On 11/16/2015 4:48 PM, Dennis Davis wrote:
Possibly worth pointing out that there's common ground between
anti-virus and anti-spam software.  Especially if you're using the
ClamAV virus checker:

http://www.clamav.net/

The variety of extra ClamAV signatures at:

http://sanesecurity.com/

include anti-spam, anti-phishing, etc. signatures.

I found the above extra signatures were very useful and got rid of
a lot of stuff before even running messages through SpamAssassin.
This was quite efficient computationally, at the expense of the
extra memory used by ClamAV to store the "virus" signatures.

I've been out of the mail administrator role for quite some time
now.  So I can't say whether or not these extra ClamAV signatures
will help with Snowshoe spam rejection.
-- Dennis Davis <[email protected]>

I agree there is quite a bit of overlap between spam and malware checkers.

As I mentioned, my first line of defense is running every connection against spamhaus zen at rcpt acl time. Since employing the zen check, both malware and botnet spam were drastically reduced.

In the data acl, I also run clamav with the latest signatures before running SA. Interestingly, Clamav has not found anything in several months. (Admittedly, my server is very low volume, only a few hundred "ham" emails daily.)

I attribute the lack of malware to the zen XBL.

The last vestige of spam getting past rcpt time at my server is 100% of the 'snowshoe' variety. I am now pretty sure I have figured out how to stop that with a home-grown message scanner. (Which I plan to run after clamav and before SA)

I have also decided to stop using "deny" at the data ACL and instead either redirect to a webmaster alias or the bit bucket. I have reached the conclusion that denying spam or malware at data time doesn't accomplish anything useful. Using deny with a code at rcpt time has the feature of saving both internet bandwidth and server time, but after data, that damage is already done.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
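
The layout described in the message above (zen rejection at RCPT time, then ClamAV before SpamAssassin at DATA time, with discard or redirect in place of "deny"), sketched as an Exim configuration fragment. This is an added example, not the poster's configuration. The clamd socket path, the ACL names and the acl_m_quarantine variable are assumptions, and the poster's home-grown scanner is not shown.

```exim
# Constructed fragment for illustration; paths and names are assumptions.
domainlist local_domains = @
av_scanner    = clamd:/var/run/clamav/clamd.ctl
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Local (non-TCP) submissions skip the DNSBL lookup.
  accept  hosts    = :

  # Reject at RCPT time, before any message body is transferred.
  deny    dnslists = zen.spamhaus.org
          message  = $sender_host_address is listed at $dnslist_domain

  accept  domains  = +local_domains
  deny    message  = relay not permitted

acl_check_data:
  # Malware first: the sender sees success, the message is dropped
  # (the "bit bucket") and only a log line remains.
  discard malware     = *
          log_message = discarded malware $malware_name

  # SpamAssassin second: accept, but mark the message for the router below.
  warn    spam = nobody
          set acl_m_quarantine = spam

  accept

begin routers

# Place before the routers that perform normal local delivery.
quarantine:
  driver    = redirect
  condition = ${if def:acl_m_quarantine}
  data      = webmaster@$qualify_domain
```

Both the malware and spam conditions require an Exim binary built with content scanning support.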
