Autor: Tim Jackson Fecha: A: exiscanusers Cc: exim-users, Tom Kistner Asunto: [Exim] Re: exiscan demime facility
Hi Tom, on Fri, 28 Feb 2003 15:35:00 +0100 you wrote:
[strict MIME checking catching real mail] > I think the false positive rate should be reasonably low. I have tested
> my demimer with ~3000 messages from my own INBOX. <snip> > this brings my
> own false-positive rate with NON-virus and NON-spam messages to zero.
Have you got some kind of command line tool you're using to check all
these messages against the demimer, or are you just piping them back
through Exim? In either case, if you can let us all know how you're doing
it (and make the tool available in the former case), I'm sure there are
plenty of us with significant-size repositories of mail who would be happy
to check the demimer against in the same way and see what happens - the
larger test base can only be a good thing in trying to spot any potential
problems.
> > Would it not be feasible to consider, in addition to the
> > demime_action, to have an option "attempt to unpack broken MIME" which
> > would make a "best effort" attempt?
> Yes, I agree on that.
Great! Thanks. Look forward to it.
How about my other suggestion; that is, to (optionally) give the virus
scanner a go at the original message first, before attempted de-MIMEing,
in cases where demime_action = pass and MIME is broken? I think this will
complement the new feature nicely, and give maximum chance of catching
malicious content.
> > Another thing: even if the "broken MIME catcher" has 0% false
> > positives, the message it produces (e.g. "This message has broken MIME
> > (base 64 length is not a multiple of 4 characters") is very technical
> > and not as intelligible as "This message contains a virus..." in the
> > event that it lands back in an end users' mailbox.
> I know. You can now easily define a "wrapper" text with
> exiscan_demime_rejectmsg that can include a more verbose explanation of
> the general problem.
Mm, but it's going to have to be a "generic" message, unfortunately; less
specific than "Virus XYZ is why we have a problem with this mail". But
this is a minor issue, and I guess in this case the additional protection
added by the MIME sanity checking outweighs the small decrease in useful
information provided in reject messages.
Thanks for your ongoing work on Exiscan - I'm sure I speak for everyone in
saying that you're doing a great job.