procmail

Re: Sircam virus answer

2001-07-26 05:41:23
On 26 Jul, greg(_at_)elmnet(_dot_)net wrote:
| I used Don's code, that he posted here, and caught 4 falses and no 
| viruses.  What it missed is over 50 copies of the viruses that are 
| in /var/spool/mail/ and I have received 3.  
| 

I'm not sure what to make of this. But feel I should make clear that
there are/were no guarantees offered. There never are and, in my mind,
that always goes without saying. Cutting/pasting code on this or any
other list carries risks that should be understood, and are the ultimate
responsibility of the final user. There are an abundance of hints and
examples in the list archives for testing recipes without injecting
messages into the mail system. If you have 50 copies of the virus in
the mail spool, it's trivial to pull them (or even some of them) and
run them through this or any other filter to find and fix what's wrong.
Or report the information gathered from said testing to the list for
help if need be.

That said, I mentioned at least twice that my filters were more
aggressive than necessary -- intending to filter not only the virus,
but most discussions of and replies to it. It's doing that for me. I
also explained how to change it so such collateral messages would not be
filtered. I can only guess, but the 4 false positives may fall into
this category.

As far as real virus messages getting through, I also mentioned that the
only *one* I received got through mine too. And explained why and
detailed the fix. I tested it and it worked. So all I can say, is my
filter is doing for me what I want it to, based on my very limited
exposure to the virus. YMMV.

I still stand by my statements that relying solely on a lower case date:
header is flawed. Forget that date: is compliant, and is no guarantee of
guilt. If guilty messages are being passed with Date: (and they are), it
is a de facto rebuttal of the proposition that filtering date: is
effective. As part of a more comprehensive plan, maybe. But not by
itself.

Not intending to be argumentative, but thought it needed clarification.

-- 
                   /"\
Don Hammond        \ /     ASCII Ribbon Campaign
Raleigh, NC US      X        Against HTML Mail,
                   / \      and News Too

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
