[Avcheck] messages to the listserv

Piotr Klaban makler@man.torun.pl
Thu, 30 Aug 2001 14:44:48 +0200


On Thu, Aug 30, 2001 at 03:43:49PM +0400, Michael Tokarev wrote:
> I wan't call `infected' examples "official *parts*"
> of a package -- them all are examples only.  For now,

OK, but users are lazy ;-) and will use the given examples,
especially since there are versions for many languages.
But I understand that anyone can write separate 'infected'
program in perl or C etc. with different settings. And
it is very good.

> one small exception: handling mail from MAILER-DAEMON@* --
> current `infected' will not notify such "senders").
Fine. I did not look through all the sources of 'infected';
it seems that I should.

> I'm afraid I can't write a handler that suit all needs --
Right, those were only my thoughts. What is there now works great,
and there is no need to implement new features.
It is up to the programmer to decide what to implement
and if something should be implemented. In fact your program
avcheck is nearly complete - it works in the way
it should - it is a postfix content filter program.
Content inspection is the thing that is missing in the official
postfix distribution (I know you write a patch, and avcheck
supports content inspection), then for now there is
nothing to do with avcheck. More 'infected' example programs
could come from other people, if they need some additional
features.

> only headers) that explains (in Russian, see infected.ex2)
I know Russian a little (8 years in school ;-) ), but I do not have
Russian fonts here ;-).

> See above, and see Ralf's HOWTO that mentioned this.
> I know many antiviruses saves messages to some
> temp folder and uses "incident id" referred to
> that temp copy in notifications.  This scheme surely
> will work, but has some drawbacks (or incomplete).
The same scheme is used by Sophos, which is used on another server
at my Univ. It is not necessary for the admin to deal
with virus messages for users that have their computers
infected. The only possible solution that I see
(if someone wants to store infected message for future use)
is to have infected messages stored and _automatically_
resent without AV check after the user
request (by web or mail).
But no one needs to implement such a thing today.

>                  server A:            server B:
> transport_map    B  smtp:[B]:1025     A  smtp:[A]:1025

Thanks for this useful tip, I will use it here.

> entries), and there is no standard header for this

USENET News control messages use something like:

X-Info: ftp://ftp.uu.net/networking/news/misc/pgpcontrol/README.html
        ftp://ftp.uu.net/networking/news/misc/pgpcontrol/README
X-PGP-Sig: 2.6 Subject,Control,Message-ID,Date,From,Sender
        iQCVAgUBO4y6ytdKTteDivjtAQFUcAP/cDh9mQqwT5EyIUxyZ2Q5roKdr7k+NZ9w
        slt8uhWn99nX8fYqPcMdergFuoF04CY3LrTfa2qig0L77az9QGpHoSPDNTIZ6cLX
        z9aozOcMcaL5ccRwchONt9h5SRtq7WbNNvkwbhBifsCelzBI5ktQQu5pi2YQBqps
        os8pgJ4ZLHk=
        =Mwn3

but checking this is CPU intensive (there were control messages
with bad PGP signatures, bombs called him*crime or something like that
from the newsgroup names).

> while not standardized, will not help a lot.
Right. But I do not know if I will trust any mail server
from the internet besides mine, then I will install the same
software on each of local servers. But as I said - I am not
sure it is worth implementing, since this can be more CPU
intensive than anti-virus check.

> anyway.  So I don't know if that really needed to include
> a parser at this stage.
I do not know either, BUT
one of the possible gains from such a thing would be
in the situation when AVP dies - then simple text messages
could be transferred, not deferred.

-- 
Piotr Klaban