1) Most of the popular viruses are not very big. My main virus concern is the fast spreading email worms. This solution is blocking those nicely. There is always a potential with any solution that something might slip by the filtering. I am not overlooking that. I may need to do some tweaking at some point to maintain the effectiveness of this solution if a really large worm were released.

2) Think of this in terms of resource allocation. Some box in my datacenter will need to filter AV. It will either be an email server or one of the clustered SA boxes. I hate getting complaints about email server performance, so I would rather place the load of AV scanning onto the SA cluster. Also, my SA cluster is made up of all of the old servers that we no longer want to use for web or email hosting, so there is not really a cost associated with the SA cluster.

3) I agree this could make a mess of the bayes DB pretty quickly, so we have left autolearning disabled. But this is not a problem, because I am not a fan of bayes autolearning anyway. I have always felt AL only reinforced mistakes. Manual training is always the best answer for bayes in my experience.

We are running ClamD on the SA boxes. The performance of ClamD for doing a large volume of email is much better than calling clamscan each time. If you look at the clamav plugin code, you will see that the plugin uses a perl module for connecting to ClamD over TCP. So SpamD does not even need to spawn clamdscan to talk to ClamD. It just connects directly using TCP.

I respect your opinion about filtering solutions. You obviously have invested a considerable amount of time into thinking about these solutions. I think it is awesome that we can have such discussions about all of the various ways of solving the virus and spam problems. Personally, I think we need to stop worrying about virus and spam separately. I think we need a "garbage filter" that catches everything instead of separate solutions for each thing. The way I look at it, garbage is garbage regardless of how it smells. This solution does let me offload all of the garbage filtering to an inexpensive cluster of boxes, which allows my email servers to perform better.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason J. Ellingson
Sent: Tuesday, December 28, 2004 5:21 PM
To: [email protected]
Subject: [xmail] Re: AV and SA

*** JUST AN OPINION - PLEASE TAKE WITH A GRAIN OF SALT ***

I think it is a great idea. However, here is why I choose not to do it that way:

1) Only scans those messages under 250KB or whatever limit you set on SPAMC. This misses any potentially infected files a friend might send you in a larger attachment.

2) Resources used more. The message is now sent to the SA box(es) regardless of potential infection status. And unless there is a quick abort available in SPAMD for an infected message, the email will get fully checked by all rules.... RBLs, SPF, etc... all completely unnecessary.

3) Can hurt BAYES/AWL databases... if the virus infected email is ever written with the REAL source email address (which nearly none do currently unless accidentally zipped into an attachment by an infected user), the databases will effectively blacklist that user. -- AWL is stored by IP subnet/email address pairs.

And as a side note, hopefully you are using ClamD to scan those emails... much faster than serial execution checking.

This is why I still stick to a policy of anti-virus scanners for viruses, and anti-spam scanners for spam messages... and checked in that order.

AGAIN, just an opinion by me and is not to be considered fact, or even a qualified opinion. Plus, I reserve the right to change my mind.

------------------------------------------------------------
Jason J Ellingson
Sr. Web Software Developer
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shiloh Jennings
Sent: Tuesday, December 28, 2004 10:14 AM
To: [email protected]
Subject: [xmail] AV and SA

Previously, I had been running ClamAV and SpamC on each of my email servers. SpamD was running on a cluster of FreeBSD boxes.
I had always wanted a solution to move ClamAV off of the email servers and onto the SA boxes. I finally found a solution:

http://wiki.apache.org/spamassassin/ClamAVPlugin

We have been using that since it came out and it has been working flawlessly. Anybody running SA on a dedicated Linux or FreeBSD box might want to consider running the ClamAV Plugin for SA. The only tweak I made was switching the CLAMAV score from 10 to 300. I let my customers set their threshold as high as 100, and needed to make sure virus emails always scored well beyond their threshold.

Also, I made a Win32 compile of the spamc that shipped with SA3. I was able to fully eliminate the need for CygWin on my Windows based XMail servers by doing that in addition to moving ClamAV to the SA boxes. I simply ran the SA installer on a Windows box that had VC5 installed in order to build the native Win32 spamc.exe, but there are also ways to do it for free. If you need to build spamc.exe for free, check out the following article:

http://wiki.apache.org/spamassassin/BuildSpamcOnWindowsForFree

Anyway, I figured I would pass this on in case any other hosts were looking for similar solutions.

-
To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
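
Added example, not part of the original thread and not the plugin's own code (which is Perl): a minimal Python client for the direct TCP conversation with ClamD mentioned above, using clamd's INSTREAM command. It also surfaces the size-limit case raised in the reply, where clamd answers with an error instead of scanning. The function names, chunk size and default port 3310 are assumptions of this sketch.

```python
import socket
import struct

CHUNK = 8192  # assumed chunk size for this sketch


def frame_instream(data, chunk=CHUNK):
    """Frame bytes for clamd INSTREAM: command, length-prefixed chunks, empty chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(reply):
    """Return (status, detail); status is CLEAN, INFECTED or ERROR."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        # e.g. "stream: Eicar-Test-Signature FOUND"
        return "INFECTED", text[:-len(" FOUND")].split(": ", 1)[-1]
    if text.endswith(": OK"):
        return "CLEAN", ""
    # Anything else, including "INSTREAM size limit exceeded. ERROR" or an
    # empty reply, means the message was NOT scanned; never treat it as clean.
    return "ERROR", text


def scan(sock, data):
    """Run one INSTREAM scan over an already-connected socket."""
    try:
        sock.sendall(frame_instream(data))
    except OSError:
        pass  # clamd may close early on oversize input; still try to read its reply
    reply = b""
    while not reply.endswith(b"\0"):
        got = sock.recv(4096)
        if not got:
            break
        reply += got
    return parse_reply(reply)


def scan_tcp(host, data, port=3310, timeout=10.0):
    """Connect to clamd's TCP listener (assumed on port 3310) and scan one message."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return scan(s, data)
```
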
