help with sql script

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=4874
Printed Date: 05 February 2025 at 10:49am


Topic: help with sql script
Posted By: kspare
Subject: help with sql script
Date Posted: 28 December 2004 at 3:20pm

I'm seeing a large problem where spam getting caught in the database is simply virus. So instead of getting caught by the attachment it's getting caught by the IP. Since the rules order isn't going to be changed anytime soon, I need to find a way to delete all messages out of the quarantine that have been blocked by IP and have attachment extensions that are common to viruses, i.e. .htm, .bat, .scr, etc.

Any suggestions?




Replies:
Posted By: Desperado
Date Posted: 28 December 2004 at 4:53pm
Kevin,

I am looking at this but I do not think it will be easy.  One starting suggestion ... in the SpamFilter "Customized Items", change the "ResponseBlacklistLocalIP=" from the default to some unique code so that you have something to search on.  Mine is set as follows:
ResponseBlacklistLocalIP=521 5.2 The IP used to deliver this message, (%IP%) is Blacklisted. Contact that IP block's admin.

This allows me to query "521 5.2" and I only get the Local Blacklist IP stuff.
 
Once this is done, the query may be easier but I need to look at this more closely and get back to you.
 
Regards (for now)
 
Dan S.


Posted By: Desperado
Date Posted: 28 December 2004 at 5:27pm

Kevin,

I too have some quarantined stuff that was caught by other filters and is, in fact, a virus, but if the customer tries to send it, my virus gateway will catch it.  For example:

147   Text (http://spamman.mags.net/VirtAdmin/VirtResolveSpam.asp?QuarID=29675266&MsgID=22434142) OR HTML (http://spamman.mags.net/VirtAdmin/VirtResolveSpamAsHTML.asp?QuarID=29675266&MsgID=22434142)    llucas@lauraltonhall.org hostmaster@aol.com Confirmation 12/28/2004 9:16:18 AM SPF Sender Policy Framework match 550 The sender did not meet Sender Policy Framework rules. Please see http://spf.pobox.com SID=11 Razor

This actually has an email virus but was trapped by SPF.

Did the forum already have a discussion on the attachment BL order?  SF-ISP is not (yet) intended to be an anti-virus gateway but I can see that quarantining the above, while not causing any issues in my setup, is less than desirable.

Question ... Does MS-SQL have any options to do a virus scan on a per-field basis?  I have not ever seen anything like that but it may be possible.

Dan



Posted By: kspare
Date Posted: 28 December 2004 at 6:14pm

Dan, you are seeing the same thing as me. SpamFilter, if set up properly, can catch viruses quite efficiently. Before we continue on with this, I think we need to talk about this with Roberto. Having the IP moved to last would solve most of our problems, or at least move the attachment filter first; that would help all of us to filter out our spam a lot easier without having to come up with complicated custom solutions.



Posted By: LogSat
Date Posted: 28 December 2004 at 10:53pm
Kevin,

Having SpamFilter search for IP and domain blocks first allows SpamFilter to be very efficient, as it does not have to scan thru an email's content to look for attachments/keywords. Furthermore, the IP/domains are available as soon as the remote servers connect, *before* any email content is even sent thru the network. SpamFilter's speed is one of the features we're very happy with, and changing the filter order will have a large impact on performance.

To prevent banned-attachment files from being displayed in the web interface, an option could be to use ASP to filter out/hide/unlink emails that have the attachment in the email body. The Msg field in the tblMsgs table would have a section similar to the following for an attachment of joe.txt:

------=_NextPart_000_003B_01C4ED2F.4D510E20
Content-Type: text/plain;
	name="joe.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="joe.txt"

Some ASP could be developed to look for that extension(s).

Roberto F. LogSat Software


Posted By: kspare
Date Posted: 28 December 2004 at 11:33pm

Fair enough, Roberto, but consider this. Your efficiency assumes we don't want to quarantine the message if it's deemed spam.

For the people like Dan and myself who quarantine IP-blocked spam, it wouldn't matter if the DNS lookup came last because either way we want to quarantine all mail to the database for users and so the Bayesian filter can add the entire email to its database.

So efficiency is really irrelevant. Usability is a little more important at this point as we have a huge problem with users sorting through obvious spam that is becoming a big hassle because your product is working so well :)

In short, if you quarantine mail blocked by its IP, your efficiency is lost because you have to read the whole message anyway, right? So putting the other filters first may add some overhead but in the end it helps to sort out the spam because 90% of my spam is blocked by IP...



Posted By: LogSat
Date Posted: 29 December 2004 at 10:15pm
If emails are quarantined, as it's for a major part of the installs, yes, bandwidth is still used because the message is still being received. However my statements about the efficiency still hold true, as the message does not have to be scanned and text searches be performed against it if the other filters have already tagged it. Performance is impacted not as much by SpamFilter receiving the messages, but in SpamFilter having to parse its contents.

We have been working to implement an antivirus solution, but technical issues have hampered the process. When they are overcome, I believe that will take care of your concerns as well.

Roberto F. LogSat Software


Posted By: kspare
Date Posted: 29 December 2004 at 11:24pm
That may help a lot, yes. But my biggest problem right now is that in my database I have 10,000 messages. 9500 of them have been caught by the IP. I would like to simplify spam for myself and my users, but I can't just delete anything caught by IP because that is the main source of legit emails being caught. And probably 75% of those emails are viruses. Would it be possible to just add the file attachment filter first?


Posted By: LogSat
Date Posted: 30 December 2004 at 8:40pm
The attachment filter is embedded within the keywords filter, they can't be separated. Moving one would also mean moving the other, sorry.

Roberto F. LogSat Software


Posted By: pcmatt
Date Posted: 03 January 2005 at 10:34pm

Kevin,

Not everyone uses the quarantine.  So, it only suits some users to hard code the solution you ask for.  That would make the software perform worse for those of us that do not quarantine. 

This in addition to the valid points that Roberto has made regarding efficient high performance design of the software.

-Matt



Posted By: kspare
Date Posted: 03 January 2005 at 10:42pm

Matt. Let's not put our foot in our mouth again shall we?

Most people do use the quarantine.

Who said anything about hardcoding it? Generally every feature request Roberto adds is configured via the ini file.

There is also a fine line between efficiency and how well and how convenient a product works. Right now, it's a pain in the ass because 90% of the spam is caught by IP. 80% of that is files caught because of their attachment. So now all my users have to sift through all of this spam to delete a bunch of useless messages that are deemed spam but I have no method to delete them. You explain to all my customers that they have to deal with deleting all of that spam because the spam software I use is efficient instead of co-operative.



Posted By: pcmatt
Date Posted: 04 January 2005 at 12:35am

No foot for me this time. I never claimed any majorities used or did not use the quarantine features.  The fact is that not everyone does and that's what I stated. 

This is a rehash of an old post.  What you ask for is not unreasonable, but in fact quite sensible, which is what has also been stated before.  The problem is the complex and tedious amount of work that would be needed.  It's likely we'll see SpamFilter anti virus features before you see the product with the complex configuration options you are asking for.

What you really need is an anti virus "plug in" for your database to scan and detect viruses.  I'm sure this is doable, but I've never looked into writing such a program. 

-Matt



Posted By: kspare
Date Posted: 04 January 2005 at 12:40am

Ok. So why do I need this antivirus plugin? I'm already blocking most of my viruses with SpamFilter already. Anything that gets past is scanned by Norton and/or McAfee.

But let's say for example people don't have Norton or McAfee. Most likely they have something on their server, right?

Now by going by your theory, Matt, the antivirus plugin would help us to find viruses, right?

But we already know what most of them are, because we blocked them by file attachment.

So instead of having the file attachment before the IP scan, we now have an antivirus plugin as well.

I want you to explain to me how THIS is going to help efficiency. All this can do is slow down the process, due to the fact that now the entire message needs to be scanned for viruses.



Posted By: pcmatt
Date Posted: 04 January 2005 at 12:59am

You complained about false positives if you drop those messages blocked by IP instead of quarantining.  Your overall configuration must be problematic for that to be a bigger problem than presenting your users with their personal virus stores.  This is a perfect example of why the quarantine is a bad idea.  It turns perfectly good ISPs into junk and virus collectors.   A good reporting system that allows users to see reports on every email that has been accepted or rejected is a far better way to go.

You can't be helped if you are not looking for other than the one solution that you have asked for repeatedly which simply is not going to happen. 

-Matt



Posted By: LogSat
Date Posted: 04 January 2005 at 10:21pm
Kevin,

SpamFilter's job is to catch spam and all unwanted emails and block them so the end user does not see it. If your customers complain because SpamFilter blocked too much spam and now their quarantine is full of junk... sorry, but this is *exactly* what SpamFilter is supposed to do. We tried to add features and options to allow in flexibility for administrators to have some control of what is quarantined and what is instead deleted right away, but we are not inclined to sacrifice performance for functionality that is extra to the ability to block spam.

As a side note, this is our own opinion, but end users usually do not "routinely" go in their quarantine and check it for emails. At this point one may as well eliminate a spam filter since the users end up looking at all the blocked emails anyhow. But again this is our opinion and you may have requirements that we are not aware of.

The order of the filter will be made user-definable in future versions, but whether the IP-based rules will be processed before all others or not is still not decided. In any case, this is a major change that cannot be made using simple ini file parameters, it will require a lot of development (and disclaimers for loss of performance if used improperly).

Roberto F. LogSat Software


Posted By: kspare
Date Posted: 05 January 2005 at 12:26am

People need to listen.

SpamFilter is working PERFECTLY. I don't know how to make this more clear. However, with the amount of spam that does get caught, a lot of it is viruses that are caught but I am unable to delete from the database because they are tagged by IP first. Which is fine. If someone could help write an SQL script that could delete anything with an attachment, my problem would be solved. All I want to do is simplify my customers' experiences with spam and make everyone's life easier.

Basically my request is this. How can I delete messages blocked by IP that have an attachment?



Posted By: LogSat
Date Posted: 05 January 2005 at 1:48am

Kevin,

For this I'd go back to my 1st reply in this thread:

==============
The Msg field in the tblMsgs table would have a section similar to the following for an attachment of joe.txt:

------=_NextPart_000_003B_01C4ED2F.4D510E20
Content-Type: text/plain;
	name="joe.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="joe.txt"

==============

If as you ask for in this last posting you wish to only be able to delete all emails blocked by IP that have any attachment, you could construct a SQL query that looks for the string "Content-Disposition: attachment;", as follows:

-- Tag for deletion every IP-blocked message (RejectID 12) that carries an attachment
UPDATE    tblQuarantine
SET       tblQuarantine.Expire = 1
FROM      tblQuarantine, tblMsgs
WHERE     (tblQuarantine.MsgID = tblMsgs.MsgID)
  AND     (tblMsgs.Msg LIKE '%Content-Disposition: attachment;%')
  AND     (tblQuarantine.RejectID = 12)

This will cause all messages with RejectID=12 and the attachment string to be tagged for deletion by SpamFilter. Please note that RejectID 12 includes both blacklisted IPs and rejects caused by the MAPS RBL servers. SpamFilter makes no distinctions between the two. If that is not satisfactory, the query could be modified to also look at the RejectDetails field in the tblQuarantine table to look for "is Blacklisted" (a subset of "The IP aa.bb.cc.dd is Blacklisted").

DISCLAIMER - This SQL statement was thought of while responding to this post, it is in no way supported/guaranteed to work by LogSat!

Roberto F.
LogSat Software
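
The variant discussed in the thread, written out as an added example that is not part of the original posts and not LogSat's code: it narrows the query above to local-blacklist rejects via RejectDetails and to the attachment extensions named in the first post, and lets you review the candidates before anything is tagged. Table and column names are the ones given in the thread; the SQL Server syntax, the extension list and the temp-table name #ToExpire are assumptions.

```sql
-- Added example, not LogSat's code. Tables/columns as named in the thread;
-- the extension list and #ToExpire are assumptions to adjust for your install.

-- 1. Collect candidates: rejected by IP (RejectID 12), RejectDetails shows the
--    local blacklist wording (leaves out MAPS RBL hits), and the stored
--    message has an attachment whose filename ends in a listed extension.
SELECT DISTINCT q.MsgID
INTO   #ToExpire
FROM   tblQuarantine AS q
       INNER JOIN tblMsgs AS m ON m.MsgID = q.MsgID
WHERE  q.RejectID = 12
  AND  q.RejectDetails LIKE '%is Blacklisted%'
  AND  m.Msg LIKE '%Content-Disposition: attachment;%'
  AND (   m.Msg LIKE '%filename="%.scr"%'
       OR m.Msg LIKE '%filename="%.bat"%'
       OR m.Msg LIKE '%filename="%.htm"%');
-- LIKE is a heuristic here: '%' can span several MIME parts, and unquoted or
-- encoded filenames are not matched, so review the candidates before tagging.

-- 2. Review what would be tagged.
SELECT COUNT(*) AS Candidates FROM #ToExpire;

SELECT TOP 20 q.MsgID, q.RejectDetails
FROM   tblQuarantine AS q
       INNER JOIN #ToExpire AS t ON t.MsgID = q.MsgID
WHERE  q.RejectID = 12
ORDER  BY q.MsgID;

-- 3. Tag the reviewed rows so SpamFilter deletes them.
BEGIN TRANSACTION;

UPDATE q
SET    q.Expire = 1
FROM   tblQuarantine AS q
       INNER JOIN #ToExpire AS t ON t.MsgID = q.MsgID
WHERE  q.RejectID = 12;

SELECT @@ROWCOUNT AS RowsTagged;

-- Use ROLLBACK TRANSACTION instead if RowsTagged is not what step 2 led you to expect.
COMMIT TRANSACTION;

DROP TABLE #ToExpire;
```

If ResponseBlacklistLocalIP has been customized as Dan describes earlier in the thread, the RejectDetails pattern may need to match that custom text instead.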



