newbie question: scan msgs smaller than certain size

[Gustavo Baratto <gu...@globalrelay.net>]

Greetings...

I'm coming from a long time using Dspam, so please bear with me if this
is a stupid question :D

We are planning to use spamassassin with the clamav plugin.

So, basically we need spamd to virus scan all messages, and spam scan
just messages smaller than 100K.

Is there way to do this inside spamassassin, without having the MTA to
sort it by size? We use exim, and it has a pretty awesome spamassassin
support, but it has a crappy clamav support.

I searched a lot in the wiki, docs, and google, but I wasn't very lucky :(

Thanks for any hint.

Re: newbie question: scan msgs smaller than certain size

[Mr Shunz <mr...@gmail.com>]

On 10/4/07, Gustavo Baratto <gu...@globalrelay.net> wrote:
> Greetings...
>
> I'm coming from a long time using Dspam, so please bear with me if this
> is a stupid question :D
>
> We are planning to use spamassassin with the clamav plugin.
>
> So, basically we need spamd to virus scan all messages, and spam scan
> just messages smaller than 100K.
>
> Is there way to do this inside spamassassin, without having the MTA to
> sort it by size? We use exim, and it has a pretty awesome spamassassin
> support, but it has a crappy clamav support.
>
> I searched a lot in the wiki, docs, and google, but I wasn't very lucky :(
>
> Thanks for any hint.
>

Hi,
if use use ACL spam scans in exim you can put:

condition = ${if <= {$message_size}{100K}{1}{0}}

in the relevant sections

Re: newbie question: scan msgs smaller than certain size

[Steven <st...@aviawest.com>]

Jonathan Armitage wrote:
> Tom Bombadil wrote:
>
>> Thanks for the response Loren, but unfortunately, as far as I know we
>>  can specify the "spamd" directive just once in exim.
>>
> I realise we're getting OT here, but there are at least two ways to call
> SA from Exim, the built-in hook which you are using, and sa-exim, which
> calls SA via the local_scan() function. So you could call SA twice. 
You can use the built in hook as many times as you want.

Re: newbie question: scan msgs smaller than certain size

[Jonathan Armitage <jo...@hepworthband.co.uk>]

Tom Bombadil wrote:

> Thanks for the response Loren, but unfortunately, as far as I know we
>  can specify the "spamd" directive just once in exim.
> 
I realise we're getting OT here, but there are at least two ways to call
SA from Exim, the built-in hook which you are using, and sa-exim, which
calls SA via the local_scan() function. So you could call SA twice.

Jon

OT: Re: newbie question: scan msgs smaller than certain size

[Matthew Newton <mc...@leicester.ac.uk>]

On Fri, Oct 05, 2007 at 11:30:30AM -0700, Tom Bombadil wrote:
> Loren Wilton wrote:
> > I don't know how you would do it in exim (or if you even could) but in
> > theory you could have two SA setups.  One would only have the clam
> > plugin enabled and no other rules, and the other would have the full set
> > of rules you want.  Then you could av scan using the first setup, and if
> > that passes, run the second setup with the 100K message limit.

> > moderately horrible, and exim may not have the nice failover support for
> > a second SA; not being an exim guy I don't really know.  But I suppose
> 
> Thanks for the response Loren, but unfortunately, as far as I know we
> can specify the "spamd" directive just once in exim.

Just once, but you can list more than one SpamAssassin copy for
resilience - see:

  http://exim.org/exim-html-current/doc/html/spec_html/ch41.html#SECTscanspamass

Up to 32 SA addresses can be listed, and are queried randomly.

The same page (scroll up a few lines from the above link) explains
how you can run different Virus scanners, like this:

  av_scanner = $acl_m0

  deny message = This message contains malware ($malware_name)
       set acl_m0 = sophie
       malware = *

  deny message = This message contains malware ($malware_name)
       set acl_m0 = aveserver
       malware = *

I would be moderately surprised if you could not also do this:

  spamd_address = $acl_m0

  deny message = This message was classified as a Virus
       set acl_m0 = 127.0.0.1 783
       spam = nobody

  deny message = This message was classified as a Virus
       set acl_m0 = 127.0.0.1 784
       condition = ${if < {$message_size}{100K}}
       spam = nobody

Using SA to call ClamAV seems like a nasty hack - a slightly
better hack, IMHO, might be to use the "cmdline" virus scanning
option and write a script to try clamav on localhost and fall back
to other hosts if not available locally. Or do what we do - have
several mail servers and a cron job to watch the processes ;-).

There's not a lot you can't achieve with exim - if really stuck
then shell out with a ${run ...} string expansion.

HTH,

Matthew


-- 
Matthew Newton <mc...@le.ac.uk>

Network Support and UNIX Systems Administrator, Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <cc...@le.ac.uk>

Re: newbie question: scan msgs smaller than certain size

[Tom Bombadil <gr...@gmail.com>]

Loren Wilton wrote:
> I don't know how you would do it in exim (or if you even could) but in
> theory you could have two SA setups.  One would only have the clam
> plugin enabled and no other rules, and the other would have the full set
> of rules you want.  Then you could av scan using the first setup, and if
> that passes, run the second setup with the 100K message limit.
> 
> I don't know if you could do the first scan using spamd; I have a vague
> and probably incorrect memory that it has its own 200K message limit
> hard-coded. If that is the case you would have to invoke SA directly.
> 
> I have a feeling that performance doing that would probably be
> moderately horrible, and exim may not have the nice failover support for
> a second SA; not being an exim guy I don't really know.  But I suppose
> it would be something to try.

Thanks for the response Loren, but unfortunately, as far as I know we
can specify the "spamd" directive just once in exim.

Thanks ;)

Re: newbie question: scan msgs smaller than certain size

[Loren Wilton <lw...@earthlink.net>]

I don't know how you would do it in exim (or if you even could) but in 
theory you could have two SA setups.  One would only have the clam plugin 
enabled and no other rules, and the other would have the full set of rules 
you want.  Then you could av scan using the first setup, and if that passes, 
run the second setup with the 100K message limit.

I don't know if you could do the first scan using spamd; I have a vague and 
probably incorrect memory that it has its own 200K message limit hard-coded. 
If that is the case you would have to invoke SA directly.

I have a feeling that performance doing that would probably be moderately 
horrible, and exim may not have the nice failover support for a second SA; 
not being an exim guy I don't really know.  But I suppose it would be 
something to try.

        Loren

Re: newbie question: scan msgs smaller than certain size

[Tom Bombadil <gr...@gmail.com>]

> 
> I don't think you can have SA not spam scan emails over a certain size,
> while still having SA call clamav.
>

Thanks Steven. This is what I wanted to confirm.

Re: newbie question: scan msgs smaller than certain size

[Steven <st...@aviawest.com>]

Tom Bombadil wrote:
>> This is not really on-topic for the SA list, but what clamav support are you
>> missing? 
>>     
>
> Sorry... I guess I didn't explain myself properly. I don't want to go
> off topic talking about exim, but basically clamav failover/load balance
> is the problem. We already do what you suggested, but if clamav dies in
> the setup you suggested, we will be deferring mail like crazy :)
>
>   
Then setup multiple clamav daemons for exim to use.  But thats not a 
question for this list.

I don't think you can have SA not spam scan emails over a certain size, 
while still having SA call clamav.

Re: newbie question: scan msgs smaller than certain size

[Tom Bombadil <gr...@gmail.com>]

> 
> This is not really on-topic for the SA list, but what clamav support are you
> missing? 

Sorry... I guess I didn't explain myself properly. I don't want to go
off topic talking about exim, but basically clamav failover/load balance
is the problem. We already do what you suggested, but if clamav dies in
the setup you suggested, we will be deferring mail like crazy :)

On the other hand, spamd support is pretty good on exim, with failover
and everything.

So, the idea is to use just spamd on exim, and have spamassassin to do
the virus scanning. The catch is that I don't feel great about
spamassassin scanning 30MB files, while virus scanning should be mandatory.

Cheers,
g.

Re: newbie question: scan msgs smaller than certain size

[Dave Pooser <da...@pooserville.com>]

> Is there way to do this inside spamassassin, without having the MTA to
> sort it by size? We use exim, and it has a pretty awesome spamassassin
> support, but it has a crappy clamav support.

This is not really on-topic for the SA list, but what clamav support are you
missing? Looks to me like you could do this very simply with ACLs (after
setting "av_scanner = clamd:/tmp/clamd" in the main configuration settings):

  # Deny if the message contains a virus.
  
  deny    malware    = *
          message    = This message contains a virus ($malware_name).
          
  # Reject spam scoring 10+

  deny  message   = Message blocked by our spam filter.\nEmail
<po...@example.com> with questions.
        condition   = ${if <{$message_size}{100K}{true}{false}}
        spam      = nobody:true
        condition = ${if >{$spam_score_int}{99}{1}{0}}
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna