Solved

create an event sink that filters and delete emails after being scanned by SAV for exchange

Posted on 2004-04-15
3
686 Views
Last Modified: 2010-08-05
This question is pretty specific to a type of system
Exchange 2000
SAV for exchange
running on Windows 2000 server SP4
 
 
Our problem starts when we are receiving infected emails. SAV for exchange is meant to remove any infected attachment from an email but still delivers the mail to the recipient.
 
Example : someone outside the company has an infected computer with Netsky. The user doesn't know that his computer is infected but the virus sends itself to everybody in the address book. Usually the subject is random and the text as well.
In the address book, there is one or more addresses of our users from our organisation; so we will be receiving a bunch of infected emails. Fortunately SAV for exchange will scan those incoming emails and remove the attachment. Unfortunately the way SAV works, it will still deliver the mail with the random subject and text and will attach a new file that will be called "Deleted attachment.txt". In that text file there's a description of what happened, basically it will say that the mail contained a virus called Netsky and that the attachment has been removed.
If we have many people outside the company with an infected computer, our users will receive a LOT of those emails with an attachment called "Deleted attachment" ( one of ours is getting up to 800 a day now ).
 
 
Now there are many solutions:
1st - first one which is pretty effective is to create a rule on each stations that would delete those type of emails. Unfortunately if the user uses outlook express this won't get effective, and most of all it would take forever to get to everybody stations to create the rules.
2nd - We could use a "perimeter mail app" that would actually do that kind of work but usually these apps tie to an RBL list and filter emails based on those lists which is not totally reliable. Some other of those apps are also pretty expensive
 
3rd - So by doing some research I noticed that something called "event sink" could be used to filter an email right after it has been scanned by SAV.
 
The idea would be then to register a new event sink on the mail server ( from what I understand, this would be a VBscript ). The event sink would just delete any email with an attachment called "Deleted Attachment.txt".
 
Does anyone know how to write such a script ?
 
 
 
Thanks
0
Comment
Question by:ekriner
3 Comments
 
LVL 20

Accepted Solution

by:
What90 earned 500 total points
Comment Utility
I'm always awary of using Event sinks. If you are going to use one of these then test it on a test server first.



Have a look at this link:
http://www.vamsoft.com/orf/howto-attfltr.asp

And these as background:
http://www.outlookexchange.com/articles/glenscales/attarch.asp
http://www.outlookexchange.com/articles/glenscales/attarch2.asp

otherwise you might be able to adapt this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;308303
0
 
LVL 7

Expert Comment

by:rosesolutions1
Comment Utility
This is a poor solution if your mail server is running under any load. For running under load, you will need this code to be properly compiled inside a theadsafe, multiprocessor-compliant component.

Best choice is to upgrade SAV to the latest release, which - according to http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=66 - features "Mass-Mailer Cleanup automatically eliminates entire messages generated by mass-mailer worms, not just attachments "
0
 

Author Comment

by:ekriner
Comment Utility
Thanks for the participation everyone! I have used the accepted answer.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
how to add IIS SMTP to handle application/Scanner relays into office 365.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now