so would a milter for sendmail that strips off attachments, queues them for decompression and scanning at a later time be more useful? Say such a milter could strip off attachments, replacing them with a URL in the email that will allow the recipient to download them if they prove clean. It's not an instant gratification, but it'll let you distribute the scanning among several machines. if an attachment gets denied, the url would inform the user why they can't access the file. i had an idea to write this a while ago, but never felt like writing the mime code to handle strange attachments. mike On Mon, 1 Mar 2004, Rubens Kuhl Jr. wrote:
I'm not aware of any mail scanner that does this without running an external anti-virus or something alike, although is not that intensive to follow the zip headers (as they already do with the MIME headers in order to drop external attachments). Most scanners can accept an anti-virus plugin and them scan inside zip files, but that requires more processing power, more queue disk space, more RAM, more administration to update virus patterns, and so on. The cost/benefit usually pays off, but more complexity means less people will adopt the solution, thus making worm spreading easier.
your description makes it all sound quite complicated, possibly because you are passing all the processing down to the end-user's machine.
I was talking about central anti-virus processing... although it's easier on administration than updating hundreds or thousands of machines, it establishes a central bottleneck. Doing decompression and extensive pattern matching on a high volume server is not an easy task.
we have anti-virus (clamav) and anti-spam (spamassassin) running at the server level, and thus save the end-user alot of cycles.
Even on low volume servers, this task is not something one would do without some thinking; on high volume, this is achievable but would require a good systems design to cope with the higher latency between mail receive and mail delivery.
clamav will look inside zip files, and automatically updates its signature database.
spamassassin uses both global rules and per-user rules to rate incoming email and reduce the impact of spam.
Been there at many installations of MailScanner (http://www.mailscanner.info).
we even run in-line scans of MIME headers during the SMTP process and reject specific attachments (.exe, .pif, etc) without even bothering the end-user.
That kind of filtering is much easier to configure, administer and goes low on resources. Extending this to verify filenames inside zip files would not be difficult to do, and is simple and not intensive enough to lots of people to turn such filters on.
Rubens
!DSPAM:4042cb6d168642834354387!