[Avcheck] md5 body checksum ring buffer as cache??
Ralf Hildebrandt
Ralf.Hildebrandt@charite.de
Tue, 20 Nov 2001 18:54:00 +0100
On Tue, Nov 20, 2001 at 08:47:21PM +0300, Michael Tokarev wrote:
> In fact, this seems a very interesting idea, but from a different point
> of view. An MTA can compute message checksum (it is cleanup in postfix),
> compare it with some existing ring and reject surely infected messages
> at an SMTP port right away without bothering with bounces and the like.
Yeah. The buffer must not be too big, though!
> Next, MTA can add "X-MD5-Checksum: blahblah" header for other messages
> so a viruschecker can use it to update the ring (and to stop checking
> clean messages). But I doubt it will be done in postfix.
:)
> Anyway, looking to amount of infected messages compared to other clean
> ones it seems not a big win if at all. Note that most (>95%) messages
> are clean and *different* (non-repeated), and note also that some viruses
> use different (random) body every time (but usually with the same
> attachments).
Yup, the percentage here is less than 1 percent, even less than 1 per
thousand...
--
Ralf Hildebrandt Tel. +49 (0)30-450 570-155
Fax. +49 (0)30-450 570-916
Look what sendmail just dragged in:
Ah, so if SMTP is a dog, does that imply that sendmail is a cat? It'd
make sense, given that cats will often drag in nasty little dying
things & drop them lovingly in front of you.
A female cat. Because sometimes, sendmail is a bitch.
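
The checksum ring discussed in this thread, sketched as an added example (not part of the original messages, and not avcheck or Postfix code): a fixed-size ring of MD5 digests of content already found infected, consulted before accepting a message. Keying the ring on each part instead of the whole message is an assumption added here, prompted by the remark that some viruses vary the body but keep the attachments; the sample messages and reply texts are constructed.

```python
import hashlib
from collections import deque

def digest(data: bytes) -> str:
    # MD5 as in the thread: a cache key here, not a security boundary.
    return hashlib.md5(data).hexdigest()

class ChecksumRing:
    """Fixed-size ring of digests of content already found infected."""
    def __init__(self, size: int):
        self.size = size
        self.order = deque()   # digests, oldest first
        self.members = set()   # same digests, for O(1) lookup

    def add(self, data: bytes) -> None:
        d = digest(data)
        if d in self.members:
            return
        if len(self.order) >= self.size:
            self.members.discard(self.order.popleft())  # evict the oldest entry
        self.order.append(d)
        self.members.add(d)

    def __contains__(self, data: bytes) -> bool:
        return digest(data) in self.members

def smtp_verdict(ring: ChecksumRing, parts: list) -> str:
    """Reject at SMTP time if any given part is in the ring (reply texts are constructed)."""
    if any(p in ring for p in parts):
        return "550 matches known infected content"
    return "250 accepted, pass to virus scanner"

# Constructed sample: one attachment sent with two different bodies.
ATTACHMENT = b"constructed-sample-attachment-bytes"
MSG1 = [b"Hi, see the attached file.", ATTACHMENT]
MSG2 = [b"random text 8f3a1c", ATTACHMENT]

def demo():
    whole = ChecksumRing(size=2)      # keyed on the whole message
    per_part = ChecksumRing(size=2)   # keyed on each part (assumption, not in the thread)
    whole.add(b"".join(MSG1))         # scanner flagged MSG1: record it both ways
    per_part.add(ATTACHMENT)
    return (smtp_verdict(whole, [b"".join(MSG1)]),   # exact repeat
            smtp_verdict(whole, [b"".join(MSG2)]),   # new body, same attachment
            smtp_verdict(per_part, MSG2))

if __name__ == "__main__":
    print(demo())
```

The whole-message ring only catches the exact repeat; the changed body slips past it, while the per-part ring still matches on the unchanged attachment.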