Date: Thu, 12 Jun 2003 22:16:01 -0400 From: Bill Moran <wmoran@potentialtech.com> To: chat@FreeBSD.org Subject: Re: Antivirus for (mailservers on) FreeBSD Message-ID: <3EE933E1.9080503@potentialtech.com> In-Reply-To: <200306122006.55906.dkelly@HiWAAY.net> References: <5.2.1.1.2.20030612202321.02e28008@194.184.65.4> <20030612193524.GA31199@grumpy.dyndns.org> <3EE8DB83.4040609@potentialtech.com> <200306122006.55906.dkelly@HiWAAY.net>
next in thread | previous in thread | raw e-mail | index | archive | help
David Kelly wrote: > On Thursday 12 June 2003 02:58 pm, Bill Moran wrote: > >>David Kelly wrote: >> >>>How does "antivirus mail filtering" differ significantly from spam >>>filtering? Seems to me these two should be one and the same as >>>"spam" is a form of malicious code. >> >>No, no, no. Not even close. >> >>While it may seem that way to an end-user, programatically it's very >>different. >> >>Bayesan matching is generally done for spam, as it seems to be the >>best approach. This involves checking for a LARGE number of >>conditions and assigning a percentage likelihood for each that it is >>indicative of spam. Once _every_ condition has been checked, the >>email is labeled spam or not based on the sum of the liklihoods of >>all matched rules. This is VERY cpu intensive. > > So what? If you are already pushing the message thru a spam filter then > while you are at it and have the message in hand then run a malicious > code check. If you are going to check for malicious code anyhow then it > shouldn't ultimately take more CPU cycles to do it from the spam filter > interface. > > No matter such malicious code is often hidden in .zip or .exe > attachments. Simply look there too. > > I am not suggesting use of optimized-for-spam search techniques against > malicious code, but optimized-for-code techniques from within the same > framework. I'm not getting what your point is here. Amavis and qmail-scanner already do this ... taking malware scanning and spam filtering into the same operation as a kind of wrapper. Trying to use malware techniques in (for example) spamassassin is impractical, just as incorporating spam filtering into Sophos would be impractical. Besides ... beyond the technique differences, the correct outcome is different as well. Emails containing malware should be quarantined immediately, and the user should have to beg the IT department if there is some reason he really wants to recieve that message. Emails IDed as spam should be sent on to the user with some sort of flag set to allow the user to use his local MUA to filter them if he prefers, or manually filter them or whatever. Additionally, you want to scan ALL emails for malware, so if something sneaks in off a floppy or something it doesn't run rampant throughout the company email system, while scanning outgoing emails for spam is simply a waste of CPU cycles. -- Bill Moran Potential Technologies http://www.potentialtech.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EE933E1.9080503>