Antivirus for (mailservers on) FreeBSD

Bill Moran wmoran at potentialtech.com
Thu Jun 12 19:16:05 PDT 2003


David Kelly wrote:
> On Thursday 12 June 2003 02:58 pm, Bill Moran wrote:
> 
>>David Kelly wrote:
>>
>>>How does "antivirus mail filtering" differ significantly from spam
>>>filtering?  Seems to me these two should be one and the same as
>>>"spam" is a form of malicious code.
>>
>>No, no, no.  Not even close.
>>
>>While it may seem that way to an end-user, programmatically it's very
>>different.
>>
>>Bayesian matching is generally done for spam, as it seems to be the
>>best approach.  This involves checking for a LARGE number of
>>conditions and assigning a percentage likelihood for each that it is
>>indicative of spam. Once _every_ condition has been checked, the
>>email is labeled spam or not based on the sum of the likelihoods of
>>all matched rules.  This is VERY CPU intensive.
> 
> So what? If you are already pushing the message through a spam filter then 
> while you are at it and have the message in hand then run a malicious 
> code check. If you are going to check for malicious code anyhow then it 
> shouldn't ultimately take more CPU cycles to do it from the spam filter 
> interface.
> 
> No matter such malicious code is often hidden in .zip or .exe 
> attachments. Simply look there too.
> 
> I am not suggesting use of optimized-for-spam search techniques against 
> malicious code, but optimized-for-code techniques from within the same 
> framework.

I'm not getting what your point is here.

Amavis and qmail-scanner already do this ... taking malware scanning and
spam filtering into the same operation as a kind of wrapper.

Trying to use malware techniques in (for example) spamassassin is
impractical, just as incorporating spam filtering into Sophos would
be impractical.

Besides ... beyond the technique differences, the correct outcome is
different as well.  Emails containing malware should be quarantined
immediately, and the user should have to beg the IT department if there
is some reason he really wants to receive that message.  Emails IDed as
spam should be sent on to the user with some sort of flag set to
allow the user to use his local MUA to filter them if he prefers, or
manually filter them or whatever.
Additionally, you want to scan ALL emails for malware, so if something
sneaks in off a floppy or something it doesn't run rampant throughout
the company email system, while scanning outgoing emails for spam is
simply a waste of CPU cycles.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
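The two points the thread turns on, that spam scoring evaluates every rule and sums weights before a verdict while malware scanning looks for definite signatures in attachments, and that the two checks have different dispositions (flag-and-deliver versus quarantine) and different scopes (inbound only versus all mail), can be shown in a small dispatcher. This is an added illustration, not code from the thread, from Amavis, qmail-scanner or SpamAssassin; the rule names, weights, signature byte patterns, header names and sample messages are all constructed for the example.

```python
"""Toy mail-disposition pipeline: separate spam scoring from malware scanning.

Constructed example: rule weights, the signature list and the sample messages
are made up for illustration and are not taken from any real filter.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: Dict[str, bytes] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


# Spam rules: (name, predicate, weight). Weights are constructed, in the spirit
# of a score-sheet filter where every rule is evaluated and the scores summed.
SPAM_RULES: List[Tuple[str, Callable[[Message], bool], float]] = [
    ("SUBJ_ALL_CAPS", lambda m: m.subject.isupper() and len(m.subject) > 8, 1.5),
    ("BODY_FREE_MONEY", lambda m: re.search(r"\bfree money\b", m.body, re.I) is not None, 2.0),
    ("BODY_UNSUBSCRIBE", lambda m: "unsubscribe" in m.body.lower(), 0.5),
    ("FROM_NUMERIC_LOCAL", lambda m: re.match(r"^\d+@", m.sender) is not None, 1.0),
    ("MANY_EXCLAMATIONS", lambda m: m.body.count("!") >= 3, 1.0),
]
SPAM_THRESHOLD = 3.0  # constructed cut-off


def spam_score(msg: Message) -> Tuple[float, List[str]]:
    """Evaluate every rule (no early exit) and sum the weights of the matches."""
    total = 0.0
    hits: List[str] = []
    for name, pred, weight in SPAM_RULES:
        if pred(msg):
            total += weight
            hits.append(name)
    return total, hits


# Malware "signatures": constructed byte patterns standing in for a real
# scanner's database. A deployment would hand attachments to a real scanner.
MALWARE_SIGNATURES: Dict[str, bytes] = {
    "Constructed.TestSig.A": b"CONSTRUCTED-MALWARE-SIGNATURE-A",
    "Constructed.TestSig.B": b"CONSTRUCTED-MALWARE-SIGNATURE-B",
}


def scan_attachments(msg: Message) -> List[Tuple[str, str]]:
    """Return (attachment name, signature name) for every matching attachment."""
    findings = []
    for fname, data in msg.attachments.items():
        for sig_name, pattern in MALWARE_SIGNATURES.items():
            if pattern in data:
                findings.append((fname, sig_name))
    return findings


def dispose(msg: Message, outgoing: bool) -> Tuple[str, Message]:
    """Apply the two policies the thread describes.

    Malware is scanned on every message, inbound or outbound, and quarantined
    immediately. Spam is scored only on inbound mail and the message is still
    delivered, carrying headers the user's MUA can filter on.
    """
    findings = scan_attachments(msg)
    if findings:
        msg.headers["X-Quarantine-Reason"] = "; ".join(f"{f}:{s}" for f, s in findings)
        return "quarantine", msg
    if outgoing:
        return "deliver", msg  # no spam scoring on outbound mail
    score, hits = spam_score(msg)
    msg.headers["X-Spam-Score"] = f"{score:.1f}"
    msg.headers["X-Spam-Rules"] = ",".join(hits)
    if score >= SPAM_THRESHOLD:
        msg.headers["X-Spam-Flag"] = "YES"
    return "deliver", msg


# Constructed sample messages: one spammy inbound, one outbound with a matching
# attachment (to show malware is scanned in both directions), one clean inbound.
SAMPLES: Dict[str, Tuple[Message, bool]] = {
    "spammy": (Message("1234567@example.net", "WIN FREE MONEY NOW!!!",
                       "Click here for free money!!! To unsubscribe reply STOP."), False),
    "infected": (Message("alice@example.org", "Quarterly report", "See attached.",
                         attachments={"report.zip": b"PK\x03\x04CONSTRUCTED-MALWARE-SIGNATURE-A..."}), True),
    "clean": (Message("bob@example.org", "Lunch?", "Are we still on for noon?"), False),
}


def run_samples() -> Dict[str, str]:
    """Run every sample through dispose() and return name -> disposition."""
    return {name: dispose(msg, outgoing)[0] for name, (msg, outgoing) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:9s} -> {verdict:10s} {SAMPLES[name][0].headers}")
```

The spammy message matches all five rules for a score of 6.0 and is delivered with `X-Spam-Flag: YES`; the outbound message with a matching attachment is quarantined before any spam rule runs; the clean message is delivered with a score of 0.0 and no flag.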
