[sanesecurity] Re: Sanesecurity.Jurlbl.5624.UNOFFICIAL matches "com"

  • From: Sebastian Berm <maillinglist@xxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 14 Jul 2009 10:36:45 +0200



sanesecurity@xxxxxxxxxxxx wrote:
<snip>
If any of the emails that are scanned are then flagged up as
infected by one of the new signatures you could spit out a fatal warning
and not apply the new sigs.

Rather, I am planning to simply strip the signatures that do not meet the
user's minimum character requirements and possibly place them into a
temporary file for viewing and maybe even log the occurrence to the log
file.

That's not a very good solution. All that does is stop small domains being listed. It doesn't stop domains like facebook.com being listed. A *much* better solution would be to give the user an option to scan a folder(s) of their selection before rolling them out.

Wouldn't it just be a better idea to implement something like this before the signatures are even distributed to the mirrors? I do agree with you, it would be a nice option, however, I also agree with Bill that the script is slowly becoming a Swiss Army knife...
Not really bad, but perhaps it should be a plugin or something.

No reason to cause panic by spitting out fatal warnings and
bypassing the entire signature file for one errant signature.

I disagree. If a user has specifically stated that no email in this folder is spam, and then a signature update starts identifying messages in that folder as spam, the user should be warned. Perhaps you could add a "ham_folder_threshold" configuration option or something so you can specify how many emails in that folder should trigger before stopping the rollout.

I agree, however, due to the nature of how I'm providing e-mail scanning, I don't have a lot of confirmed ham here.
I doubt I'm the only one facing this problem...

This sort of scanning should take place before the signatures even appear in the signature file, but the "com" listing clearly proves that it isn't. Next best option, do it locally before rolling them out.

This also protects against malicious updates to signature files, by their maintainer, or by an enterprising hacker.
You're right on that one...


--
Regards,
Sebastian Berm
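A local pre-rollout check of the kind discussed in this thread (scan a folder the operator has declared to be ham with the candidate signatures, abort the rollout once a `ham_folder_threshold` number of ham messages match, otherwise strip the offending or too-short signatures), written here as an added example that is not from the thread or from the Sanesecurity scripts. The `clamscan` output lines and the `.ndb` entries are constructed; the `Name:TargetType:Offset:HexSignature` layout and the `min_chars` default of 8 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `clamscan` output from running candidate signatures
# over a folder the operator has declared to be ham (made up for this example).
HAM_SCAN_OUTPUT = """\
/var/mail/ham/0001.eml: Sanesecurity.Jurlbl.5624.UNOFFICIAL FOUND
/var/mail/ham/0002.eml: OK
/var/mail/ham/0003.eml: Sanesecurity.Jurlbl.5624.UNOFFICIAL FOUND
/var/mail/ham/0004.eml: Sanesecurity.Jurlbl.8810.UNOFFICIAL FOUND
/var/mail/ham/0005.eml: OK
"""

# Constructed candidate .ndb entries (assumed layout Name:TargetType:Offset:HexSig);
# the first decodes to the three bytes "com" that started this thread.
CANDIDATE_NDB = """\
Sanesecurity.Jurlbl.5624.UNOFFICIAL:4:*:636f6d
Sanesecurity.Jurlbl.8810.UNOFFICIAL:4:*:6578616d706c652d7370616d2e696e666f2f
"""

FOUND_RE = re.compile(r"^.+?: (?P<sig>\S+) FOUND$")

def ham_hits(scan_output):
    """Map each signature name to the number of ham messages it matched."""
    hits = Counter()
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("sig")] += 1
    return hits

def too_short(ndb_text, min_chars=8):
    """Names of .ndb signatures whose body matches fewer than min_chars bytes.
    Wildcards ('??', '*', '{n-m}' ranges) are not counted as matched bytes."""
    short = []
    for line in ndb_text.splitlines():
        name, _target, _offset, hexsig = line.split(":", 3)
        hexsig = re.sub(r"\{[^}]*\}", "", hexsig)          # drop {n-m} ranges
        matched_bytes = len(re.sub(r"[^0-9a-fA-F]", "", hexsig)) // 2
        if matched_bytes < min_chars:
            short.append(name)
    return short

def rollout_decision(scan_output, ndb_text, ham_folder_threshold=2, min_chars=8):
    """Return (action, offending): 'abort' when at least ham_folder_threshold
    ham messages matched, 'strip' when only some signatures need dropping,
    'apply' when the candidate set is clean."""
    hits = ham_hits(scan_output)
    offending = sorted(set(hits) | set(too_short(ndb_text, min_chars)))
    if sum(hits.values()) >= ham_folder_threshold:
        return "abort", offending
    if offending:
        return "strip", offending
    return "apply", []
```

In practice the scan output would come from running `clamscan -d <candidate.ndb> <ham folder>` and the stripped names would be filtered out of the file before it is copied into the live database directory.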

