From owner-freebsd-chat@FreeBSD.ORG Thu Jun 12 12:59:01 2003
Message-ID: <3EE8DB83.4040609@potentialtech.com>
Date: Thu, 12 Jun 2003 15:58:59 -0400
From: Bill Moran
To: David Kelly
cc: chat@FreeBSD.org
References: <5.2.1.1.2.20030612202321.02e28008@194.184.65.4> <3EE8C7FB.7040701@potentialtech.com> <20030612193524.GA31199@grumpy.dyndns.org>
In-Reply-To: <20030612193524.GA31199@grumpy.dyndns.org>
Subject: Re: Antivirus for (mailservers on) FreeBSD

David Kelly wrote:
> How does "antivirus mail filtering" differ significantly from spam
> filtering? Seems to me these two should be one and the same as "spam"
> is a form of malicious code.

No, no, no. Not even close. While it may seem that way to an end-user, programmatically it's very different.

Bayesian matching is generally done for spam, as it seems to be the best approach. This involves checking for a LARGE number of conditions and assigning a percentage likelihood for each that it is indicative of spam. Once _every_ condition has been checked, the email is labeled spam or not based on the sum of the likelihoods of all matched rules. This is VERY CPU intensive.

Searching for malware is simply a matter of checking a set of rules until a positive match is found. The first positive match terminates the search with a positive. There are no percentages, and the nature of the search means that putting the most likely candidates at the beginning of the search will cause it to terminate more quickly in many cases, since there's no need to check the rest of the possibilities. Additionally, searching headers for instances of malware is unreliable and is therefore not done. Additionally, certain mail (such as proper mail that is _all_ plain text) need never be searched at all, since there is no way to embed malware in an email that is all plain text.

> All that seems to be lacking is easy updates to the spam/virus/worm rule
> database.

I'm not having any difficulty updating the Sophos database on a daily basis. I don't understand where this statement originated from.

p.s. I abhor the term "virus" as I haven't seen one in years. The horrible technical elegance of a true virus doesn't exist in the abilities of modern malware developers. Worms and trojans are the best they can do. And worms are often too difficult.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
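An added illustration of the two scanning strategies contrasted in the message above (not part of the thread or of any product mentioned in it): the spam scorer evaluates every rule and sums weights, while the malware scanner skips plain-text bodies and stops at the first signature hit. All rules, signatures, weights and sample messages are constructed for this example.

```python
"""Constructed comparison: score-every-rule spam filtering versus
first-match signature scanning, as described in the thread."""
import re
from dataclasses import dataclass

# Constructed spam heuristics: every rule is checked, weights are summed.
SPAM_RULES = {
    r"\bfree\b": 0.3,
    r"click here": 0.4,
    r"!!!": 0.2,
    r"unsubscribe": 0.1,
}
SPAM_THRESHOLD = 0.5  # constructed cut-off on the summed weights

# Constructed malware "signatures", ordered most-likely-to-hit first so
# the common case terminates after the fewest comparisons.
MALWARE_SIGNATURES = [
    ("Constructed.Worm.A", b"CONSTRUCTED-SIG-1"),
    ("Constructed.Trojan.B", b"CONSTRUCTED-SIG-2"),
]


@dataclass
class ScanResult:
    verdict: str          # "spam"/"ham" or "clean"/"infected:<name>"
    rules_checked: int    # how much work the strategy actually did


def spam_score(body: str) -> ScanResult:
    """Bayesian-style filter: evaluate EVERY rule, then decide on the total."""
    text = body.lower()
    total = 0.0
    for pattern, weight in SPAM_RULES.items():
        if re.search(pattern, text):
            total += weight
    verdict = "spam" if total >= SPAM_THRESHOLD else "ham"
    return ScanResult(verdict, len(SPAM_RULES))  # cost is always the full set


def malware_scan(content_type: str, payload: bytes) -> ScanResult:
    """Signature scanner: plain text is never scanned; first hit ends the search."""
    if content_type == "text/plain":
        return ScanResult("clean", 0)
    for checked, (name, sig) in enumerate(MALWARE_SIGNATURES, start=1):
        if sig in payload:
            return ScanResult(f"infected:{name}", checked)
    return ScanResult("clean", len(MALWARE_SIGNATURES))


if __name__ == "__main__":
    print(spam_score("Free offer, click here!!!"))
    print(malware_scan("application/octet-stream", b"..CONSTRUCTED-SIG-1.."))
```

Compare `rules_checked` across the two functions: the spam scorer always pays for the whole rule set, while the signature scanner's cost depends on rule ordering and drops to zero for plain-text mail.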