[Avcheck] md5 body checksum ring buffer as cache??

Michael Tokarev mjt@tls.msk.ru
Tue, 20 Nov 2001 20:47:21 +0300


Ralf Hildebrandt wrote:
> 
> Hi!
> 
> Would a ring-buffer of md5 checksums of message bodies make sense for
> caching virus scan results?

In fact, this seems a very interesting idea, but from a different point
of view.  An MTA can compute message checksum (it is cleanup in postfix),
compare it with some existing ring and reject shurely infected messages
at an SMTP port right away without bothering with bounces and the like.
Next, MTA can add "X-MD5-Checksum: blahblah" header for other messages
so a viruschecker can use it to update the ring (and to stop checking
clean messages).  But I doubt it will be done in postfix.

Anyway, looking to amount of infected messages compared to other clean
ones it seems not a big win if at all.  Note that most (>95%) messages
are clean and *different* (non-repeated), and note also that some viruses
uses different (random) body every time (but usually with the same
attachtments).

Regards,
 Michael.