MIMEsweeper operation can roughly be divided into four phases:
The process involves the recursive disassembly of a mail message or Web data into its component parts. In the case of email, this disassembly includes all message attachments, for example, nested or compressed files.
All components are then checked against a number of configured validator instances, to generate a number of <Response> values. The <Response> values are compared, and one will determine the disposal route for the message or Web data.
MAILsweeper also has the ability to perform user authorisation checks, using the source and destination addresses of the message.
The 'built-in' MAILsweeper validator, called AMUcheck, can be configured to perform these tasks.
AMUcheck makes use of a set of configured access rules. These rules specify different address combinations that may match with the source and destination addresses of the message.[1]
MIMEsweeper uses container handlers to perform recursive disassembly. Container handlers are able to recognise most common data types that may appear in the message or Web data and perform the necessary disassembly of each.
Recursive disassembly ensures that all the data is validated, even if the information is compressed, encoded, nested, or incorporates a variety of these techniques.
MIMEsweeper uses configured instances of these plug-in validators to perform the validation task.
Currently, the plug-in validators MIMEsweeper uses are:
VALEXE - provides a link to third party applications, such as anti-virus tools. MIMEsweeper supports a range of anti-virus tools.
VALATTR - attribute validator. Used for attribute analysis, usually to determine the data type of a component.
VALLEX - lexical analysis validator. Used to search the data content for keywords or phrases.
VALHTML - HTML validator. Used to search for potential threats in Web pages and mail messages in HTML format, or with HTML format attachments.
AUTWNT - Authenticode validator. Used to authenticate the signature of digitally signed information.
Each validator instance checks the data held in each component generated during recursive disassembly and generates a validator <Response> to indicate the results of the validation.
MIMEsweeper collects the validator <Response> values generated by the validator instances[2] and uses them to determine the disposal route for the message or Web data.
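The disassembly and validation steps described above, as an added Python example (not MIMEsweeper code or configuration): a keyword search over the raw message misses text inside a ZIP within a ZIP within a base64 attachment, while recursive disassembly reaches it. The response names, the severity ordering used to pick the deciding response, the keyword, the nesting limit and the function names are assumptions; the sample message is constructed.

```python
import email.message
import io
import zipfile

KEYWORDS = (b"project-falcon",)  # constructed keyword for the lexical check
MAX_DEPTH = 8                    # assumed nesting limit for containers
SEVERITY = {"clean": 0, "unchecked": 1, "keyword": 2}  # hypothetical responses, assumed order

def disassemble(name, data, depth=0):
    """Yield (path, bytes) for each leaf component, opening ZIP containers recursively."""
    if depth > MAX_DEPTH:
        yield name + " [too deep]", None  # unopened data is reported, never passed silently
        return
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                yield from disassemble(f"{name}/{member}", z.read(member), depth + 1)
    else:
        yield name, data

def disassemble_message(raw):  # MIME container handler: undo transfer encoding, recurse
    for i, part in enumerate(email.message_from_bytes(raw).walk()):
        if not part.is_multipart():
            payload = part.get_payload(decode=True) or b""
            yield from disassemble(part.get_filename() or f"part{i}", payload)

def lexical_validator(data):
    if data is None:
        return "unchecked"
    return "keyword" if any(k in data.lower() for k in KEYWORDS) else "clean"

def deciding_response(raw):
    """Validate every component and return the most severe (response, path)."""
    results = [(lexical_validator(d), p) for p, d in disassemble_message(raw)]
    return max(results, key=lambda r: SEVERITY[r[0]])

def zip_of(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()

def build_sample():  # constructed: keyword in a text file, in a ZIP, in a ZIP, base64-attached
    msg = email.message.EmailMessage()
    msg.set_content("See attachment.")
    inner = zip_of("notes.txt", b"Budget for Project-Falcon attached.")
    msg.add_attachment(zip_of("inner.zip", inner), maintype="application",
                       subtype="zip", filename="outer.zip")
    return msg.as_bytes()
```

The nesting limit bounds recursion only; a production container handler would also cap the decompressed size of each member before reading it.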
Evaluation copies of several anti-virus tools are included with MIMEsweeper. See the release notes for details.
Each disposal route comprises a list of disposal actions.
Disposal actions for MAILsweeper include:
Deliver - delivers the message onwards, to its intended recipient(s).
Quarantine - blocks the message from onward delivery. The message is placed in one of the quarantine areas[3] for further investigation by the system administrator.
Inform - inform messages may be sent during disposal, to alert certain users about actions taken. For example, to inform a sender that their message has been quarantined due to virus detection. Users include senders, recipients and named persons (usually system administrators).
Edit - text is automatically inserted into the message body as the message is returned into the mail system for onward delivery. The text can be inserted at the beginning or the end of the message body.
Save - save a copy of the message for manual intervention. How the message is saved depends on the host mail system.
Event - puts an event entry into the Windows NT application event log.
Trap - generates an SNMP trap message to the SNMP Manager.
Disposal actions for WEBsweeper include:
Deliver - the data is sent to the Web browser.
InformText - a HTML page is sent to the Web browser with a message indicating that the data has been blocked. This option is used for short, one line messages.
InformFile - a HTML page is sent to the Web browser with a message indicating that the data has been blocked. This option is used for longer messages that can be written in HTML. This makes it easy to generate documents that contain links to other resources, such as a help desk, on-line manuals etc.
If Web data is blocked it is always discarded. WEBsweeper does not use quarantine areas to store the blocked data.
[1] Using MAILsweeper generic address format, user@location.
[2] For MAILsweeper, a <Response> may also be generated by the built-in validator AMUcheck.
[3] Presently, up to ten quarantine areas can be configured.
msw.support@mimesweeper.com
Copyright © 1998, Content Technologies Limited. All rights reserved.