From: David Kelly
To: chat@FreeBSD.org
Date: Thu, 12 Jun 2003 20:06:55 -0500
Subject: Re: Antivirus for (mailservers on) FreeBSD
Message-Id: <200306122006.55906.dkelly@HiWAAY.net>
In-Reply-To: <3EE8DB83.4040609@potentialtech.com>
References: <5.2.1.1.2.20030612202321.02e28008@194.184.65.4> <20030612193524.GA31199@grumpy.dyndns.org> <3EE8DB83.4040609@potentialtech.com>
List-Id: Non technical items related to the community

On Thursday 12 June 2003 02:58 pm, Bill Moran wrote:
> David Kelly wrote:
> > How does "antivirus mail filtering" differ significantly from spam
> > filtering? Seems to me these two should be one and the same as
> > "spam" is a form of malicious code.
>
> No, no, no. Not even close.
>
> While it may seem that way to an end-user, programmatically it's very
> different.
>
> Bayesian matching is generally done for spam, as it seems to be the
> best approach. This involves checking for a LARGE number of
> conditions and assigning a percentage likelihood for each that it is
> indicative of spam. Once _every_ condition has been checked, the
> email is labeled spam or not based on the sum of the likelihoods of
> all matched rules. This is VERY cpu intensive.

So what? If you are already pushing the message thru a spam filter then
while you are at it and have the message in hand then run a malicious
code check. If you are going to check for malicious code anyhow then it
shouldn't ultimately take more CPU cycles to do it from the spam filter
interface.

No matter that such malicious code is often hidden in .zip or .exe
attachments. Simply look there too.

I am not suggesting use of optimized-for-spam search techniques against
malicious code, but optimized-for-code techniques from within the same
framework.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
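A one-pass filter along the lines David Kelly proposes, as an added example that is not code from this thread or from any FreeBSD project: the message is parsed once, its text parts are scored with a Bayesian-style token combination of the kind Bill Moran describes, and every attachment goes through separate code-oriented checks (a hash blocklist, executable markers, and a bounded look inside .zip files) from the same framework. The token probabilities, the "known bad" sample and its blocklist entry, the sample messages and the size and depth limits are all constructed for the demonstration and stand in for a trained corpus and a real signature feed.

```python
"""One-pass mail filter: Bayesian-style spam scoring and attachment checks run
over the same parsed message. Added example, not code from the thread."""
import email
import hashlib
import io
import math
import re
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed per-token spam probabilities, standing in for a trained corpus.
SPAM_TOKEN_PROB = {
    "free": 0.90, "viagra": 0.99, "click": 0.85, "unsubscribe": 0.70,
    "meeting": 0.10, "freebsd": 0.05, "patch": 0.15,
}
UNKNOWN_TOKEN_PROB = 0.4            # default for tokens never seen in training
MAX_INTERESTING_TOKENS = 15         # only the most decisive tokens are combined

# Constructed "known bad" sample and its digest; a real deployment would use a
# signature feed instead of a hard-coded set.
SAMPLE_BAD_EXE = b"MZ" + b"\x00" * 32
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_EXE).hexdigest()}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
MAX_ZIP_DEPTH = 2                   # bound recursion into nested archives
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate huge members (zip bombs)


def spam_score(text):
    """Combine per-token probabilities into one P(spam) for the text.
    Uses the 'most interesting tokens' combination from Paul Graham's
    'A Plan for Spam': tokens farthest from 0.5 dominate the product."""
    tokens = set(re.findall(r"[a-z0-9$']+", text.lower()))
    if not tokens:
        return 0.0
    probs = sorted((SPAM_TOKEN_PROB.get(t, UNKNOWN_TOKEN_PROB) for t in tokens),
                   key=lambda p: abs(p - 0.5), reverse=True)[:MAX_INTERESTING_TOKENS]
    spam = math.prod(probs)
    ham = math.prod(1 - p for p in probs)
    return spam / (spam + ham)


def scan_blob(name, data, depth=0):
    """Code-oriented checks on one attachment body: hash blocklist, executable
    markers, and a bounded look inside zip archives."""
    findings = []
    name = name.lower()
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        findings.append(f"known-bad hash: {name}")
    if name.endswith(EXEC_EXTENSIONS) or data[:2] == b"MZ":
        findings.append(f"executable: {name}")
    if (name.endswith(".zip") or data[:4] == b"PK\x03\x04") and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"oversized member skipped: {name}:{info.filename}")
                        continue
                    findings.extend(scan_blob(f"{name}:{info.filename}",
                                              zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"corrupt zip: {name}")
    return findings


def filter_message(raw, spam_threshold=0.9):
    """Parse the message once; score the text parts for spam and scan every
    other part (including text carried as a named file) for malicious code."""
    msg = email.message_from_bytes(raw)
    text, findings = [msg.get("Subject", "")], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        body = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain" and not part.get_filename():
            text.append(body.decode(part.get_content_charset() or "utf-8", "replace"))
        else:
            findings.extend(scan_blob(part.get_filename() or "unnamed", body))
    score = spam_score(" ".join(text))
    return {"spam_score": round(score, 4), "is_spam": score >= spam_threshold,
            "malware_findings": findings}


def build_sample(spammy, with_zip):
    """Construct a test message; the zip wraps the constructed bad .exe."""
    m = MIMEMultipart()
    m["Subject"] = "FREE offer, click now" if spammy else "FreeBSD patch for meeting"
    m["From"], m["To"] = "sender@example.invalid", "chat@example.invalid"
    m.attach(MIMEText("click here to unsubscribe from free viagra" if spammy
                      else "see the attached patch before the meeting", "plain"))
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("invoice.exe", SAMPLE_BAD_EXE)
        att = MIMEApplication(buf.getvalue(), Name="invoice.zip")
        att["Content-Disposition"] = 'attachment; filename="invoice.zip"'
        m.attach(att)
    return m.as_bytes()


if __name__ == "__main__":
    for spammy, with_zip in ((True, True), (False, False)):
        print(filter_message(build_sample(spammy, with_zip)))
```

The two checks share one parse but nothing else: the spam side combines the most decisive tokens into a single probability (a product rather than the plain sum of likelihoods), while the attachment side never looks at word statistics and instead hashes content, checks for executable markers and opens archives. The depth and member-size limits on the zip walk are the check a filter needs before it inflates attacker-supplied archives, since an unbounded extraction is an easy way to exhaust the mail server.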