better techniques to identify and remove zero-day viruses from cyrus store sought

Jorey Bump list at joreybump.com
Wed Aug 22 08:23:19 EDT 2007


John Crawford wrote:

> Sieve is during delivery to the cyrus store though.
> As we have the capability to identify hazards to our
> users, I'd like to be able to exercise central
> strategies to improve their quality of life. So I seek
> tools to leverage after detection to aid with
> removal or remediation.
> 
> Maybe it would be nice to have a just-in-time scan interface
> at the cyrus message level just as a message is being
> accessed. CPU processing is getting cheaper all the time.

Hmm, this is an interesting problem. At one extreme, you're changing the 
mailstore or connection while the user is logged in, which could 
result in some confusion (and possibly trigger some client software 
issues). At the other extreme, you may have an account that hasn't been 
checked for weeks, so it's fine to remove malicious messages that have 
accumulated due to lack of detection before delivery. You also have to 
be careful not to remove messages that have been forwarded to your 
support address, as they will contain strings that may trigger detection.

To handle all cases safely, you'd probably want to script using 
Cyrus::IMAP::Shell, so all changes are performed via IMAP. You can do 
this safely with Cyrus because it supports concurrent R/W access. 
Instead of deleting these messages, you'll want to put them in a 
quarantine account so you can restore them in the case of false positives.

I'm still not sure I'd be comfortable doing this beneath the nose of a 
logged-in user. I'd also hesitate to touch anything outside the INBOX 
(and any quarantine folders you provide), since it can be assumed that 
the message was moved due to user action. I'd probably test this for a 
long time only on accounts that aren't being checked regularly (this 
also has the benefit of reducing the size of abandoned accounts).

Have you found that the risks justify this effort? Are your ClamAV scans 
of the mailstore turning up anything? Are they serious threats?
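One way to script the quarantine step described above, as an added example that is not from the post or the Cyrus project: it uses Python's standard imaplib instead of the Cyrus::IMAP::Shell the post mentions, and the support address, quarantine mailbox name, EICAR stand-in scanner and sample messages are all assumptions.

```python
import email
import imaplib
from email import policy
from typing import Callable, List

SUPPORT_ADDRESS = "abuse@example.com"  # assumed: where users forward suspicious mail
QUARANTINE = "Quarantine"              # assumed: mailbox the admin login can write to

# Stand-in for a real scanner such as clamd: flags the harmless EICAR test string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample messages: one infected, one forwarded to the support alias.
SAMPLE_BAD = b"From: a@example.org\r\nTo: bob@example.com\r\nSubject: x\r\n\r\n" + EICAR
SAMPLE_FORWARDED = b"From: bob@example.com\r\nTo: abuse@example.com\r\nSubject: fwd\r\n\r\n" + EICAR


def eicar_scanner(raw_message: bytes) -> bool:
    return EICAR in raw_message


def should_quarantine(raw_message: bytes, scanner: Callable[[bytes], bool]) -> bool:
    """Skip mail addressed to the support alias (forwarded samples are expected
    to trigger detection); otherwise trust the scanner's verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    recipients = " ".join(str(msg.get(h, "")) for h in ("To", "Cc", "Delivered-To"))
    if SUPPORT_ADDRESS in recipients.lower():
        return False
    return scanner(raw_message)


def quarantine_inbox(imap: imaplib.IMAP4, scanner: Callable[[bytes], bool]) -> List[bytes]:
    """Copy flagged INBOX messages to QUARANTINE, then remove them from INBOX.
    Only INBOX is touched; other folders reflect user action. Returns the UIDs moved."""
    imap.select("INBOX")
    _, data = imap.uid("SEARCH", None, "ALL")
    quarantined: List[bytes] = []
    for uid in data[0].split():
        # BODY.PEEK leaves \Seen untouched, so a logged-in user sees no flag changes.
        _, fetched = imap.uid("FETCH", uid, "(BODY.PEEK[])")
        raw = fetched[0][1]
        if should_quarantine(raw, scanner):
            imap.uid("COPY", uid, QUARANTINE)  # keep a copy to restore false positives
            imap.uid("STORE", uid, "+FLAGS", r"(\Deleted)")
            quarantined.append(uid)
    if quarantined:
        # UID EXPUNGE (UIDPLUS, which Cyrus supports) removes only our UIDs, not
        # messages the user has flagged \Deleted in their own client.
        imap.uid("EXPUNGE", b",".join(quarantined))
    return quarantined
```

Log in as a Cyrus admin (imaplib.IMAP4_SSL plus login) and pass the connection and a real scanner callable to quarantine_inbox; a clamd client can replace eicar_scanner without changing the policy logic.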
