Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

[Scott Fisher]

 -Declude I'd be a lot more interested in the AVAFTERJM ON if the HOLD action messages where virus scanned.   ----- Original Message ----- From: Matt To: Declude.Virus@declude.com Sent: Friday, January 27, 2006 1:25 PM Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME Let me try to summarize what seems to be the consensus here. With AVAFTERJM ON, only certain final actions will result in no virus scanning.  Those apparently include the following:     HOLD     DELETE     DELETE_RECIPIENT (for the deleted recipients) On the following final actions, virus scanning will occur:     DELETE_RECIPIENT (for non-deleted recipients)     ROUTETO     COPYTO     WARN     SUBJECT     HEADER     FOOTER     ALERT     LOG     BEEP The following final actions are unclear to me as to the behavior and I haven't seen a mention about them here:     COPYFILE (for the file copied not the one delivered, might copy the virus)     MAILBOX (maybe bypasses virus scanning, could use ROUTETO instead)     ATTACH (not sure how this affects virus scanning, could bypass it in certain situations or all)     BOUNCEONLYIFYOUMUST (might bypass virus scanning) It would seem that the only new issues under the most common configurations where spam is captured to accounts using ROUTETO would be that undetected viruses could land in these accounts.  This is probably not that much E-mail on the typical day, though it could potentially include banned extensions that would create bounces with JunkMail running last.  There would be an advantage to this in that it would help stop backscatter though.  One could create a filter to segregate messages in these spam capture accounts that contained a common virus executable so that they could be handled differently, for instance, one could use the HEADER action or WARN action to tag the headers and then use IMail rules to move these messages into a special folder or delete them from the spam capture accounts if that was preferred. Would people agree that this is accurate? Matt Darrell ([EMAIL PROTECTED]) wrote: HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM ROUTETO, SUBJECT, Etc - Does get virus scanned. Think of it this way anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned. Darrell Matt writes: This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it.  I suspect that HOLD and MAILBOX are also that way.  I am unsure about ROUTETO, and that is what really matters to me. As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners.  Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches).  I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%.  I would like to save on scanning what I would otherwise be deleting with JunkMail. Matt   Keith Johnson wrote: Markus,    However, Darrell mentioned that the AV scanner still runs once action is taking agains the SPAM message (i.e. routeto, subject, etc.). Is this not true? Keith  -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Friday, January 27, 2006 12:03 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME   So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).     Wrong... if you block the messages on the servers: As we know usualy >50% of all incomming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if you're spam filters are set up properly they will filter out at least 50% of all incomming messages before they will reach the av-engines. Markus --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".    The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".    The archives can be found at http://www.mail-archive.com.   ------------------------------------------- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".    The archives can be found at http://www.mail-archive.com.