[Mimedefang] FW: Quarantining spam with MIMEDefang

Paul Murphy pmurphy at ionixpharma.com
Thu Jun 3 05:10:42 EDT 2004


Chris,

Generally the structure of MIMEDefang filters will be something like:

A.  Check the message
B.  Examine the result
C.  If you don't like the result, log it
D.  If you don't like the result, tell someone about it
E.  If you don't like the result, optionally quarantine the message
F.  If you don't like the result, bounce/discard the message
G.  Continue or Return

To illustrate this, my filter has the following section to deal with viruses:

        if ($category eq "virus") {
            md_graphdefang_log('virus', $VirusName, $RelayAddr);

            # Tell the administrator; the mail itself is discarded below.
            action_notify_administrator("Virus $VirusName found in mail - rejected");

            # But quarantine the part for examination later.  Comment
            # the next line out if you don't want to bother.
            action_quarantine_entire_message("A known virus was discovered and deleted.  Virus-scanner messages follow:\n\n\n$VirusScannerMessages\n\n");

            action_discard();
            return;
        }

For spam scanning, you check the score assigned by SA, then quarantine on a high
score - 

                if ($hits >= 10) {
                  # Quarantine for inspection
                  md_graphdefang_log('def.spam', $hits, $RelayAddr);
                  return action_quarantine_entire_message("SPAM Message quarantined - score $hits");
                } else {
                  # Below the quarantine threshold: tag the message and log it
                  action_change_header("X-Spam-Score", "$hits ($score) $names");
                  md_graphdefang_log('poss.spam', $hits, $RelayAddr);
                }

You can quarantine individual parts of messages (which replaces that part with a
message saying it was quarantined), or can quarantine the whole message -
generally, the whole message is more useful, as stripping the executable from a
virus mail and delivering the body is probably a waste of time, while trying to
decide whether a quarantined file is legitimate without the supporting message
is not easy.

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788

 
