On Tue, 2 Oct 2001, Christian Bauer wrote:

> On 02 Oct (13:38), Slepp Lukwai wrote:
>
>> How often and which method do you use to clean your quarantines? Or do you
>> not quarantine found viruses? I was hit by 250 Sircams in a night
>> recently, at 5 megs apiece. It was definitely thrashing the mail spool at
>> that point.
>
> Virus mails get spooled in quarantine. I have a special user account on
> my mail server, used to sort through the contaminated mails by hand,
> because sometimes there's useful information in the mails, like a virus
> from the wife of my boss or anything like that. :)
Nice. :> I've not set up an account and tend to manually sit there with less to peek at the ones that appeared to be somewhat interesting, but that's about the extent of that. I used to have admin notification of a virus found turned on, but I decided in the end that I was getting altogether too much mail that way. I host mail for a number of fairly large websites, and as such, a billion people seem to have the webmaster e-mail addresses bookmarked.

>> Back in regards to the LDAP setup, has anyone used an LDAP entry to refer
>> to the quarantine Maildir of the AV software? This seems like a simple
>> proposition (simpler than user account based).
>
> As you need only one quarantine folder, I think it's gold-plating to put
> the location in LDAP and not necessary.

I suppose setting an entry in the LDAP tables may result in people either getting a match when they search the database, or perhaps just that extra overhead that isn't needed. Even with the flags set to not accept new mail for the user, I'm sure that if anyone decides to abuse the LDAP lists to grab a list of spam e-mail addresses (a client who thought they'd turn a quick $50 to someone), a few mails would come in for the qmail-scanner itself. It may be humorous to watch, nonetheless.

> One interesting thing, I hope some people here still remember mailbombs
> from good old mailbox times in the late 80s and early 90s:
>
> Generate a 100 MB textfile with only 'A' (or anything like that) as
> content. Use a ZIP algorithm to compress it. Generate another textfile
> and compress this together with the first ZIP (not _in_) into a new
> file.
>
> Repeat 42 times. The file you get is a mailbomb; try feeding it to your
> mail virus scanner. If it's configured to do full scanning (unpack
> archives), you had better not use your production server.

Doesn't Sophos use a recursion depth count? I thought it did. It should prevent such a beautiful mailbomb from killing a mail spool.
The problem with Sircam was the fact that it used random documents. It happened to find a 5 meg document or something and was sending that from one person. They moved 1.2 gigs of mail overnight. Qmail-scanner gladly sent back a response to every one, as well as notified me and the recipient. It was that night I decided to turn off notification of the recipient. Then I turned off notification of the admins after I received quite a few more.

--
| Stephen "Slepp" Olesen / VE6SLP
| Edmonton, Alberta, Canada / (780) 425-4798
| President of Geeks Anonymous
+ http://www.geeksanon.ca/
+---------------------------------
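The recursion depth count mentioned above, as an added defensive example that is not part of this thread and is not qmail-scanner's or Sophos's own code: a Python routine that walks nested zip archives while enforcing a nesting-depth limit, a per-member compression-ratio limit and an overall uncompressed-size budget, refusing the archive before inflating anything past those limits. The limits and the small fixture archives are constructed for the demonstration.

```python
import io
import zipfile

# Constructed limits for the demonstration; a real gateway would tune these.
MAX_DEPTH = 5               # nested archives we are willing to open
MAX_RATIO = 100             # uncompressed / compressed bytes per member
MAX_TOTAL = 50 * 1024 ** 2  # total uncompressed bytes we agree to inspect


def inspect_zip(data: bytes, depth: int = 1, budget=None) -> str:
    """Recursively walk a zip archive and return a verdict string:
    "clean", "depth-exceeded", "ratio-exceeded" or "size-exceeded".
    Only central-directory metadata (file_size / compress_size) is consulted
    before any member is inflated, so a bomb is rejected before it expands.
    """
    if depth > MAX_DEPTH:
        return "depth-exceeded"
    budget = budget if budget is not None else [MAX_TOTAL]  # shared budget
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > max(1, info.compress_size) * MAX_RATIO:
                return "ratio-exceeded"          # e.g. 100 MB of 'A'
            budget[0] -= info.file_size
            if budget[0] < 0:
                return "size-exceeded"           # cumulative size blown
            if info.filename.lower().endswith(".zip"):
                verdict = inspect_zip(zf.read(info), depth + 1, budget)
                if verdict != "clean":
                    return verdict
    return "clean"


def make_zip(members: dict) -> bytes:
    """Build an in-memory deflated zip from {name: bytes}; constructed fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nest_zip(levels: int, payload: bytes = b"hello") -> bytes:
    """Wrap a tiny payload in `levels` archives, each inside the next."""
    data = make_zip({"payload.txt": payload})
    for i in range(levels - 1):
        data = make_zip({f"level{i}.zip": data})
    return data
```

Nesting a harmless five-byte payload six levels deep is already enough to trip the depth limit, and a single highly repetitive member trips the ratio check without any nesting at all.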
