Thomas Harold wrote:
> On 12/3/2009 10:32 PM, Dennis Peterson wrote:
>> I quoted viruses above because much of what is found is actually
>> blacklisted URLs, scams, spam, etc. Very few true viruses show up
>> anymore.
>
> That seems to be true if you're doing DNSBLs that block the dynamic
> address ranges. I see a steady trickle of true viruses (well, trojans)
> constantly hitting ClamAV. But when you look closely at the host names,
> I'd bet that nearly all of them would be blocked by some sort of dynamic
> DNSBL.

True - and it's cheaper than scanning for viruses, in terms of system usage.
I've focused on defeating the bastids before scanning with scanning as a last
resort. Any sources of viruses get added to my DNSBL or URLBL bind tables.

> (We're not currently using a DNSBL at SMTP time.)
>
> It would probably be a lot worse for us, except that we don't accept
> hostnames that aren't valid, aren't FQDNs, and don't resolve back to a
> DNS A or MX record. Out of all of our SMTP time rejects, the FQDN check
> is responsible for over half. There are a lot of bots out there that just
> use a 6-10 random letter host identifier that can't get past the FQDN test.

Ditto here, too. I'm just handling mail for my home and a small hosting and mail
list business I run now but you'd think I was defending fortress Earth with all
the blocking tools that are in place.

dp
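
Added example, not part of either poster's message or configuration: a sketch of the SMTP-time hostname test described in the thread (valid hostname, FQDN, resolves to an A or MX record). The function names, the sample HELO strings and the stand-in resolver are assumptions constructed for illustration; a real deployment would wire `resolves` to an actual A/MX lookup.

```python
import re
from collections import Counter

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def check_helo(name, resolves):
    """Return None to accept, or a short rejection reason.

    `resolves` is a callable(hostname) -> bool standing in for the
    A/MX lookup (assumption: supplied by the caller).
    """
    host = name.rstrip(".")
    if not host or len(host) > 253:
        return "invalid hostname"
    labels = host.split(".")
    # Underscores, brackets (address literals), empty labels all fail here.
    if not all(LABEL.fullmatch(label) for label in labels):
        return "invalid hostname"
    # A single label, or a bare IPv4 address, is not a fully qualified name.
    if len(labels) < 2 or labels[-1].isdigit():
        return "not an FQDN"
    # Only syntactically sound FQDNs cost a DNS query.
    if not resolves(host.lower()):
        return "no A or MX record"
    return None

def tally(helos, resolves):
    """Count outcomes so the share of each reject reason is visible."""
    return Counter(check_helo(h, resolves) or "accepted" for h in helos)

# Constructed data: a one-entry "zone" and sample HELO arguments.
CONSTRUCTED_ZONE = {"mail.example.org"}
CONSTRUCTED_HELOS = ["mail.example.org", "xkqjwzpd", "qpwmzrtyu",
                     "bad_host.example.org", "ghost.example.net", "192.0.2.7"]

def fake_resolves(host):
    return host in CONSTRUCTED_ZONE

if __name__ == "__main__":
    for reason, count in tally(CONSTRUCTED_HELOS, fake_resolves).items():
        print(f"{count:2d}  {reason}")
```

The syntax and FQDN tests run before any lookup, so the random single-label identifiers mentioned above are rejected without a DNS query.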