On Wed, 2 Jul 2008, John Jetmore wrote:
>
>
> Postini claims their mail filtering works this way. They have X scanning
> subsystems (at least one spam and one virus, but my understanding is
> multiples of each). When a chunk of data comes in off the wire they feed
> that chunk into each of the subsystems. Those subsystems may or may not
> choose to analyze that chunk of data or wait until it has more data. When
> it has enough data to make a decision it can return a verdict at any point
> in the exchange, even if it hasn't seen the entire message (for instance,
> once it has enough data to see a mime boundary, that or the next chunk
> containing the start of the file might be enough to see a virus
> signature). I'm not sure if one positive subsystem is enough to flag the
> entire message, but once enough subsystems have marked it as bad, the MTA
> can start binning the incoming data stream until the dot is sent and they
> can tell the sender it's rejected.
>

This sounds about right ($dayjob is a Postini reseller).

> Obviously Postini is highly motivated to do this well and efficiently and

I would hope so - but I've also seen situations where they are way behind
the curve on.

> I'm not suggesting Exim should be able to do this, just pointing out that
> it can and has been done. Of course, Postini has written all of their own
> subsystems too, they don't just plug into an out-of-the-box clamav or
> spamassassin...
>
Yup. It's all proprietary, as far as I know.
--
--------------------------------------------------------
Dave Lugo dlugo@??? LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.
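
The streaming approach discussed in this message, as an added example that is not part of the original thread and is not Postini's or Exim's code: scanners are fed each network read, can reach a verdict mid-message, and the receiver bins the rest of the stream and rejects only after the final dot. The class names, the two signatures and the threshold of two positive subsystems are assumptions made for illustration.

```python
# Added illustration, not Postini's or Exim's code. Signatures, names and the
# threshold are constructed assumptions; dot-stuffing is ignored for brevity.

class StreamScanner:
    """Incremental matcher that can return a verdict before the message ends."""
    def __init__(self, signature):
        self.sig, self.tail, self.bad = signature, b"", False

    def feed(self, chunk):
        if not self.bad:                      # a decided scanner does no more work
            window = self.tail + chunk
            self.bad = self.sig in window
            keep = len(self.sig) - 1          # lets a signature split across reads match
            self.tail = window[-keep:] if keep else b""
        return self.bad

class DataReceiver:
    END = b"\r\n.\r\n"                        # SMTP end-of-data marker

    def __init__(self, scanners, threshold):
        self.scanners, self.threshold = scanners, threshold
        self.stored, self.scanned, self.tail = bytearray(), 0, b""
        self.discarding, self.reply = False, None

    def on_chunk(self, chunk):
        """Handle one network read; return the SMTP reply after the final dot."""
        if self.reply is None:
            if not self.discarding:
                self.stored += chunk
                self.scanned += len(chunk)
                hits = sum(s.feed(chunk) for s in self.scanners)
                if hits >= self.threshold:    # enough subsystems said "bad"
                    self.discarding = True
                    self.stored.clear()       # bin the rest of the stream
            window = self.tail + chunk
            self.tail = window[-(len(self.END) - 1):]
            if self.END in window:            # the sender has to finish DATA first
                self.reply = "550 rejected by content scan" if self.discarding else "250 OK"
        return self.reply

def run(chunks, threshold=2):
    rx = DataReceiver([StreamScanner(b"FAKE-VIRUS-SIG"), StreamScanner(b"cheap pills")], threshold)
    reply = None
    for c in chunks:
        reply = rx.on_chunk(c)
    return reply, rx.scanned, sum(map(len, chunks))

# Constructed sample: both signatures and the end marker straddle read boundaries.
SAMPLE = [b"Subject: hi\r\n\r\n--b1\r\nFAKE-VIR", b"US-SIG cheap pi", b"lls now\r\n",
          b"A" * 4096, b"\r\n.", b"\r\n"]

if __name__ == "__main__":
    print(run(SAMPLE))
```
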