting the stupid message, sans virus - about 100 an hour
>> right now)  ARRRGGGGHHHHH!!!!!
>
>It sounds like you've got your filter set up to call action_drop on
>virus parts, but you don't call action_discard to actually delete the
>*message*.
>
>-kgd


Kris,

Thanks - you put me on the right path, but there was an additional
step (IMHO) - after the mime is defanged and the virus checker run, it
DID, in fact, shortcut the spam test if either of the above tests was
positive.  What I wanted was a way to stop the messages that told me
about the defanged, infected executable.  Trash like that, I don't
even want to know about - especially at the rate of 2 per minute!

I took the short-cuts out of the mimedefang code, and now I can detect
the text message that accompanies the virus, and drop the whole thing
with spamassassin.  And REAL messages with attachments will still be
handled properly.

Mike-


Mornings:  Evolution in action.  Only the grumpy will survive.
-----------------------------------------------------

Please note - Due to the intense volume of spam, we have
installed site-wide spam filters at catherders.com.  If
email from you bounces, try non-HTML, non-encoded, 
non-attachments.
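
The distinction Kris draws above between dropping an infected *part* and discarding the whole *message*, as an added example (not code from either poster or from the MIMEDefang distribution). It is a mimedefang-filter fragment that uses the documented filter API; it assumes a virus scanner is configured, the availability of these calls in 2.36 is an assumption, and the extension list is constructed for illustration.

```perl
# mimedefang-filter fragment (added illustration).

sub filter_begin {
    my ($entity) = @_;

    # Scan the whole message once, before per-part filtering runs.
    my ($code, $category, $action) = message_contains_virus();

    if ($action eq 'tempfail') {
        # Scanner could not run: ask the sender's MTA to retry later
        # rather than letting unscanned mail through.
        return action_tempfail("Problem running virus scanner");
    }

    if ($category eq 'virus') {
        # Message-level action: keep a copy for the administrator,
        # then accept and silently discard the entire message.
        # Nothing is delivered, not even the text that came with it.
        action_quarantine_entire_message("Virus detected");
        return action_discard();
    }
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # Constructed list of executable extensions.
    if (re_match($entity, '\.(exe|pif|scr|bat|com)$')) {
        # Part-level action: only this attachment is removed.
        # The remaining parts are still delivered, which is how a
        # recipient ends up with the message "sans virus".
        return action_drop();

        # Message-level alternative for the same condition:
        #   action_quarantine_entire_message("Bad attachment");
        #   return action_discard();
    }

    return action_accept();
}

1;
```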


