[Mimedefang] Sober virus highlights problem

David F. Skoll dfs at roaringpenguin.com
Thu May 19 08:26:10 EDT 2005


Jonathan Maliepaard wrote:

> The outbreak of the "German Spam" Sober virus has highlighted
> a problem in our methodology for handling SPAM. We have been using CanIt
> with the SPAM trap. In order to keep the trap as empty as possible we
> have been aggressively whitelisting domains of well-known local
> organisations.

Whitelisting entire domains is almost always a bad idea, for exactly
the reason you discovered.  Whitelisting individual senders is a
better idea (but you should never whitelist your own e-mail address.)

> I understand that if a domain is whitelisted then the system will not
> check the mail for spam at all. Is there a way that even if a domain is
> whitelisted that a custom rule can be checked first (like the subject
> lines from the sober virus)?

This is a CanIt issue, not really a MIMEDefang one.  And CanIt won't
do content-scanning (except for virus-scanning) if a sender is whitelisted.

> And as another question should Clam not be discarding these emails as
> they are clearly virus related? Clam seems to discard phishing emails.

Interesting idea.  I wonder how easy it would be to maintain local
signatures for Clam, just to catch this kind of thing?  I'll have
to investigate.

Regards,

David.
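
On the local Clam signatures idea raised in the reply above: since whitelisted senders are still virus-scanned, a local signature would apply to their mail too. The following is an added example, not part of the original message or of any project's code; it builds a ClamAV body-based `.ndb` line (`MalwareName:TargetType:Offset:HexSignature`) for a literal header string and checks it offline. The subject text, the signature name and the `MIN_BYTES` floor are assumptions made for illustration.

```python
# Added example: build and sanity-check a local ClamAV .ndb signature line.
# Format: MalwareName:TargetType:Offset:HexSignature
import re

MAIL_TARGET = 4   # ClamAV target type 4 = mail file
ANY_OFFSET = "*"  # match anywhere in the file
MIN_BYTES = 12    # assumption: local floor so short, false-positive-prone patterns are refused


def ndb_signature(name: str, literal: str) -> str:
    """Return one .ndb line matching the exact bytes of `literal` in mail files."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("signature name must not contain ':' or whitespace")
    data = literal.encode("ascii")  # raises on non-ASCII; encoded subjects need their wire form
    if len(data) < MIN_BYTES:
        raise ValueError(f"pattern shorter than {MIN_BYTES} bytes")
    return f"{name}:{MAIL_TARGET}:{ANY_OFFSET}:{data.hex()}"


def would_match(sig_line: str, raw_message: bytes) -> bool:
    """Offline check for static, any-offset signatures only (no wildcards)."""
    _name, target, offset, hexsig = sig_line.split(":")
    if int(target) != MAIL_TARGET or offset != ANY_OFFSET:
        raise ValueError("only static mail signatures with offset '*' are handled here")
    return bytes.fromhex(hexsig) in raw_message


# Constructed sample data: the subject is a placeholder, not a real Sober subject line.
OUTBREAK_SUBJECT = "Subject: EXAMPLE-OUTBREAK-SUBJECT"
SAMPLE_HIT = (b"From: someone@whitelisted.example\r\n"
              b"Subject: EXAMPLE-OUTBREAK-SUBJECT\r\n\r\nbody\r\n")
SAMPLE_MISS = (b"From: someone@whitelisted.example\r\n"
               b"Subject: Minutes of Tuesday's meeting\r\n\r\nbody\r\n")
# The match is byte-exact, so a different header case is not caught.
SAMPLE_CASE = SAMPLE_HIT.replace(b"Subject:", b"SUBJECT:")

if __name__ == "__main__":
    line = ndb_signature("Local.Outbreak.Subject", OUTBREAK_SUBJECT)
    print(line)  # append to a .ndb file in ClamAV's database directory
    for label, msg in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("case", SAMPLE_CASE)):
        print(label, would_match(line, msg))
```

Running `clamscan -d` with the generated file against a folder of saved legitimate mail shows whether the pattern is too broad before it goes into production.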


