Re: Managing SA/sa-learn with clamav

2009-07-13 Thread Matus UHLAR - fantomas
 On Fri, Jul 10, 2009 at 05:01:14PM +0200, Jonas Eckerman wrote:
  Steven W. Orr wrote:
 
  http://wiki.apache.org/spamassassin/ClamAVPlugin
 
  It looks like what I thought I wanted already exists. Based on what I wrote
  above, and that I like the result of running sa + clamav via the two 
  milters,
  does anyone have any caveats for me?
 
  1: When running ClamAV inside SA you have to run SA even if ClamAV finds  
  a virus. This requires more resources than just ClamAV. And ClamAV is  
  way faster and requires far less than SA does.

On 10.07.09 19:09, Henrik K wrote:
 When you block botnets directly from MTA (zen, helo checks, greylist etc),
 possible ClamAV/SA load is already reduced by a huge factor. Personally I
 only see handful of official ClamAV signatures hitting per 100k hams, so
 the scanning order wouldn't really matter.

It does, if you receive a lot of mail. If you don't, you can surely call
clamav and spamassassin (not spamc) from your .procmailrc as well, but I
still won't recommend that.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese. 


Re: Managing SA/sa-learn with clamav

2009-07-13 Thread Henrik K
On Mon, Jul 13, 2009 at 12:01:35PM +0200, Matus UHLAR - fantomas wrote:
 
 On 10.07.09 19:09, Henrik K wrote:
  When you block botnets directly from MTA (zen, helo checks, greylist etc),
  possible ClamAV/SA load is already reduced by a huge factor. Personally I
  only see handful of official ClamAV signatures hitting per 100k hams, so
  the scanning order wouldn't really matter.
 
 It does, if you receive a lot of mail. If you don't, you can surely call
 clamav and spamassassin (not spamc) from your .procmailrc as well, but I
 still won't recommend that.

I'm not sure I got your point. Do you mean that running ClamAV before SA is
mandatory for a lot of mail? That's only if you are comfortable blocking
directly with all the 3rd party rules; then it's effective, yes. Personally I
don't take the 3rd party FP chances and I also like SA to learn from those
mails.

The word order might be a little misleading here. It just comes down to
whether you want to block with ClamAV alone, or use ClamAV/SA together.

Similar thread here: http://marc.info/?t=12413908982



Re: Managing SA/sa-learn with clamav

2009-07-13 Thread Matus UHLAR - fantomas
 On Mon, Jul 13, 2009 at 12:01:35PM +0200, Matus UHLAR - fantomas wrote:
  
  On 10.07.09 19:09, Henrik K wrote:
   When you block botnets directly from MTA (zen, helo checks, greylist etc),
   possible ClamAV/SA load is already reduced by a huge factor. Personally I
   only see handful of official ClamAV signatures hitting per 100k hams, so
   the scanning order wouldn't really matter.
  
  It does, if you receive a lot of mail. If you don't, you can surely call
  clamav and spamassassin (not spamc) from your .procmailrc as well, but I
  still won't recommend that.

On 13.07.09 13:35, Henrik K wrote:
 I'm not sure I got your point. Do you mean that running ClamAV before SA is
 mandatory for a lot of mail?

it means that it's always better to run ClamAV before SA, and if someone is
receiving a lot of mail and the system is loaded, it could prevent the system
from overloading by preventing SA from scanning viruses.

 That's only if you are comfortable blocking directly with all the 3rd
 party rules; then it's effective, yes. Personally I don't take the 3rd
 party FP chances and I also like SA to learn from those mails.

As it was already said, you can run clamav twice (although not elementary to
do) with different configurations (with/without 3rd party rules).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends? 


Re: Managing SA/sa-learn with clamav

2009-07-10 Thread Jonas Eckerman

 Steven W. Orr wrote:
 
 http://wiki.apache.org/spamassassin/ClamAVPlugin
 
 It looks like what I thought I wanted already exists. Based on what I wrote
 above, and that I like the result of running sa + clamav via the two milters,
 does anyone have any caveats for me?

1: When running ClamAV inside SA you have to run SA even if ClamAV finds 
a virus. This requires more resources than just ClamAV. And ClamAV is 
way faster and requires far less than SA does.


2: If an infected whitelisted mail comes in, you would need a much 
higher score than the example (10) to stop the virus from passing.


3: If you just tag (and don't block) spam, using ClamAV only from within 
SA will actually let the virus-infected mail through to users.


All this said, we run CLamAV both from a milter (MIMEDefang) before SA 
*and* from SA with the plugin using different configurations.
The clamd instance used *before* SA only has the official ClamAV sigs 
and has phishing sigs and some checks turned off.
The clamd instance used *in* SA has the official sigs as well as some 
third party sig sets and has phishing, broken exe, etc checks turned on.



 One question I have: If I use the plugin and it fires, will it in fact
 contribute to the bayes and AWL tables ending up as I described above? Or is
 there a placement question of where the plugin should be invoked?


That plugin simply makes an eval test available that you can use for 
scoring. The effects of its scores on bayes and AWL are the same as for 
any other scoring rules in SA.


Regards
/Jonas
--
Jonas Eckerman
Fruktträdet  Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/
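
An added example for the two points above (it is mine, not the wiki ClamAVPlugin's Perl, and not code from ClamAV or SpamAssassin): the INSTREAM exchange a plugin or milter performs against clamd, with the reply parsed into a status the eval test can return, plus the score arithmetic behind caveat 2. The two socket paths and the instance names "prescan" and "in_sa" are assumptions standing in for the two differently configured clamd instances; the clamd replies in the tests are constructed.

```python
"""clamd INSTREAM client plus the SA-side scoring arithmetic behind caveat 2.

Added example for this thread; not the wiki plugin and not part of ClamAV or
SpamAssassin. Socket paths and instance names are assumptions.
"""
import socket
import struct

# Assumed (hypothetical) socket paths for the two clamd instances described
# above: official signatures only, run from the milter before SA; and official
# plus third-party signatures with extra checks, called from inside SA.
CLAMD_SOCKETS = {
    "prescan": "/var/run/clamav/clamd-prescan.sock",
    "in_sa": "/var/run/clamav/clamd-sa.sock",
}

CHUNK_SIZE = 8192
EOF_CHUNK = b"\x00\x00\x00\x00"  # zero-length chunk ends an INSTREAM upload


def instream_frames(message: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Frames sent to clamd for one scan: the NUL-terminated zINSTREAM command,
    then each chunk prefixed with its 4-byte big-endian length, then EOF_CHUNK."""
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(message), chunk_size):
        chunk = message[off:off + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(EOF_CHUNK)
    return frames


def parse_clamd_reply(reply: bytes) -> tuple:
    """Map a clamd reply to (status, detail). For a z-prefixed command the
    reply is NUL-terminated: b'stream: Eicar-Test-Signature FOUND\\0',
    b'stream: OK\\0', or an error such as
    b'INSTREAM size limit exceeded. ERROR\\0'."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    detail = text.split(": ", 1)[-1]  # drop the 'stream' id when present
    if detail.endswith(" FOUND"):
        return "FOUND", detail[:-len(" FOUND")]
    if detail == "OK":
        return "OK", None
    if detail.endswith(" ERROR"):
        return "ERROR", detail[:-len(" ERROR")]
    return "ERROR", detail  # anything unexpected counts as a scan failure


def scan_with_clamd(message: bytes, instance: str = "in_sa",
                    timeout: float = 30.0) -> tuple:
    """Stream a message to one clamd instance and return parse_clamd_reply()'s
    result. This is the only function that needs a running clamd."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(CLAMD_SOCKETS[instance])
        for frame in instream_frames(message):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


# SA side: the plugin contributes one rule hit; the verdict is the total score.

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def clamav_rule_hit(status: str) -> bool:
    """The eval test the plugin exposes: true only when clamd reported FOUND.
    An ERROR is deliberately not a hit, so a broken clamd does not mark mail
    as spam."""
    return status == "FOUND"


def sa_verdict(rule_scores: dict, required_score: float = REQUIRED_SCORE) -> tuple:
    """Sum the scores of the rules that hit, as SA does, and compare with
    required_score. Caveat 2 in numbers: USER_IN_WHITELIST is -100 by default,
    so a CLAMAV rule scored 10 leaves a whitelisted, infected mail at -90."""
    total = round(sum(rule_scores.values()), 3)
    return total, total >= required_score
```

Usage: `scan_with_clamd(raw_message, "prescan")` is what the milter position does, `scan_with_clamd(raw_message, "in_sa")` what the eval test does; `sa_verdict({"USER_IN_WHITELIST": -100.0, "CLAMAV": 10.0})` returns `(-90.0, False)`, which is why the plugin's example score does not stop an infected whitelisted mail. The ERROR branch matters in production: if clamd is down or the stream exceeds its size limit, the rule must not fire, and the pre-SA milter, not SA, is the place to decide whether to tempfail such mail.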


Re: Managing SA/sa-learn with clamav

2009-07-10 Thread Henrik K
On Fri, Jul 10, 2009 at 05:01:14PM +0200, Jonas Eckerman wrote:
 Steven W. Orr wrote:

 http://wiki.apache.org/spamassassin/ClamAVPlugin

 It looks like what I thought I wanted already exists. Based on what I wrote
 above, and that I like the result of running sa + clamav via the two milters,
 does anyone have any caveats for me?

 1: When running ClamAV inside SA you have to run SA even if ClamAV finds  
 a virus. This requires more resources than just ClamAV. And ClamAV is  
 way faster and requires far less than SA does.

When you block botnets directly from MTA (zen, helo checks, greylist etc),
possible ClamAV/SA load is already reduced by a huge factor. Personally I
only see handful of official ClamAV signatures hitting per 100k hams, so the
scanning order wouldn't really matter.

One flexible option would be replacing all the different milters with
amavisd-milter+amavisd-new. It has all the hooks needed to make ClamAV+SA
interact well.



Re: Managing SA/sa-learn with clamav

2009-07-05 Thread Steven W. Orr
On 07/04/09 13:56, quoth Steven W. Orr:
 I think I have a problem. Maybe not, but I'd like to hear what other people 
 think.
 
 I have a small home server running sendmail, spamassassin, spamass-milter and
 clamav-milter. The clamav helped a lot but there was a bunch of stuff getting
 through despite all that until I added scamp from
 https://sourceforge.net/projects/scamp/
 
 Now things are creeping up again and it's making me think that there's a
 coordination issue I'm missing. Again: anything that gets through is stuff
 that sa liked after having gotten through clamav (plus scamp).
 
 Given that there are two milters, (i.e., spamass-milter and clamav-milter) I
 had to pick which should be first. I chose clamav, so if clamav-milter rejects
 it then spamassassin never sees the message.
 
 BTW, all false negatives are sent on to sa-learn --spam and then on to 
 spamcop.
 
 Here's the question: Is it desirable for the stuff that gets rejected by
 clamav to be pumped through sa-learn? Is there a way to do it? The converse
 question is that if I were to switch the order of the milters, then all of the
 false negs that sa passes on to clamav that are picked up by clamav would also
 not be reported back to sa. What I really need is a better system for
 coordinating my sa bayes tables and whitelists. In fact, it seems like what
 would make sense is for clamav to be a test that is a plugin added to sa.
 
 Am I making any sense? Is this a good idea? Does it already exist? Are they
 coming to take me away?

No one answered me and I happened to run across this plugin for SA

http://wiki.apache.org/spamassassin/ClamAVPlugin

It looks like what I thought I wanted already exists. Based on what I wrote
above, and that I like the result of running sa + clamav via the two milters,
does anyone have any caveats for me?

I did read the discussion against at

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2408

and I also read the pros presented by the plugin itself.

One question I have: If I use the plugin and it fires, will it in fact
contribute to the bayes and AWL tables ending up as I described above? Or is
there a placement question of where the plugin should be invoked?

Thanks all. :-)

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor? Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net