> IIRC, the HOLD action was where the risk came in. Messages > that are held by Declude using AVAFTERJM and then manually > re-queued (via, say, the old SpamReview app) would NOT be > scanned for viruses at all, since > re-queued messages bypass Declude altogether.
<snip> > At the very least, Declude should add a warning to the manual > around AVAFTERJM that says that AVAFTERJM and HOLD should not > be used in the same configuration. > > --DH Dan, this is all implementation dependent. Your observed behaviour is not universal to Declude deployments. Specifically, re-queued messages on IMail systems do indeed get scanned by Declude JunkMail and EVA when the Q*.SMD is moved to the overflow folder (as opposed to being moved to the spool folder with the D*.SMD file). Given this re-queuing method, I disagree with your conclusion. I do agree that there is a gap in the functionality and/or the manual on how re-queuing is accomplished and what the wrinkles are. Andrew 8) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne > Sent: Friday, January 27, 2006 11:12 AM > To: [email protected] > Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME > > > HOLD is the only 'semi-final' action. All other actions > either deliver the email to an mbox (in which case it is > scanned by EVA), or remove the message completely (which is > where the saved cycles come in). > > IMO, AVAFTERJM should be changed so that only deleted emails, not held > ones, by pass the AV scan. In other words, all messages should be > first scanned for spam, then the ones that are not DELETED > should all be scanned for viruses. This would close the > security risk from re-queued messages. The AVAFTERJM option > would then only be useful for those that use the DELETE > action, but with the huge security risk involved in > requeueing unscanned messages I think that it is ALREADY only > useful for those that use the DELETE action. Unfortunately > the manual isn't clear on this point. > > At the very least, Declude should add a warning to the manual > around AVAFTERJM that says that AVAFTERJM and HOLD should not > be used in the same configuration. > > --DH > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darrell > ([EMAIL PROTECTED]) > Sent: Friday, January 27, 2006 1:54 PM > To: [email protected] > Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME > > HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM > ROUTETO, SUBJECT, Etc - Does get virus scanned. > > Think of it this way anything that ends up being delivered > somewhere (i.e. > mailbox etc) gets scanned. > > Darrell > > > Matt writes: > > > This is the crux of the issue that I would like to figure out. > > > > I am however under the impression that if you DELETE a message, > > Declude Virus never gets it. I suspect that HOLD and > MAILBOX are also > that way. > > I am unsure about ROUTETO, and that is what really matters to me. > > > > As far as savings of resources, it is apparently huge, > especially for > > those running multiple virus scanners. Virus scanning > takes more CPU > > than all but the biggest JunkMail configs (things like > custom filters > > with thousands of lines of BODY or ANYWHERE searches). I > know that on > > > my system I Delete about 70% of all messages, ROUTETO about > 10%, and > > deliver about 20%. I would like to save on scanning what I would > > otherwise be deleting with JunkMail. > > > > Matt > > > > > > > > Keith Johnson wrote: > > > >> Markus, > >> However, Darrell mentioned that the AV scanner still runs once > >> action is taking agains the SPAM message (i.e. routeto, subject, > etc.). > >> Is this not true? > >> > >> Keith > >> > >> -----Original Message----- > >> From: [EMAIL PROTECTED] > >> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler > >> Sent: Friday, January 27, 2006 12:03 PM > >> To: [email protected] > >> Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME > >> > >> > >> > >> > >>> So, with or without AVAFTERJM, it looks like each message > is scanned > > >>> by the virus scanner (which makes sense to me). > >>> > >>> > >> > >> Wrong... if you block the messages on the servers: > >> > >> As we know usualy >50% of all incomming messages are spam. > >> We know too that resource usage of one or two scan-engines is way > >> above the entire spam filtering even if you use 5-6 external > >> applications like sniffer, inv-uribl, spamchk, ... > >> > >> So if you're spam filters are set up properly they will > filter out at > > >> least 50% of all incomming messages before they will reach the > >> av-engines. > >> > >> Markus > >> > >> --- > >> [This E-mail was scanned for viruses by Declude EVA > www.declude.com] > >> > >> --- > >> This E-mail came from the Declude.Virus mailing list. To > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> type "unsubscribe Declude.Virus". The archives can be found > >> at http://www.mail-archive.com. > >> --- > >> [This E-mail was scanned for viruses by Declude EVA > www.declude.com] > >> > >> --- > >> This E-mail came from the Declude.Virus mailing list. To > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> type "unsubscribe Declude.Virus". The archives can be found > >> at http://www.mail-archive.com. > >> > >> > >> > >> > > > > ------------------------------------------- > Check out http://www.invariantsystems.com for utilities for > Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow > Queue Monitoring, SURBL/URI integration, MRTG Integration, > and Log Parsers. > > --- > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > CONFIDENTIALITY NOTICE: > This email message, including any attachments, is for the > sole use of the intended recipient(s) and may contain > confidential and privileged information. Any unauthorized > review, use, disclosure or distribution is prohibited. If you > are not the intended recipient, please contact the sender by > reply email and destroy all copies of the original message. > > SPAM-FREE 1.0(2476) > > > --- > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
