FYI for everyone, I didn't have time to test and implement F-prot during this situation so what I ended up doing was taking one of my Declude servers off the line, stripping it of all spam tests, and setting it "in front of" a second Declude server - it runs 7 lines worth of tests and makes a decision, very low CPU. In effect, I'm using the first as the gateway filter I was looking for, deleting the sobig's and passing the rest on to the second for spam filtering.
BTW, all of this hassle is over one client, a software developer. They put [EMAIL PROTECTED] in every one of their readme files for every installed and demo version since time began. Sobig comes along on all these machines, harvests email addresses from files such as these, and blasts 'em. The multitude of sources made it impossible to block the onslaught by sender IP.

Dan

On Monday, August 25, 2003 0:48, John Tolmachoff (Lists) <[EMAIL PROTECTED]> wrote:
>Yes, Declude Virus does this. Declude Virus is fired before
>Declude JM.
>
>It is checked in this order by default:
>
>Imail SMTP security
>Declude Virus virus scan
>Declude Virus banned extension
>Declude Virus vulnerabilities
>Declude JM
>Imail Rules
>Delivery
>
>John Tolmachoff MCSE CSSA
>Engineer/Consultant
>eServices For You
>www.eservicesforyou.com
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
>> [EMAIL PROTECTED] On Behalf Of Dan Patnode
>> Sent: Monday, August 25, 2003 12:10 AM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [Declude.JunkMail] Multi Server Configs
>>
>> Thank you Matt. If correct, you've brought me more clarity and direction
>> than I've had since this mess began. I've been so focused on fighting
>> spam, I haven't yet installed Scott's AV system (after more than a year),
>> relying instead on a basic Norton config to handle things.
>>
>> Scott,
>>
>> Can you confirm that viruses stopped by Declude AV (if so configured) will
>> prevent that message from being scanned by the spam system, including
>> those tagged solely by attachment names like *.pif?
>>
>> Thanks,
>> Dan 'Sobig Egg on Face' Patnode
>>
>> On Sunday, August 24, 2003 18:30, Matthew Bramble <[EMAIL PROTECTED]> wrote:
>> > Dan,
>> >
>> > It appears that E-mail is first scanned by the virus scanner
>> >(F-Prot or whatever), and then if it passes, the excluded
>> >extensions are tested. So as soon as your virus scanner became
>> >Sobig.F aware, the excluded extensions test doesn't get done
>> >because it is blocked by the scanner. Maybe Scott can suggest
>> >other ways to save processing power?
>> >
>> > Scott,
>> >
>> > I know this is the wrong discussion group, but since we're on
>> >the topic, would it make more sense to test for banned
>> >extensions before it goes to the virus scanner in order to save
>> >processing power?
>> >
>> > Matt
>> >
>> > Dan Patnode wrote:
>> >
>> >Matt, by this:
>> >
>> >This does tie back into processor utilization though, because
>> >before the definitions were available, the banned extension
>> >test was placing those E-mails in a hold (wish you could have
>> >them deleted). The system seems though to scan the attachments
>> >first and then look for attachments to ban by extension, and
>> >that order could be reversed to save processing power. I
>> >assume this because the virus detection is now catching these
>> >files subsequent to the definitions update instead of the
>> >banned extension test doing the dirty work.
>> >
>> >are you saying that I could set up Fprot to scan for .pif files
>> >and then have it run before Declude's junk filters,
>> >holding/deleting them, saving the CPU from scanning these
>> >messages with my junk tests?
>> >
>> >Can this be confirmed, Scott?
>> >
>> >Dan
>>
>> ---
>> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>>
>> ---
>> This E-mail came from the Declude.JunkMail mailing list. To
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.JunkMail". The archives can be found
>> at http://www.mail-archive.com.
