On Sep 11, 2005, at 9:12 AM, Paul Murphy wrote:

John,

A little while later, it came back. It seemed less frequent, but this is under a night load instead of a day load, so it's hard to tell. It looks like we're going to have to wait for the hardware upgrade.

Some standard questions:

1.  Do you limit the size of messages submitted to SpamAssassin?

I had completely ripped SpamAssassin out of our MIMEDefang. For now, we were going to be doing ClamAV, Sophos and filename checks in MIMEDefang, and Dangerous Content checks and SpamAssassin in MailScanner. (In the past, we did Sophos, filename checks, dangerous content checks, and SpamAssassin in MailScanner, and we're back to that configuration now.)

(And our limit in MailScanner is 256k; at home, where I _do_ use SA in MIMEDefang, I also use 256k as my limit, so if we ever get to moving SA into MIMEDefang at work, that's probably the limit I'll use there as well.)


2. Do you do spam checks on outgoing mail? Again, many sites work on the assumption that their outgoing mail is highly unlikely to be spam, so they don't scan it. If one of their users is showing abnormal numbers of messages, they'll notice and investigate.

We can't make that assumption. We are central IT, and we have to relay for all of campus, but we have little control over the email servers and clients that are spread around campus. So we not only try to protect campus from the world, we also have a slight bit of needing to protect the world from some open relay that pops up on campus. And, with viruses turning workstations into spam zombies, it's not really a valid assumption that messages which come from within aren't going to be spam (in any organization).

3. Do you run multiple virus scanners in serial/parallel over all messages? If so, you might want to consider how effective this is, since generally running two reliable scanners is the ideal trade-off between performance and effectiveness. Personally, I trust ClamAV implicitly, and if I have to use a second high-profile scanner, I'd pick one of the main commercial scanners.

I had rewritten that part of MIMEDefang to only run Sophos if ClamAV didn't find anything. I suppose that means most of the messages were getting scanned twice, though. I suppose I could have it only run Sophos if ClamAV has a failure.

The other side of the coin, though, is that our existing setup was to replace each infected attachment with a warning message. That means I had to move the virus scans from "filter_begin" to "filter" and "filter_multipart", because (as I understand it) I can't run action_drop_with_warning during filter_begin (I understand why; I'm just saying that's the routine I need in order to maintain a seamless transition for our users). I expect that added some overhead (as each attachment has to be scanned individually), but it was a necessary move. I also can't call "replace_entire_message" until filter_end (whereas I could have replaced the entire message in filter_begin, if that had been allowed).

Before you say anything about just dropping or bouncing viruses, there are two things:

1) For viruses that don't come from our IMAP server (which is also our webmail server, and the SMTP server for some of our clients), our action was to bounce. Why don't we bounce for our IMAP server? There's some concern about an odd user experience if a macro virus is sent from within that mail service to both people inside and outside of the IMAP server: those inside will see the message (unscanned), and those outside won't get the message at all, and the sender will only know what happened if they read the bounce message (not entirely likely). And if it's a forged-sender virus message instead of a macro virus, then bounces will get stuck in the IMAP server's queue (because it sends all outgoing messages through the virus scanning hosts), which is something we're trying to avoid.

2) And if I had gotten to the next stage, I was planning to add code that only did drop-with-warning for non-forged-sender viruses, like document macro viruses, where the notice CAN be useful to the sender, but MIMEDefang won't let me action_notify_sender for _any_ virus, thus the useful notification for non-forged viruses has to go to the recipient (which is actually what we do now for MailScanner as well).

But, yes, we silently discard forged viruses now, and we replace with warnings when it's a non-forged virus or a bad attachment filename, and that's what I was trying to duplicate. But I can't do that in filter_begin.

_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

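As an added example (not code from the post, from MIMEDefang's stock mimedefang-filter, or from the list participants), here is a Perl filter fragment that puts the policy discussed above into MIMEDefang's stage model: per-attachment scanning in filter() and filter_multipart() so that action_drop_with_warning() is available, Sophos invoked only when ClamAV itself fails rather than when it merely finds nothing, silent discard for forged-sender mass mailers, a recipient warning for macro-style viruses and disallowed filenames, and a 256k cap on what is handed to SpamAssassin in filter_end(). The built-ins used (entity_contains_virus_clamav, entity_contains_virus_sophos, action_drop_with_warning, action_discard, action_tempfail, re_match, spam_assassin_check, action_change_header, md_syslog, $VirusName) are MIMEDefang's documented API; the virus-name patterns that decide "non-forged", the extension list, and the 256k limit are assumptions for illustration.

```perl
# Added example of a mimedefang-filter fragment; not the post's or MIMEDefang's
# own filter.  Assumptions: the virus-name patterns below, the extension list,
# and the 256k SpamAssassin cap.  Everything else is MIMEDefang's public API.
use strict;
use warnings;

# Assumed: name patterns for viruses whose sender is normally genuine (document
# macro viruses), so a warning to the recipient carries useful information.
# Anything else is treated as a forged-sender mass mailer and discarded quietly.
my @NonForgedVirusPatterns = (
    qr/^(?:W97M|X97M|O97M|WM|XM)[.\/]/i,   # Word/Excel/Office macro families
    qr/macro/i,
);

# Assumed extension list for the "bad attachment filename" policy.
my $BadExtRe = '\.(?:bat|chm|cmd|com|cpl|exe|hta|js|lnk|pif|scr|shs|vbe|vbs|wsf)\.*$';

sub is_non_forged_virus {
    my ($name) = @_;
    foreach my $re (@NonForgedVirusPatterns) {
        return 1 if $name =~ $re;
    }
    return 0;
}

# Scan one MIME part.  Returns ($code, $scanner): $code is 0 for clean,
# 1 for infected, anything else when both engines failed to give a verdict.
sub scan_part {
    my ($entity) = @_;
    my ($code, $category, $action) = entity_contains_virus_clamav($entity);
    return ($code, 'clamav') if $code == 0 || $code == 1;

    # ClamAV produced no verdict (daemon down, timeout, ...): fall back to Sophos.
    md_syslog('warning', "ClamAV failed ($category/$action); falling back to Sophos");
    ($code, $category, $action) = entity_contains_virus_sophos($entity);
    return ($code, 'sophos');
}

sub handle_part {
    my ($entity, $fname) = @_;
    my ($code, $scanner) = scan_part($entity);

    if ($code == 1) {
        my $name = $VirusName || 'unknown';
        if (is_non_forged_virus($name)) {
            # Sender is probably real: replace the part and tell the recipient.
            action_drop_with_warning("Attachment '$fname' removed: it contained $name (found by $scanner)");
        } else {
            # Forged From: header; nobody useful to notify, so drop the whole message.
            md_syslog('info', "Discarding message carrying forged-sender virus $name");
            action_discard();
        }
        return;
    }
    if ($code != 0) {
        # Both scanners unavailable: fail closed rather than deliver unscanned mail.
        action_tempfail("Virus scanner unavailable, please retry later");
        return;
    }
    # Clean, but still apply the dangerous-filename policy.
    if (re_match($entity, $BadExtRe)) {
        action_drop_with_warning("Attachment '$fname' removed: disallowed file type");
    }
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    handle_part($entity, $fname);
}

sub filter_multipart {
    my ($entity, $fname, $ext, $type) = @_;
    handle_part($entity, $fname);
}

sub filter_end {
    my ($entity) = @_;
    # Assumed 256k cap: SpamAssassin cost grows with message size, and very
    # large messages are rarely spam.  INPUTMSG is the raw message on disk.
    if (-s "./INPUTMSG" < 256 * 1024) {
        my ($hits, $req, $names, $report) = spam_assassin_check();
        action_change_header("X-Spam-Score", "$hits ($req) $names");
    }
}

# A filter file must evaluate to true when MIMEDefang loads it.
1;
```

The fallback order matters for load: with ClamAV first and Sophos only on a scanner failure, a clean message is scanned once per attachment rather than twice, which is the change the post considers. The tempfail branch is the practitioner's caveat: if both engines are down, deferring the message is safer than letting it through unscanned.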