better techniques to identify and remove zero-day viruses from cyrus store sought

John Crawford jmc-cyrus at
Wed Aug 22 04:51:51 EDT 2007

Jorey Bump wrote, On 8/21/2007 2:28 PM:
> John Crawford wrote:
>> What's the best way, and second best way to react to zero-day virus
>> threats - messages that are delivered to the mail store before the
>> detection is in place? 
> Any detection that can take place in the mail store can (and should) be 
> moved up the chain, preferably to the MTA.

Thanks to Jorey and Joseph for the replies.

The MTA - that is where the scan occurs for inbound mail.
Once it's arrived, it can be re-evaluated with the
benefit of newly incorporated methods of detection.
Some of our techniques are effective against attachments
and identifying known mail content hazards. And of course
this is a layer before the Mail User Agent handling,
which may also have detection capabilities (depending
on the user and their client).

We do have blocking for hazardous attachments, etc.
ClamAV has been a nice tool for locating phishing
messages and "please visit my website to see
if I can hack in" ecards. The MUA side detection
most clients have is less effective against these though.

>> Is there a best practice that functions nicely
>> within the cyrus community? 
> Yes, once a message is delivered, leave it alone. The most you should do 
> at that point is maybe provide an opt-in sieve rule that stores 
> suspicious messages in a special folder. But even this has caveats, and 
> I prefer to let the users sort their own mail.

Sieve is during delivery to the cyrus store though.
As we have the capability to identify hazards to our
users, I'd like to be able to exercise central
strategies to improve their quality of life. So I seek
tools to leverage after detection to aid with
removal or remediation.

Maybe it would be nice to have a just-in-time scan interface
at the cyrus message level just as a message is being
accessed. CPU processing is getting cheaper all the time.

