[RLUG] Logwatch report

Sebastian Smith ssmith at cse.unr.edu
Wed Jun 7 12:20:14 PDT 2006 

Well... it _might_ be a lot of activity.  Do you log your anti-spam and 
anti-virus detections?  If you do, I would look at changing trends in 
those logs because in benchmarking against "legit" mail you are neglecting 
all mail rejected by your filter -- which could be a considerable amount.

In my experience, if you are experiencing an email bombing campaign the 
first sign will be a _large_ amount of unfiltered mail.  It is very 
difficult for Bayesian filters to keep up with dramatic changes in mail 
message formats.  If the mail is targeted at you specifically bayesian 
filters won't fair well, and neither will black lists and other 
techniques.

468 infected messages may be of no consequence, but you may want to keep 
an eye on it.  You'll probably know if you are under attack by what's in 
your inbox.  If you see no change, then your filter is doing its job... 
just watch the bandwidth consumption ;)

- Sebastian


On Wed, 7 Jun 2006, Rick Shepherd wrote:

> At the risk of sounding retarded it would appear from this that my server
> was hit 468 times with infected spam yesterday in addition to a handful of
> just infected email.  That sounds like a lot of virus activity on a domain
> that typically processes a few hundred emails (legit) daily.
>
> R
>
> -----Original Message-----
> From: rlug-bounces at rlug.org [mailto:rlug-bounces at rlug.org] On Behalf Of
> Sebastian Smith
> Sent: Wednesday, June 07, 2006 11:10 AM
> To: Rick Shepherd
> Cc: rlug at rlug.org
> Subject: Re: [RLUG] Logwatch report
>
> Rick,
>
> That's how I read that message.  Depending upon your filter the message
> may still be in a "quarantine" of some sort.
>
> - Sebastian
>
>
> On Wed, 7 Jun 2006, Rick Shepherd wrote:
>
>> I have been curious about a Logwatch report I get which includes at the
> top,
>> "468 messages destined for quarantine intentially (sic) not quarantined
>> (spam level exceeds quarantine cutoff level)."  I assume this means that
>> there were 468 messages that were going to ClamAV quarantine (presumably
>> because they were infected) got dumped because they were also spam.  Am I
>> reading that correctly?
>>
>>
>>
>> Rick Shepherd
>>
>>
>>
>>
>
> _______________________________________________
> RLUG mailing list
> RLUG at rlug.org
> http://lists.rlug.org/mailman/listinfo/rlug
>

More information about the RLUG mailing list