Jorey Bump wrote, On 8/22/2007 8:23 AM:
> John Crawford wrote:
>
>> Sieve is during delivery to the cyrus store though.
>> As we have the capability to identify hazards to our
>> users, I'd like to be able to exercise central
>> strategies to improve their quality of life. So I seek
>> tools to leverage after detection to aid with
>> removal or remediation.
>>
>> Maybe it would be nice to have a just-in-time scan interface
>> at the cyrus message level just as a message is being
>> accessed. CPU processing is getting cheaper all the time.
>
> Hmm, this is an interesting problem. At one extreme, you're changing the
> mailstore or connection while the user is logged in, which could
> result in some confusion (and possibly trigger some client software
> issues). At the other extreme, you may have an account that hasn't been
> checked for weeks, so it's fine to remove malicious messages that have
> accumulated due to lack of detection before delivery. You also have to
> be careful not to remove messages that have been forwarded to your
> support address, as they will contain strings that may trigger detection.
>
> To handle all cases safely, you'd probably want to script using
> Cyrus::IMAP::Shell, so all changes are performed via IMAP. You can do
> this safely with Cyrus because it supports concurrent R/W access.
> Instead of deleting these messages, you'll want to put them in a
> quarantine account so you can restore them in the case of false positives.

I don't see that it's possible to read any particular message, or to
iterate and evaluate the content of messages with Cyrus::IMAP::Shell.
Am I missing something?

> I'm still not sure I'd be comfortable doing this beneath the nose of a
> logged in user. I'd also hesitate to touch anything outside the INBOX
> (and any quarantine folders you provide), since it can be assumed that
> the message was moved due to user action. I'd probably test this for a
> long time only on accounts that aren't being checked regularly (this
> also has the benefit of reducing the size of abandoned accounts).
>
> Have you found that the risks justify this effort? Are your ClamAV scans
> of the mailstore turning up anything? Are they serious threats?

Yes, I get very good results of content I would like to safely hide away.
I use standard clamav with the usual clamav signatures. I've not
experienced problems from any false positives. I'll have a signature
update, and it will find messages received 50 minutes earlier - ones my
users don't need to be exposed to.

thanks,
John

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
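The post-delivery sweep Jorey sketches above (scan each message, move hits to a quarantine account over IMAP rather than deleting them, stay inside the INBOX, leave forwards to the support address alone), written out as an added example that is not code from this thread or from the Cyrus project. Because John notes that Cyrus::IMAP::Shell cannot read message bodies, this version uses Python's standard imaplib for the IMAP side and talks to clamd directly over its INSTREAM socket protocol. Everything beyond the thread is an assumption: an admin login that can SELECT other users' mailboxes, Cyrus's default `user.<name>` mailbox naming, a clamd UNIX socket at `CLAMD_SOCKET`, an existing `user.quarantine` mailbox the admin may insert into, and the constructed `support@example.com` address.

```python
# Added example, not from the thread or the Cyrus project. Assumes a Cyrus admin
# login, "user.<name>" mailbox naming, a clamd UNIX socket and a quarantine
# mailbox the admin can insert into; all of these are assumptions.
import email
import imaplib
import re
import socket
import struct
from email import policy

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumed socket path
QUARANTINE_MAILBOX = "user.quarantine"       # assumed central quarantine account
SUPPORT_ADDRESS = "support@example.com"      # constructed; forwards here are left alone


def parse_clamd_reply(reply: str):
    """Return the signature name from a clamd 'stream: <sig> FOUND' reply.
    'stream: OK' and any '... ERROR' reply yield None, so a scan failure
    never causes a message to be moved."""
    m = re.match(r"stream: (.+) FOUND$", reply.strip("\0\r\n"))
    return m.group(1) if m else None


def clamd_scan(data: bytes, sock_path: str = CLAMD_SOCKET):
    """Scan bytes with clamd's INSTREAM command: 'zINSTREAM\\0', then chunks
    prefixed by a 4-byte big-endian length, terminated by a zero-length chunk.
    clamd answers with a NUL-terminated line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), 8192):
            chunk = data[off:off + 8192]
            s.sendall(struct.pack(">I", len(chunk)) + chunk)
        s.sendall(struct.pack(">I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply.decode("utf-8", "replace"))


def quarantine_decision(raw: bytes, signature, support_address=SUPPORT_ADDRESS):
    """Policy for one message: a clamd hit is quarantined unless the message
    is addressed to the support mailbox (users forward samples there, and those
    legitimately contain the strings that trigger detection)."""
    if signature is None:
        return "keep"
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = " ".join(str(msg.get(h, "")) for h in ("To", "Cc", "Delivered-To"))
    if support_address.lower() in recipients.lower():
        return "keep"
    return "quarantine"


def sweep_inbox(imap: imaplib.IMAP4, user: str, scan=clamd_scan, dry_run=True):
    """Scan every undeleted message in user.<user> and COPY + \\Deleted + EXPUNGE
    each hit into the quarantine mailbox (never a plain delete, so false
    positives can be restored). Only the INBOX is touched; sub-folders are
    assumed to reflect user action. BODY.PEEK[] is used so the sweep does not
    set \\Seen on mail the user has not yet read. Returns the UIDs that were
    (or in dry_run mode, would be) moved."""
    imap.select(f"user.{user}")
    typ, data = imap.uid("SEARCH", None, "UNDELETED")
    moved = []
    for uid in data[0].split():
        typ, parts = imap.uid("FETCH", uid, "(BODY.PEEK[])")
        raw = parts[0][1]
        if quarantine_decision(raw, scan(raw)) != "quarantine":
            continue
        moved.append(uid.decode())
        if dry_run:
            continue
        imap.uid("COPY", uid, QUARANTINE_MAILBOX)
        imap.uid("STORE", uid, "+FLAGS", "(\\Deleted)")
    if moved and not dry_run:
        imap.expunge()
    imap.close()
    return moved


if __name__ == "__main__":
    # Usage sketch (assumed host and credentials): run in dry_run mode first.
    conn = imaplib.IMAP4_SSL("imap.example.com")
    conn.login("cyrus-admin", "ADMIN_PASSWORD_PLACEHOLDER")
    print(sweep_inbox(conn, "jdoe", dry_run=True))
    conn.logout()
```

Run it with `dry_run=True` (the default) against the idle accounts Jorey suggests starting with, compare the returned UIDs against what you expect, and only then switch to a live run. Quarantine by COPY plus expunge, rather than the IMAP MOVE extension, keeps the example working against older Cyrus releases such as the ones in use when this thread was written.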