mharc-users

Re: Best practice for removing virus messages...

2003-08-20 10:24:14
On August 20, 2003 at 10:09, "Sean M. Alderman" wrote:

I'm curious what your collective opinions are on the best way to remove
multple virus messages from multiple archives are.  We've had a storm of
the messages from the W32/Sobig(_dot_)1(_at_)MM worm archived over the past 
few day
or so.

My first thought was to write a script to yank the messages out of the
raw mbox files and follow that up with a make rebuild.  I'm not sure how
long that might take, so I thought I'd see if there might be better
alternatives.

Message deletion is a known problem with mharc, and I have been
contemplating on how a deletion system could be implemented, mainly
on how one would designate which messages should be deleted.

For now, things have to be done manually.  You should delete the
messages from the raw mbox files.  The tricky part is what to do
about the HTML archives.

As for a rebuild, it depends on the size of your archives and
the capabilities of your system.  At a minimum, you can delete the
attachment files from the archives so users try not to download them
from the archives.

You could try to get mhonarc to remove the message from the archives
minus doing a rebuild, but it would require to get all the command-line
options right so the archives are updated properly.  This is where
having mharc doing the deletion itself would be helpful.  A possible
hack (in order to avoid a complete rebuild) is to do the following:

  1. Run 'make disable'.  This way no auto-cron-based processing will
     be done while making edits to the archive.

  2. Run 'mhonarc -rmm' directly to each period sub-archive of each
     archive with the viral messages to delete the messages.  Note,
     this will cause some pages to revert to default layout settings,
     but we will fix that in the next step.

  3. Run 'make editidx'.  This will re-edit the pages of each archive
     so the proper layout settings are applied.  You can explicitly
     state which archives to re-edit by doing the following instead:

      <mharc-root>/bin/web-archive -verbose -editidx <arch1> <arch2> ....

    The -verbose will tell you what is going on.

  4. Run 'make enable'.  This will re-enable auto updates to the
     archives.

Editidx can take some time depending on the size of the archive, but
it is faster than doing a complete rebuild.


BTW, on rebuilds, if not all of your archives have been polluted, you
can just rebuild the ones with viral messages.  You can do this by
invoking web-archive script directly:

  <mharc-root>/bin/web-archive -verbose -rebuild <archive1> <archive2> ...


If you are really concerned about the overhead of rebuilds, or
do any of the above, you can try to modify mharc scripts directly
to make things more efficient.

--ewh

---------------------------------------------------------------------
To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the
message text UNSUBSCRIBE MHARC-USERS

<Prev in Thread] Current Thread [Next in Thread>