VirusScan has not moved a .~bx file...yet.
Yet. :) What I would recommend if you are going to go this route is disabling scanning of the IMail user directories (such as \IMail\users\ or \IMail\example.com\users\), to ensure that it doesn't grab those files.
> No. Some virus/worm laden files are detected. Various virus scanners will detect different amounts, anywhere from none to many. I haven't heard of a desktop scanner that can detect most.
VirusScan appears to be finding 100% of the virus laden messages I used to find via IMail filters for executable file attachments.
You seem to be confusing "All copies of some viruses are detected" with "Some copies of some/all viruses are detected".
Specifically, if VirusScan detects Netsky.P in a .SMD file (as an example), it should always detect Netsky.P in a .SMD file. However, that doesn't mean that it will detect Netsky.O in a .SMD file, or other viruses.
How about this: If you are confident that it is catching all viruses, call McAfee and ask them if it will catch 100% of viruses that are in your mailserver's queue directory. I can almost guarantee you they will not say that it does.
McAfee is pretty smart -- they aren't going to charge $20 for something that they normally charge $2,000 or $20,000 for.
> Note that by doing that, it will also leave the Q*.SMD file, which can cause problems. For example, you are likely to get blank E-mails, and will have a hard time delivering E-mails if there are false positives (although that should be rare).
I have considered this issue and have been tracking it. So far, I have not found any orphaned SMD files nor have I seen any blank e-mail messages.
In that case, IMail must be seeing that the D*.SMD file is blank, not delivering the E-mail, and instead reporting (hopefully) to the log file what is happening.
Speculation and wishful thinking to follow...
I think SMTPd32.exe is taking care of this. It may attempt to write the D*.SMD file, then check if the D*.SMD file is still in the SPOOL directory before attempting to create the Q*.SMD file.
Actually, IMail starts the Q*.SMD file before the D*.SMD file. I'm guessing that it doesn't check to verify that the D*.SMD file was written, but instead the SMTP32.exe process that delivers the E-mail is no longer sending the E-mail if the D*.SMD file is missing (which is smart, since the D*.SMD file will never be blank due to a problem on the remote end, as the D*.SMD file includes the Received: header that IMail adds).
> Other issues include poor logging (it may log that it finds viruses, but you would have to do a lot of work to find out who it was sent from/to), no notifications, no ability to use multiple virus scanners, no mailserver AV vulnerability detection, etc.
I will agree with you on these points.
But, at this point in time,...
I do not care who sent the virus/worm laden message. I do not need notifications. I just want to kill the virus/worm laden messages.
The real problem, though, is that if there are viruses using mailserver vulnerabilities, they won't get caught. For example, I believe it is Netsky.P that sometimes uses encrypted .ZIP files, which the desktop McAfee can't catch.
And, you have zero protection from the time that a virus is released until the time McAfee updates their definitions and your copy downloads them. Mailserver AV programs have various ways of helping with this (such as using multiple virus scanners, vulnerability detection, verifying that .com/.bat/.pif and similar files are not .exe's disguised with the wrong extension, etc.).
Again, I'm not saying your way is bad -- just that you need to fully understand the limitations. If, for example, you run the risk of losing your job for each virus that comes through the mailserver (as is often the case, whether people realize it or not), going to the boss and saying "You can get McAfee for $20,000, Declude Virus Pro for $1,295, or I can run the desktop version of McAfee for free since we have a license for it" may be worthwhile. The ball is then in his court to make a decision and/or ask questions and/or let you decide.
For a hobby server, or a non-profit that has enough money to run their own mailserver but not enough for mailserver virus scanning, etc., your trick if done properly can be beneficial.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
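
A check for the orphaned Q*.SMD files discussed in this thread, as an added example that is not part of the original message and is not IMail or Declude code: it lists queue files left in the spool without a data file, and the reverse. It assumes a message's Q and D files share the same name after the first letter and runs on a constructed spool directory; the grace period is an assumed value that skips messages still being received, since the Q file is started before the D file.

```python
import os
import tempfile
import time
from pathlib import Path

GRACE_SECONDS = 300  # assumed value: ignore files younger than this


def find_orphans(spool_dir, grace_seconds=GRACE_SECONDS, now=None):
    """Return (orphan_q, orphan_d): Q files with no D file, and D files with no Q file.

    Assumption: a message's Q and D files share the name after the first letter.
    """
    now = time.time() if now is None else now
    q_files, d_files = {}, {}
    for entry in Path(spool_dir).iterdir():
        name = entry.name.upper()  # Windows file names are case-insensitive
        if not entry.is_file() or not name.endswith(".SMD"):
            continue
        if name.startswith("Q"):
            q_files[name[1:]] = entry
        elif name.startswith("D"):
            d_files[name[1:]] = entry

    def old_enough(path):
        # A file can be delivered and deleted while we scan; treat that as "not orphaned".
        try:
            return now - path.stat().st_mtime >= grace_seconds
        except FileNotFoundError:
            return False

    orphan_q = sorted(p.name for k, p in q_files.items() if k not in d_files and old_enough(p))
    orphan_d = sorted(p.name for k, p in d_files.items() if k not in q_files and old_enough(p))
    return orphan_q, orphan_d


def demo():
    """Constructed spool: one intact pair, one stale orphan Q, one Q still being received."""
    with tempfile.TemporaryDirectory() as spool:
        now = time.time()
        samples = [("Q0001.SMD", 900), ("D0001.SMD", 900),
                   ("Q0002.SMD", 900),  # its D file was removed by the scanner
                   ("Q0003.SMD", 5)]    # D file not written yet
        for name, age in samples:
            path = Path(spool) / name
            path.write_bytes(b"constructed sample\n")
            os.utime(path, (now - age, now - age))
        return find_orphans(spool, now=now)


if __name__ == "__main__":
    print(demo())
```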
