OK, you're right, exactly as you were when HOP was introduced. Such a little feature request was not worth even half of all the messages in this topic. Additionally, the entire Declude staff seems to be on holiday. So I have to write my own post-solution once again.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
> Sent: Saturday, January 28, 2006 5:32 AM
> To: [email protected]
> Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
>
> A single piece of software can't possibly be all things to all people.
> I think the best that can be expected is that it reasonably addresses
> all, or most, of those objectives which the user community shares.
>
> It is easy to say that it only costs $xx when it's not your money, the
> same as it is to say that it will only take 30 lines of code when you
> don't have to write it, test it, maintain it and fix it when it breaks.
>
> I was the culprit who introduced the HOP feature in Declude a long time
> ago. It was effective back then in combating dynamic servers in the
> delivery chain. As intimate as Scott was with his code and with the
> challenges we all faced, we debated it on and off the list for a long
> time, before he was convinced it would be a good thing for the entire
> user community. IOW, he had to see the beef - the evidence, that there
> was an issue and that it was one which Declude could address
> effectively.
>
> Scott is gone and Imail has changed requiring a major overhaul in
> Declude. Many of the old timers on this list are still NOT running the
> most current release, due to certain challenges and anomalies.
>
> I'm not trying to be a horse's tail or beat you up and there is nothing
> personal involved. I just think that unless a feature request can be
> justified with facts, which you admit that yours cannot, that we
> refrain from distracting the community and particularly the people at
> Declude.
>
> I'd rather see Declude keep pumping the water out of the bilge to the
> point they can fix the hull, rather than taking the time to hang a new
> pennant from the mast. Wouldn't you?
>
> Thanks,
>
>
> Friday, January 27, 2006, 6:05:46 PM, Markus Gufler
> <[EMAIL PROTECTED]> wrote:
> MG> I have no stats or numbers.
>
> MG> Only the fact that AV-Engines have introduced a suspicious category
> MG> that is catching more and more new outbreaks. Additionally, it seems
> MG> that the scanning process is becoming more and more complex. Each
> MG> variant (we have up to two-letter versions!) seems to need
> MG> completely new definitions. Another, more alarming: certain virus
> MG> signatures seem to catch only a part of one single but polymorphic
> MG> and encrypted virus variant.
>
> MG> Try to send a vb-script containing one single call of the
> MG> filesystem-object even if zipped or with renamed file extension
> MG> through some av-engines.
> MG> DELETEVIRUS ON will delete the entire message and you will have to
> MG> tell some fairy story to the customer who calls you because he
> MG> misses some messages.
>
> MG> Not deleting messages immediately, as many of us do, is one way.
> MG> Adding 5 DELETEVIRUSNAME-lines in the global.cfg would be a very
> MG> simple possibility to keep the virus folder clean and small. And I
> MG> repeat: It should be something very very simple to implement. Anyone
> MG> who doesn't want or need it could simply not turn it on.
>
> MG> Regarding the already existing FORGINGVIRUS DNS lookup feature and
> MG> a possible enhancement like AUTODELETEKNOWNWORMS.
> MG> I wouldn't say that I don't trust declude's FORGINGVIRUS list. But
> MG> first of all I really want to know what I categorize FORGING and
> MG> what not on my server. Beside the fact that since we don't send out
> MG> notifications to customers anymore my personal FORGINGVIRUS list is
> MG> simply a good way to filter out 99% of all postmaster notifications,
> MG> and so a wave of such notifications is an excellent indicator that
> MG> something new is around that I should give a look.
> MG> An additional DNS lookup for each held virus in my eyes is not
> MG> really useful if the number of forging viruses is so small as it is
> MG> today. OK, it's a nice thing for someone who doesn't want to care
> MG> for his server daily.
> MG> Another unclear aspect is how this DNS-based list handles different
> MG> virus names. We have seen in the last months that there is no more
> MG> consistent naming between AV-Companies. Does Declude maintain and
> MG> serve forging virus names for all AV-Engines?
>
> MG> I still consider Declude my Swiss army knife for handling
> MG> SMTP-traffic and keeping our customer mailboxes usable for the daily
> MG> work. And even if I know that some tools in my knife can be
> MG> dangerous I want to have them when it becomes necessary.
>
> MG> Markus
>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
> >> Sent: Friday, January 27, 2006 8:24 PM
> >> To: [email protected]
> >> Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
> >>
> >> There is no perfect Spam or Virus system. There will either be false
> >> positives, missed Spam or Viruses or a combination of both.
> >> Therefore, if the customer is expecting absolute perfection, then I
> >> think the problem is one of a customer with unrealistic expectations.
> >>
> >> You said, "what happens if tomorrow turns out that scan engines have
> >> caught many legit messages as viruses due to a new buggy signature."
> >> Well, then you need to HOLD ALL messages tagged as containing a
> >> virus, if you are that anal about it and that makes your original
> >> point moot.
> >> For instance, you've solved nothing if you had "bagal" hard coded to
> >> be deleted and that was the buggy one in the signature file. How
> >> often does this really happen - does it happen more than 1% of the
> >> time? It hasn't shown to be an issue in our case, but I think we'd
> >> all be interested in your statistics which show it as a significant
> >> exposure to false positives.
> >>
> >> You said, "or because a legit message unexpectedly contains something
> >> "suspicious." My previous comment was to hold all of those tagged as
> >> suspicious. Do you have good statistics on these, which show a
> >> significant false positive rate? I think we'd all be interested in
> >> your finding . . .
> >>
> >> Thanks,
> >>
> >>
> >> Friday, January 27, 2006, 10:56:56 AM, Markus Gufler
> >> <[EMAIL PROTECTED]> wrote:
> >>
> >> >> aren't you out hunting mosquitos with hand grenades?
> >>
> >> MG> If the "mosquito" is a very nasty but important customer it's
> >> MG> better using tanks, MGs and whatever you can organize in order
> >> MG> to prevent painful stings...
> >>
> >> MG> On a day like today I could turn on DELETEVIRUSES with nearly
> >> MG> zero risk in order to keep the server disk clean. But what
> >> MG> happens if tomorrow turns out that one of the scan engines has
> >> MG> caught many legit messages as viruses due to a new buggy
> >> MG> signature or because a legit message unexpectedly contains
> >> MG> something "suspicious". How do you explain to customers that the
> >> MG> messages are already deleted?
> >>
> >> MG> F-Prot's exit code 8 (suspicious files) has caught a lot of new
> >> MG> unknown viruses before signatures were available. So I use this
> >> MG> exit code in my config to hold messages. But suspicious could
> >> MG> also be something legit we don't know at the moment.
> >>
> >> MG> As I can understand a feature like DELETEVIRUSNAME wouldn't
> >> MG> require more than 30 lines of code and 3 hours of work and it
> >> MG> would eliminate any need for own scripts on each server. This is
> >> MG> not what I consider a hand grenade...
> >>
> >> MG> Markus
> >>
> >> MG> ---
> >> MG> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> >>
> >> MG> ---
> >> MG> This E-mail came from the Declude.Virus mailing list. To
> >> MG> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >> MG> type "unsubscribe Declude.Virus". The archives can be found
> >> MG> at http://www.mail-archive.com.
> >>
> >> ----
> >> Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
> >> [EMAIL PROTECTED]       http://www.inetconcepts.net
> >> (972) 788-2364                    Fax: (972) 788-5049
> >> ----
>
> ----
> Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
> [EMAIL PROTECTED]       http://www.inetconcepts.net
> (972) 788-2364                    Fax: (972) 788-5049
> ----
