Date: Thu, 12 Jun 2003 15:58:59 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: David Kelly <dkelly@hiwaay.net>
Cc: chat@FreeBSD.org
Subject: Re: Antivirus for (mailservers on) FreeBSD
Message-ID: <3EE8DB83.4040609@potentialtech.com>
In-Reply-To: <20030612193524.GA31199@grumpy.dyndns.org>
References: <5.2.1.1.2.20030612202321.02e28008@194.184.65.4> <3EE8C7FB.7040701@potentialtech.com> <20030612193524.GA31199@grumpy.dyndns.org>
David Kelly wrote:
> How does "antivirus mail filtering" differ significantly from spam
> filtering? Seems to me these two should be one and the same as "spam"
> is a form of malicious code.

No, no, no. Not even close. While it may seem that way to an end-user, programmatically it's very different.

Bayesian matching is generally done for spam, as it seems to be the best approach. This involves checking for a LARGE number of conditions and assigning a percentage likelihood for each that it is indicative of spam. Once _every_ condition has been checked, the email is labeled spam or not based on the sum of the likelihoods of all matched rules. This is VERY CPU intensive.

Searching for malware is simply a matter of checking a set of rules until a positive match is found. The first positive match terminates the search with a positive. There are no percentages, and the nature of the search means that putting the most likely candidates at the beginning of the search will cause it to terminate more quickly in many cases, since there's no need to check the rest of the possibilities. Additionally, searching headers for instances of malware is unreliable and is therefore not done. Additionally, certain mail (such as proper mail that is _all_ plain text) need never be searched at all, since there is no way to embed malware in an email that is all plain text.

> All that seems to be lacking is easy updates to the spam/virus/worm rule
> database.

I'm not having any difficulty updating the Sophos database on a daily basis. I don't understand where this statement originated from.

p.s. I abhor the term "virus" as I haven't seen one in years. The horrible technical elegance of a true virus doesn't exist in the abilities of modern malware developers. Worms and trojans are the best they can do. And worms are often too difficult.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
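As an added illustration (not part of Bill Moran's message, and not the logic of any real scanner), the following Python contrasts the two search strategies he describes: a spam pass that evaluates every rule and sums the likelihoods of the hits, and a malware pass that stops at the first signature match and skips single-part plain-text mail entirely. All rules, signatures and messages are constructed toy data.

```python
import re
from typing import List, Tuple

# Spam rules (constructed): (regex, likelihood that a hit indicates spam).
SPAM_RULES: List[Tuple[str, float]] = [
    (r"(?i)free money", 0.9),
    (r"(?i)click here", 0.6),
    (r"(?i)unsubscribe", 0.3),
    (r"(?i)dear friend", 0.7),
]

# Malware signatures (constructed placeholders, not real detections),
# ordered with the most commonly seen pattern first.
MALWARE_SIGNATURES: List[str] = [
    r"Content-Type: application/x-msdownload",
    r'filename="[^"]+\.(exe|scr|pif)"',
    r"X-Constructed-Signature: worm-sample",
]

def spam_score(body: str, threshold: float = 1.0) -> Tuple[bool, float, int]:
    """Evaluate EVERY rule, sum likelihoods of hits: (is_spam, score, rules_run)."""
    score = 0.0
    for pattern, likelihood in SPAM_RULES:
        if re.search(pattern, body):
            score += likelihood
    return score >= threshold, score, len(SPAM_RULES)  # always runs them all

def is_plain_text(content_type: str) -> bool:
    """A single-part text/plain message cannot carry an attachment."""
    return content_type.strip().lower().startswith("text/plain")

def malware_scan(content_type: str, raw: str) -> Tuple[bool, int]:
    """Check signatures in order, stop at the first hit: (found, sigs_checked)."""
    if is_plain_text(content_type):
        return False, 0  # never searched at all
    checked = 0
    for signature in MALWARE_SIGNATURES:
        checked += 1
        if re.search(signature, raw):
            return True, checked  # first match terminates the search
    return False, checked

# Constructed sample messages: (Content-Type header value, raw body).
SPAMMY = ("text/plain", "Dear Friend, FREE MONEY awaits! Click here. Unsubscribe below.")
WITH_EXE = ("multipart/mixed",
            'Content-Type: application/x-msdownload\n'
            'Content-Disposition: attachment; filename="invoice.exe"\n')
WITH_IMAGE = ("multipart/mixed", "Content-Type: image/png\n<binary omitted>")
```

Running `spam_score` on SPAMMY evaluates all four rules, while `malware_scan` on WITH_EXE stops after the first signature and on SPAMMY does no work at all.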