Jorey Bump wrote, On 8/21/2007 2:28 PM:
> John Crawford wrote:
>
>> What's the best way, and second best way to react to zero-day virus
>> threats - messages that are delivered to the mail store before the
>> detection is in place?
>
> Any detection that can take place in the mail store can (and should) be
> moved up the chain, preferably to the MTA.

Thanks to Jorey and Joseph for the replies.

The MTA - that is where the scan occurs for inbound mail. Once it's arrived, it can be re-evaluated with the benefit of newly incorporated methods of detection. Some of our techniques are effective against attachments and identifying known mail content hazards. And of course this is a layer before the Mail User Agent handling, which may also have detection capabilities (depending on the user and their client).

We do have blocking for hazardous attachments, etc. Clamav has been a nice tool for locating phishing messages and "please visit my website to see if I can hack in" ecards. The MUA side detection most clients have is less effective against these though.

>> Is there a best practice that functions nicely
>> within the cyrus community?
>
> Yes, once a message is delivered, leave it alone. The most you should do
> at that point is maybe provide an opt-in sieve rule that stores
> suspicious messages in a special folder. But even this has caveats, and
> I prefer to let the users sort their own mail.

Sieve is during delivery to the cyrus store though. As we have the capability to identify hazards to our users, I'd like to be able to exercise central strategies to improve their quality of life. So I seek tools to leverage after detection to aid with removal or remediation. Maybe it would be nice to have a just-in-time scan interface at the cyrus message level just as a message is being accessed. CPU processing is getting cheaper all the time.
thanks,
John

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
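As an added example (not code from the post or from the Cyrus project), the re-evaluation John describes: messages that were already delivered are checked again against a detection rule set that changed after delivery, and, per the caveat Jorey gives, the pass only reports what an opt-in rule would file into a special folder rather than removing anything. The extension blocklist, folder name, addresses and sample messages are all constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Iterable, Optional

# Constructed blocklist standing in for the "newly incorporated" detection method.
HAZARDOUS_EXTENSIONS = (".exe", ".scr", ".pif", ".vbs")


def attachment_names(msg: EmailMessage) -> list[str]:
    """Filenames of every MIME part that is an attachment rather than body text."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def is_hazardous(msg: EmailMessage) -> bool:
    """Updated rule: flag a message if any attachment's extension is blocklisted."""
    return any(name.lower().endswith(HAZARDOUS_EXTENSIONS)
               for name in attachment_names(msg))


def rescan(raw_messages: Iterable[bytes],
           quarantine_folder: str = "INBOX.Suspicious") -> dict[str, str]:
    """Re-evaluate delivered messages; return {Message-ID: folder} for hits only.
    Report-only: nothing is deleted or moved; an opt-in rule or the user decides."""
    hits: dict[str, str] = {}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        if is_hazardous(msg):
            hits[str(msg["Message-ID"])] = quarantine_folder
    return hits


def _sample(msg_id: str, filename: Optional[str]) -> bytes:
    """Build a constructed RFC 822 message, optionally carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "ecard"
    m["Message-ID"] = msg_id
    m.set_content("Please see the attached card.")
    if filename:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed "mail store": one hazardous attachment, one benign, one plain text.
SAMPLE_STORE = [_sample("<1@example.invalid>", "card.exe"),
                _sample("<2@example.invalid>", "notes.txt"),
                _sample("<3@example.invalid>", None)]
```

Running `rescan(SAMPLE_STORE)` flags only the first message, leaving the benign attachment and the text-only message untouched.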