Ian R. Justman wrote:

Hi, all.

I was curious what best practices are nowadays for those who use post-queue filtering if they elect not to keep spam/virused/bad-attachment-laden messages, something which I found myself having to do owing to my previous message (there's no way to selectively disable pre-queueing on a per-connection basis based on connecting IP or whether the remote party has authenticated itself).

After having moved from pre-queue filtering to condition-based post-queue filtering, that leaves me with a problem based on my present Amavisd policy of rejecting any questionable messages (spam/virus/banned attachments) to kill messages dead in their tracks during the SMTP session. As such, I will have to change to something like D_DISCARD so I can keep my mail queue clean.

Any thoughts?


My theory:

The only reasonable choices for a post-queue spam/virus filter are discard (and optionally quarantine), or tag+pass and let the mail client classify based on the tags. Rejecting spam/viruses post-queue will send a bounce to the likely-forged sender address, annoying some innocent party. Do this enough and you'll get blacklisted. Ditto for sending "your mail was blocked due to spam/virus" notices to the sender. Those should never be sent anymore.

For banned files, the choice isn't so clear. IME most banned files are sent by real users, so a bounce (or a sender notification) is returned to the actual sender; this is good. However, if you ban executables you will occasionally block an unknown virus. Those bounces will probably go to an innocent party, creating some backscatter.

Viruses should probably not be tagged+passed; too much risk of clients disregarding the virus tag. So the options with viruses are to either discard, or to separate virus scanning from spam scanning by using clamav-milter or similar to reject viruses pre-queue.

Practice:

Actual implementation will depend on your size and business model. Here (private network with ~1000 users), we tag+pass spam up to some SA score, higher scoring spam is discarded. Viruses are always discarded. Discarded mail is saved in an admin-access-only quarantine for a few days, then removed by a cron job. We rarely need to release something from quarantine - maybe once every 3 or 4 months - but management likes to know it's there.

--
Noel Jones
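The policy Noel describes (tag+pass below a score threshold, discard above it, always discard viruses, never notify the sender, keep an admin-only quarantine purged by cron) maps onto a handful of amavisd-new settings. The fragment below is an added illustration written for this thread, not Noel's actual configuration or anything from the amavisd project; the score thresholds, the quarantine directory and the seven-day retention are assumptions chosen for the example.

```perl
# amavisd.conf fragment (Perl syntax), illustrating a post-queue
# discard/tag+pass policy.  Example only; thresholds are assumed values.

# --- Spam: tag+pass up to the kill level, discard above it -------------
$sa_tag_level_deflt  = 2.0;   # add X-Spam-Status/X-Spam-Score headers
$sa_tag2_level_deflt = 6.2;   # add X-Spam-Flag: YES and the subject tag
$sa_kill_level_deflt = 12.0;  # assumed: above this, $final_spam_destiny applies
$sa_spam_subject_tag = '***SPAM*** ';   # lets clients classify on the tag
$final_spam_destiny  = D_DISCARD;       # never D_BOUNCE/D_REJECT post-queue

# Above this score, do not bother quarantining at all (assumed value).
$sa_quarantine_cutoff_level = 20;

# --- Viruses: always discard, never tag+pass -----------------------------
$final_virus_destiny = D_DISCARD;

# --- Banned files: bouncing reaches the real sender most of the time,
# but an unknown virus with a forged sender turns the bounce into
# backscatter.  D_DISCARD is the conservative choice if that worries you.
$final_banned_destiny = D_BOUNCE;

# --- Bad headers are not worth rejecting -------------------------------
$final_bad_header_destiny = D_PASS;

# --- Never send "your mail was blocked" notices to the (likely forged)
# sender address.
$warnvirussender  = 0;
$warnspamsender   = 0;
$warnbannedsender = 0;
$warnbadhsender   = 0;

# --- Admin-only quarantine on local disk (assumed path) ---------------
$QUARANTINEDIR        = '/var/virusmails';
$virus_quarantine_to  = 'virus-quarantine';
$spam_quarantine_to   = 'spam-quarantine';
$banned_quarantine_to = 'banned-quarantine';

# Retention is handled outside amavisd.  An assumed daily cron entry that
# removes quarantined files older than 7 days:
#   15 3 * * * root find /var/virusmails -type f -mtime +7 -delete

1;  # amavisd.conf must end with a true value
```

Tag+pass and discard are separated purely by the gap between $sa_tag2_level_deflt and $sa_kill_level_deflt: messages scoring between the two get the subject tag and X-Spam-Flag header and are delivered, messages above the kill level are dropped (and quarantined if below the quarantine cutoff). The $warn*sender switches are the part most often left at their defaults; with post-queue filtering they are what generates the sender notices the reply above says should never be sent.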
