EMAIL FILTER VALIDATION SUITE

Most email viruses employ similar propagation techniques and are, consequently, very similar in external appearance to one another. That being the case, it is possible to design an email virus filter that removes viruses based on outward appearance. This is highly desirable, since it will ensure that, even when a new virus comes along, your filter will be able to screen for it.

On the other hand, the penalty for failing to detect a virus in an email message is high. How do you know if you've covered all the bases by detecting all of the important propagation techniques? This page will allow you to download a email filter validation suite that consists of generic email messages which can be passed through your filter to test all of the popular methods of virus propagation. If your filter detects each message and handles it correctly, it is probably ready for prime time.

Although not nearly as malicious as virus writers, spammers are sometimes equally sneaky. Since many installations have systems in place to detect and eliminate spam (such as BSM Development's MailCorral), this puts a crimp in the spammer's style. In order for spam to work, it must be delivered to its target. Figuring out new ways to slip spam by email filters is one of the things that spammers do periodically. This validation suite also presents tests for some of the latest spam techniques.

Messages Verified:

Here is a list of the messages included in the test suite and the filter criteria they are intended to test. The name of each test is given as well.

The messages beginning with "baddoc_" generally test the limits of mail filters and/or their ability to handle misbehaved or badly-formed messages.

Mail archivers are often implemented as a mail handling robot to which regular email messages are simply sent by an MTA. The MTA simply duplicates every mail message it sees and forwards the copy, through regular channels to the archiver. Should the archiver crash for any reason, the messages sent to it may be bounced by the MTA. This often leads to the bounces being sent back to the original sender, thereby causing much confusion, since they never sent any message to the archiver.

To support mail archiving, your filter may wish to detect bounce messages and trash those resulting from delivery failures to your mail archive robot's address. The messages beginning with "bounce_" are meant to test this ability in particular, as well as a filter's ability to handle bounce messages in general.

The messages beginning with "spam_" are designed to test the spam classifier in your mail filter.

The messages beginning with "virus_" are meant to test the virus detection component of your mail filter.

How It Works:

We provide you with the suite of test messages and a shell script that can be used to submit some or all of the messages to your mail delivery program (e.g. the "mail" command).

Once you have your filter working, send the messages from the validation suite through your mail system and observe the results. Each message includes text that describes the test it is meant to perform and the results that should be expected. Anything that doesn't conform to the expectd results should be investigated.

You can also use the validation suite as a regression test after filter code changes have been made.

Specially crafted email: the validation suite uses hand-made email messages that contain generic varieties of the virus and spam delivery techniques most commonly used. The messages are designed to exercise all paths through a typical email filter program.

Safe to use: denatured viruses that cannot hurt your system, even if they get through, are used in the validation suite. They are much safer than using real, live viruses (but, if you'd like to live dangerously, go ahead -- you certainly can use live viruses to test your filter, just don't complain when you find out that we told you so).