[pmmail-list] SirCam Virus Filtering Update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Sun, 05 Aug 2001 01:59:24 -0700 (PDT)


On Sat, 04 Aug 2001 23:39:24 -0700, Dave in Phoenix AZ wrote:

>It seems this discussion of whose filter is best has been a bit overdone,
>although it certainly has been interesting and explored the use of filters.

I'm glad you received some valuable education on filters. Can trying to
protect someone be overdone?

>
>My simple filter has missed a few more, but it's no big deal... they are so
>easy to spot and you don't get infected by receiving the E-mail only if you
>open the attachment.  I see the virus text in preview window and simply
>delete it.  I am more concerned about any false positives which I have had
>none, since it triggers my autoreply telling sender they are infected and
>gives reference info to get rid of it.

Not opening an attachment whether solicited or not until it has been
screened does prevent infection. Many users however do not follow that
advice. Based upon the filter you are using, you've been lucky with no
false positives.

>
>The number of infected mail has dramatically slowed down the last few days.
>My filter overall captured and replied to about 300 virus messages with no
>false positives and about 4 that it didn't catch which I easily deleted
>manually.

Are you sure about 'no false positives'? Did you examine the body of
300 messages? What about the size of those messages? Did the attachment
have a double extension? 4 messages were not captured because you are
using a text string that is _not_ always present. You've been extremely
lucky. You should head to Las Vegas.

>
>As previously reported the simple filter that worked well for me is simply:
>b="in order to have your advice" & a="YES"

You should consider checking for an attachment first. It would be
faster. (a="YES" & b="in order to have your advice")
m.size>"137216" & a="YES" would have been faster and equally as
effective if not more effective.
>
>In theory it seems it shouldn't have worked that well, but in reality it
>did!

It should work on a limited subset of w32.sircam messages. Again, you
are extremely lucky.

>
>The battle of the filters has been interesting and informative!

What battle? No one needs to accept my suggestions. Equally, they can
live with the consequences.
--
JMO, 
/s/~Kris
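
Added example, not part of the original message and not PMMail filter syntax: a Python sketch that runs the phrase rule and the size rule from the thread over constructed messages, plus a combined rule that also requires a double extension. The extension list, the sample messages, and reading a="YES" as "has an attachment" are assumptions.

```python
from email.message import EmailMessage

PHRASE = "in order to have your advice"          # body string from the thread
SIZE_LIMIT = 137216                               # size figure from the thread
RISKY_EXT = {"pif", "lnk", "bat", "com", "exe"}   # assumed list, not from the thread

def build(body, filename=None, payload_len=0):
    """Construct a sample message (test data, not real mail)."""
    msg = EmailMessage()
    msg["Subject"] = "sample"
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"\0" * payload_len, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

def names(msg):
    """Filenames of the attachment parts (empty list if none)."""
    return [p.get_filename() for p in msg.iter_attachments()]

def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().lower() if part else ""

def phrase_rule(msg):
    # Attachment test first: it is cheap and short-circuits the body scan.
    return bool(names(msg)) and PHRASE in body_text(msg)

def size_rule(msg):
    return bool(names(msg)) and len(msg.as_bytes()) > SIZE_LIMIT

def double_ext(name):
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in RISKY_EXT

def combined_rule(msg):
    return size_rule(msg) and any(double_ext(n) for n in names(msg))

# Constructed samples: two suspicious, two legitimate.
SAMPLES = {
    "typical": build("I send you this file in order to have your advice", "notes.doc.pif", 140000),
    "other_text": build("A body with different wording.", "lista.xls.lnk", 140000),
    "quoted_reply": build("> in order to have your advice\nIs this safe?", "resume.doc", 2000),
    "big_legit": build("Holiday pictures attached.", "photos.zip", 200000),
}

def evaluate(rule):
    """Names of the samples a rule flags."""
    return sorted(k for k, m in SAMPLES.items() if rule(m))
```

On these samples the phrase rule flags the quoted reply and misses the differently worded message, the size rule also flags the large legitimate attachment, and the combined rule flags only the two double-extension messages.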